Attackers can combine the months-old “carpet bomb” bug with another flaw disclosed last month to trick people running Google Inc.’s brand-new Chrome browser into downloading and launching malicious code, a security researcher said today.
The attacks are possible because Google used an older version of WebKit, the open-source rendering engine that also powers Apple Inc.’s Safari, as the foundation of Chrome, said Israeli researcher Aviv Raff on Wednesday.
Raff posted a proof-of-concept exploit to demonstrate how hackers could create a new “blended threat” — so-named because it relies on multiple vulnerabilities — to attack Chrome, the browser Google released this week.
“This is different from the Safari/IE blended threat,” said Raff in an interview conducted via instant messaging. “It’s a different blend with one similar component. It uses the auto-download vulnerability (aka ‘Carpet Bomb’) in combination with a [user interface] design flaw and an issue with Java that doesn’t display a warning on execution of JAR files downloaded from the Internet.”
Raff’s reference to the earlier Safari/IE blended threat was to his May report that said a bug in Apple Inc.’s Safari browser could be paired with an unpatched vulnerability in Microsoft Corp.’s Internet Explorer (IE) to compromise Windows PCs.
The “carpet bomb” bug, revealed by researcher Nitesh Dhanjani in early May and named for the way it could be used to dump files onto the Windows desktop, stemmed from the fact that Safari did not require a user’s permission to download a file.
Attackers, Dhanjani said, could populate a malicious site with rogue code that Safari would automatically download to the desktop, where it might tempt a curious user into opening the file.
After first balking — for a time it refused to classify the flaw as a security vulnerability — Apple patched the bug in mid-June by updating Safari to 3.1.2.
But Google used a pre-patch version of WebKit to build Chrome, and so the bug, which was also patched in later editions of WebKit, slipped through. According to Raff, the Chrome beta uses the older WebKit 525.13, the engine used by Safari 3.1.
Raff combined the still-there carpet bomb bug with another reported by U.K.-based penetration tester Petko Petkov at the Black Hat security conference last month. At the time, Petkov outlined how a Java flaw allows Windows to automatically execute JAR files without prompting or warning the user.
Chrome also contributes to the problem, said Raff, by making downloaded files appear as buttons at the bottom of the browser’s frame. “One click on this button will execute the file,” Raff said.
Attackers could place malware on a malicious site, then wait for — or better yet, draw in — users running Chrome. The browser would not warn the user of the JAR file automatically downloaded from the site, and the button-style indicator in Chrome could be easily mistaken for part of the application.
Users can set an option in Chrome that will thwart Raff’s exploit by popping up a dialog asking for a filename and location for every downloaded file. To change the setting, select Options under the “Customize and control Google Chrome” menu; the menu is at the far right, near the top, and although not labeled, looks like a small wrench.
Next, click the “Minor Tweaks” tab in the Options window, then check the box that reads “Ask where to save each file before downloading.”
The blended threat, Raff argued, illustrates a bigger problem for Chrome, which has borrowed components both from Safari, via WebKit, and from unspecified pieces of Mozilla Corp.’s open-source Firefox.
Calling the approach “problematic” from a security standpoint, Raff wondered how quickly Google will be able to patch problems in Chrome.
“They’ll have to track all security vulnerabilities in those [borrowed] features, and fix them in Chrome too,” Raff said in the blog post that spelled out more detail of the Chrome/Java blended threat. “This will probably be only after those vulnerabilities were fixed by the other vendors or were publicly reported. It will put Chrome users at risk for a long time.”
Chrome can be downloaded in a version for Windows XP and Vista.
Chrome a “memory pig”?
In addition to its security vulnerabilities, Chrome’s voracious memory appetite has also come under scrutiny.
The Chrome browser chews up more memory than even Microsoft Corp.’s recent Internet Explorer 8 Beta 2, according to one researcher.
“Chrome’s a pig,” said Craig Barth, chief technology officer at Devil Mountain Software Inc., a Florida-based maker of PC performance-testing software. “Like IE8 Beta 2, it’s targeted at the next generation of hardware, not older PCs running Windows XP on a half-gig of RAM.”
