Forums Blog |

Google Chrome Beta has been available for a few days, and hackers and security analysts have apparently been quite busy picking it apart. The following is a summary of known, confirmed and in the wild vulnerabilities that the current build of Google Chrome is affected by:

1. Carpet Bombing: Google Chrome uses AppleWebKit/525.13, the same build of WebKit that is used in Safari, which has been demonstrated to suffer from a critical flaw where the browser will download, install and execute certain files without user intervention. This is actually a shared vulnerability that combines a bug in WebKit with a flaw in Java, allowing JAR files to be executed while bypassing the Operating System’s protection scheme. See: US-CERT Current Activity
2. Undefined Handler Exception: Using URLs containing certain strings followed by a certain character can cause all tabs and processes under Google Chrome to crash.
3. App Mode: When visiting certain sites, such as GMail, Chrome opens in a full screen application mode. While in this mode, Chrome hides the address bar. Specially crafted links and even desktop shortcuts can mimic this behavior while sending the user to a malicious phishing site. See: The Way I Think | Security Vulnerability with Google Chrome

As with the release of any new browser software, make sure you take all possible security steps to protect your system and network while testing the application. Now is the time to see how quickly these issues are patched. In today’s security landscape, this is often the litmus test for network applications. When the Safari bug was released, Apple took over two months to release a patch.