Now that the enormous amount of noise over the debut of the Google chrome browser has died out a bit, what does it look like from a security viewpoint?
For some reason, they based their browser on WebKit that Apple’s safari browser also uses. The dependencies in security between the versions was the way that intrepid hacker Aviv Raff discovered that like the earlier version of Apple’s Safari Browser, the new Google browser was vulnerable to a carpet bombing attack. The attack would allow an attacker to drop malware on a desktop (the social hook here was free coffee coupons in the demo) and get people to launch it off on their desktop.
While Vista would have had some inbuilt protections to keep the browser from doing things, it should not be doing, which would not be enough to keep the system from being hacked. The version of Web kit they are using 525.13 also has other security flaws as well.
What makes this an overall interesting issue is that Google’s former dedication to security is now in question. While there is no doubt that Google security is excellent in many ways, their code developing practices suffer from the same issues that everyone else’s code development practices suffer from. Good code written by great programmers, based on something vulnerable because it is easy to write good code, it is difficult to write good secure code.
Classic issues, but wants me to dig deeper into Google code across the enterprise, Google mail, Google documents, Google calendar, Google RSS reader to figure out what else has been written, and how else it might be subverted. The myth of the security of Google code is now broken, and that is going to lead to other hackers to wonder what else Google programmers might have missed that could be used against Google product users.
What is also particularly interesting is section 11 of the EULA system that talks about content posted through the browser. Assuming blog entries, pictures, video, audio, anything else you do through the browser automatically gives Google a perpetual copyright to use your stuff. This makes no sense what so ever. The entire section 11.1 reads:
11.1 You retain copyright and any other rights you already hold in Content which you submit, post or display on or through, the Services. By submitting, posting or displaying the content you give Google a perpetual, irrevocable, worldwide, royalty-free, and non-exclusive license to reproduce, adapt, modify, translate, publish, publicly perform, publicly display and distribute any Content which you submit, post or display on or through, the Services. This license is for the sole purpose of enabling Google to display, distribute and promote the Services and may be revoked for certain Services as defined in the Additional Terms of those Services. Chrome EULA
If anything, this is a sharp blow to the mystique that Google has developed over the last few years of excellent security, excellent products, and excellent practices. In what has been developing as a crazy state, this looks like the process was not fully baked, and while they call it a Beta, for Google, this is a major blow, not just to their credibility when it comes to good code, but to how they plan on managing user rights in the future.
Google as we knew it is dead.