Barth ran Chrome, the new Google browser released Tuesday, through the same 10-site scenario Devil Mountain used earlier in the week to benchmark the memory footprint and processor thread count for IE8 Beta 2, IE7 and Mozilla Corp.’s Firefox.
In the test, each browser opened the 10 sites — including media-rich domains such as Boston.com, Channel9.com, CNet.com, InfoWorld.com and NYTimes.com — in separate tabs, with links on those sites opened in additional tabs.
Chrome’s peak memory consumption under Windows XP was 324MB, slightly less than IE8 Beta 2’s 332MB, Barth said today, but the Google browser’s average footprint of 267MB was 26 per cent larger than IE8’s 211MB.
In Monday’s test, IE8 Beta 2 consumed far more memory than other browsers — 52 per cent more than IE7, for example — and easily led all others in the dubious honor. At the time, Barth called IE8 “epically porcine.”
But even though Chrome tipped the scales even more dramatically than IE8, Barth was willing to cut Google some slack. “It’s going to be fat by virtue of what they’re trying to do,” he said, noting that Chrome eats more memory because it essentially opens a separate instance of the browser for each tab, a design Google said it used to segregate tabs, and the sites on them, so that if one crashes the browser as a whole does not.
“It’s going to be fat, but you have got to give Google credit for doing [the browser] from scratch,” Barth noted. “It’s fat by design, and they come out and say that. ‘We’re willing to isolate each tab,’ Google says, so you know that and expect it.”
As he did with the other browsers, Barth also tallied the processor threads that Chrome spawned. The numbers, he said, “befuddled” Devil Mountain.
“Given its use of a multiprocess model [similar to IE8’s], we would have expected Chrome to introduce a comparable thread workload,” he said. “[But] we were surprised that Chrome had spun a much more manageable 48 execution threads at the peak.”
In comparison, Firefox and IE7 spawned 25 and 43 threads, respectively, while IE8 Beta 2 spawned a whopping 153.
Barth praised Chrome’s each-tab-is-separate design. “It’s a completely modular architecture,” he said. “Our guess is that the initial 25 threads handle the user interface functions, bookmarking, all the basic stuff, but then beyond that, it uses just two threads for each tab.” All told, Chrome spun off 12 discrete instances of itself to handle the 10 test tabs.
IE8 Beta 2 also isolates each tab, with Microsoft likewise citing crash resistance and security as its reasons for using the technique. That browser spawned just six instances, but more than three times the number of total processor threads, to handle the 10 open tabs.
“Chrome is a very pure browser design, and that gives them an edge over Microsoft,” said Barth. “IE is so convoluted by this point. It traces its origins back to Mosaic, so just from a common-sense standpoint, it has to be more complicated. That’s why each process in IE8 is fatter than each process in Chrome.”
Although the same criticisms he leveled against IE8 earlier also apply to Chrome — in particular, that the browsers are likely to stutter on older machines running single-core CPUs and on PCs with meager amounts of memory — he ended up applauding the isolated-tab model they both feature.
Especially Chrome’s. “Google wants in the enterprise, but it can’t when a Web [Office-style] suite can be taken down because the next tab has Dilbert.com on it and fails,” Barth said. “It can’t have people saying, ‘There goes my 15-page document.’ Google knows they need this kind of architecture to penetrate the enterprise.
“So understanding their goal, I’m giving them a pass. I think it’s worth giving them the benefit of the doubt,” he added. “But IE, that’s just more of the same.”
And what of Mozilla’s Firefox, which has managed to build a market share of nearly 20 per cent, mostly by appealing to users dissatisfied with IE? Based on his tests, Barth had unkind words for the open-source browser.
“It’s looking dated,” he said, referring not to its appearance but to how it handles tabs. “It will never get the kind of tab isolation that you can get in IE and now Chrome. It’s looking like yesterday’s design.”
But Chrome he’s excited about. “You’ve got to admire what Google is trying to pull off,” he said.
Devil Mountain operates Exo.performance.net (Xpnet), a community-based collection network that gathers performance data and other metrics from more than 3,000 PCs. Users can join the network by downloading and installing a small utility, DMS Clarity Tracker Agent, from Devil Mountain’s site.