Google Chrome: The End of Drive-By Downloads

At the recent USENIX Security Symposium, Niels Provos, head of the security team at Google, gave a compelling presentation about the state of client-side web security (you can find research project details here). His research project involves identifying drive-by downloads and filtering them from Google search results. One conclusion of the analysis was that any type of site can be malicious: it is usually not the site owner but an attacker who places the exploit code on the site. This seems to suggest that the only way to keep malware off computers is either to stop browsing the web or to lock down the web browser.

As security experts, we know how to use a browsing sandbox like Sandboxie or a VMware appliance. Try, however, to explain this to an average user. It is not a straightforward process. Most people do not even understand the necessity for such precautions. People need a secure browser that is easy to install and manage. An example of such a browser was GreenBorder, which Google bought and promptly took out of commission. During the Q&A session following Niels’ talk, I asked him (in more friendly terms) why Google bought the one browser that promised to improve web security and then stopped selling it. At the time he was unable to comment on Google’s strategy, but now the answer is clear: Google Chrome.

Chrome incorporates many of the sandboxing techniques developed by GreenBorder to protect its users. It is no longer possible for the modules that parse HTML and run JavaScript to compromise the entire system. Google Chrome’s design is also reminiscent of the OP Browser (available here), which locks down browser components to prevent system-wide exploitation.

If Google’s new browser is truly more secure, then why are we still seeing vulnerability reports, including some that tout remote code execution? (See Google Chrome Hit With Another Security Bug.) If you read the fine print of each report, the answer becomes clear: exploiting these vulnerabilities requires user interaction. The first bug, an ‘Automatic File Download’ issue, requires that the user click twice to accept the malicious download. The second bug is only triggered if the user chooses the “Save As…” menu option while on a malicious website. These exploits require social engineering and can easily be avoided by an educated user.

From what we have seen so far, Google Chrome has changed the browser exploitation landscape by reducing browser attacks from zero-interaction code execution to social engineering schemes. If this holds true, then Google has done its job in ending the era of drive-by downloads.

What is next? Now we need to start going after scammers who take advantage of poorly educated users with attacks such as “Download this FlashUpgrade.exe program to view my YouTube video.” Creating usable security software that blocks Trojan horse downloads while allowing legitimate programs is the next fundamental problem in web security. Get to work, Google!
