source: United Nations
Browser Security Comparison:
New study claims that Chrome is the most secure browser.
From the cellular phone to the desktop, the web browser has become a ubiquitous piece of software in modern computing devices. These same browsers have become increasingly complex over the years, not only parsing plaintext and HTML, but images, videos and other complex protocols and file formats. Modern complexities have brought along security vulnerabilities, which in turn attracted malware authors and criminals to exploit the vulnerabilities and compromise end-user systems.
Google, Inc. develops the Google Chrome web browser. Google released the first stable version of Chrome on December 11, 2008. Chrome uses the Chromium interface for rendering, the WebKit layout engine and the V8 JavaScript engine. The components of Chrome are distributed under various open source licenses. Google Chrome versions 12 (12.0.724.122) and 13 (13.0.782.218) were evaluated in this project.
Microsoft develops the Internet Explorer web browser. Microsoft released the first version of Internet Explorer on August 16, 1995. Internet Explorer is installed by default in most current versions of Microsoft Windows, and components of Internet Explorer are inseparable from the underlying operating system. Microsoft Internet Explorer and its components are closed source applications. Internet Explorer 9 (9.0.8112.16421) was evaluated in this project.
Time to Patch:
The amount of time it takes for a vendor to go from vulnerability awareness to a fix can be seen as an indicator of commitment to security. However, the reality is not so simple. Internet Explorer has such deep integration with the Windows operating system that a change in Internet Explorer can have repercussions throughout a much larger code base. In short, the average time to patch is less indicative of a commitment to patch than of the complications involved in providing a good patch.
It is clear that Microsoft’s average time to patch is the slowest. To be fair, this information was based on a much smaller sample set than Firefox and Chrome. Even worse, it may be possible that the advisories for these vulnerabilities had timeline information only because of the fact that they had taken so long to patch.
Firefox comes in second, taking an average of 50 days less than Microsoft to issue a patch. The browser with the fastest average time to patch is Chrome. With an average of 53 days to patch vulnerabilities, they are nearly three times faster than Firefox and slightly more than four times faster than Microsoft.
URL Blacklist Services:
The stated intent of URL blacklisting services is to protect a user from him or herself. When a link is clicked inadvertently, via a phishing email or other untrusted source, the browser asks the user “are you sure?” and displays a warning that the site might be unsafe, based on a list of unsafe URLs that is regularly updated as new malware sites go live and are taken offline. Microsoft’s URL Reporting Service (from here forward, “URS”), formerly “Phishing Filter” and referred to in the browser application as “SmartScreen Filter”, was the first to provide this feature, with Google’s Safe Browsing List (“SBL”) following suit later; SBL was utilized initially by Mozilla Firefox, and is now used by Chrome as well as Safari.
A sandbox is a mechanism of isolating objects/threads/processes from each other in an attempt to control access to various resources on a system.
Address Space Layout Randomization (ASLR) attempts to make it harder for attackers to answer the question ‘where do I go’. By taking away the assumption of known locations (addresses), the process implementing ASLR makes it much more difficult for an attacker to use well-known addresses as exploitation primitives. One key weakness of ASLR is the ability for one module to ruin it for the rest, a weak link in an overall strong chain.
Data Execution Prevention (DEP): One of the first steps in compromising a system is achieving arbitrary code execution, the ability to run code provided by the attacker. In traditional exploitation scenarios, this is achieved by providing the compromised application with shellcode, data furnished by the attacker that is then run as code. Data Execution Prevention (DEP) addresses the problem of data being run as code directly. DEP establishes rules that state: “Only certain regions of memory in which actual code resides may execute code. Safeguard the other areas by marking them non-executable”.
Stack Cookies (/GS): Because of common programming errors, archaic APIs and trusted user input, stack-based buffer overflows have long been leveraged to gain code execution on Intel-based architectures. A stack cookie is a value placed between a function’s local buffers and its saved return address; the function epilogue checks the cookie before returning, so an overflow that reaches the return address is detected before the corrupted address is used.
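An added illustration of the stack-cookie check just described; this is not code from the study or from any browser, but a constructed model of a /GS-protected frame with a hypothetical cookie value and placeholder return address, so the overflow stays inside a struct and the program itself remains memory-safe:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a stack frame laid out the way /GS protects it:
 * local buffer first, then the security cookie, then the saved return
 * address. Real frames are laid out by the compiler; this struct only
 * mimics the ordering so the check can be demonstrated safely. */
#define BUF_SIZE 16
#define COOKIE_VALUE 0x5A5AC0DEu   /* hypothetical per-process secret */

struct frame {
    char     buf[BUF_SIZE];
    uint32_t cookie;          /* /GS security cookie */
    uint32_t saved_return;    /* return address the cookie guards */
};

/* Models the classic bug: an unbounded copy into a fixed-size local buffer.
 * The write is confined to the struct so the demo has no undefined behaviour. */
static void unchecked_copy(struct frame *f, const char *src, size_t len) {
    if (len > sizeof *f) len = sizeof *f;      /* keep the model in bounds */
    memcpy((unsigned char *)f, src, len);      /* buf sits at offset 0 */
}

/* The epilogue check: 1 if the cookie is intact, 0 if it was clobbered
 * (in a real /GS build the failure handler terminates the process). */
static int gs_cookie_intact(const struct frame *f) {
    return f->cookie == COOKIE_VALUE;
}

/* Runs one input through the model frame.
 * Returns 1 when the cookie check would have caught an overwrite, else 0. */
int gs_detects_overflow(const char *input, size_t len) {
    struct frame f;
    memset(&f, 0, sizeof f);
    f.cookie = COOKIE_VALUE;
    f.saved_return = 0x401000u;                /* placeholder address */
    unchecked_copy(&f, input, len);
    return !gs_cookie_intact(&f);
}

int main(void) {
    const char *benign = "hello";                        /* constructed */
    const char *oversized = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; /* 32 'A' */
    printf("benign input: overflow detected = %d\n",
           gs_detects_overflow(benign, strlen(benign)));
    printf("oversized input: overflow detected = %d\n",
           gs_detects_overflow(oversized, strlen(oversized)));
    return 0;
}
```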
The URL blacklisting services offered by all three browsers will stop fewer attacks than will go undetected. Both Google Chrome and Microsoft Internet Explorer implement state-of-the-art anti-exploitation technologies, but Mozilla Firefox lags behind without JIT hardening. While both Google Chrome and Microsoft Internet Explorer implement the same set of anti-exploitation technologies, Google Chrome’s plug-in security and sandboxing architectures are implemented in a more thorough and comprehensive manner.
In conclusion, overall browser security needs to be considered when attempting to compare browsers from a security standpoint. Drawing conclusions based solely on one category of protection, such as blacklisted URL statistics, doesn’t give a valid perspective on which browser is most secure. Instead, such statistics should be considered in the context of other mechanisms such as anti-exploitation technologies and malicious plug-in protection, which play a more important role in protecting end users from exploits and persistent malware. By these measures, Google Chrome appears to be the web browser that is best secured against attack.
Microsoft announced that it was redesigning the logo of Windows software, making a fundamental change to the iconic four-colour Windows logo users have been used to for 20 years.
Meshing with the Metro design of Microsoft’s upcoming Windows 8, the new logo is a slightly-angled blue block with a thin white cross in the middle, making it look like a window instead of the four-color wavy flag in the past.
“The Windows logo is a strong and widely recognised mark but when we stepped back and analysed it, we realised an evolution of our logo would better reflect our Metro style design principles and we also felt there was an opportunity to reconnect with some of the powerful characteristics of previous incarnations,” said Microsoft in a blog post.
“We did less of a re-design and more to return it to its original meaning and bringing Windows back to its roots – reimagining the Windows logo as just that – a window,” the company said.
The goal of the logo is to “better reflect our Metro style design principles”, according to Microsoft blogger Sam Moreau.
The new logo is designed by Paula Scher from the Pentagram Design Agency.
Scher and her team created a complete system based on the idea of perspective. The designers completed motion studies to demonstrate the transformation of the flag shape into a window shape, to show that they weren’t that far apart and would be an easy and elegant transition for the brand.
In its research, the team considered the Windows brand history. The original Windows logo looked like a window. As computing became more powerful, the logos for Windows began to get more complex, to show off the capabilities of Microsoft systems. The logo for Windows 1.0 resembled panes of glass. By Windows 3.1, this had been replaced with a waving effect for a sense of motion and the four colours that became a signature of the Windows brand.
For Microsoft, the logo became a natural place to demonstrate the graphic capabilities of each new version of Windows. The Windows logo underwent another transformation for Windows XP, when the “flag” began looking more material and gained a 3D effect with a gradient. For Windows Vista, the flag evolved into a kind of dimensional button or “pearl,” as it became known in Microsoft’s branding language.
The new logo reflects the sleek, modern “Metro” design language first introduced by Microsoft in its Windows 7 phones. Metro is based on the design principles of the Swiss International Style, with clean lines, shapes and typography and bold, flat colours. One guideline of Metro is that the graphic or interface must appear “authentically digital” – that is, it should not appear to be material or three-dimensional using gradients or effects. The new identity suggests dimensionality using the classic principle of perspective: lines receding into space.
The perspective drawing is based on classical perspective drawing, not computerized perspective. The cross bar stays the same size no matter the height of the logo, which means it has to be redrawn for each time it increases in size, like classic typography.
The perspective analogy is apt because the whole point of Microsoft products is that they are tools for someone to achieve their goals from their own perspective. The window here is a neutral tool for a user to achieve whatever they can, based on their own initiative. The logo design is deliberately neutral so that it can function effectively in a myriad of uses, especially motion. The old logo was flat and drawn in motion; the new logo is a neutral container that can convey actual motion, becoming a more active and effective brand.
The team designed the system to fit into lines of perspective.
The logo is redrawn at different sizes so the cross bars always appear at the same size.
Google Chrome hacked with sandbox bypass:
The attack, which included a Chrome sandbox bypass, was the handiwork of Sergey Glazunov, a security researcher who regularly finds and reports Chrome security holes.
Glazunov scored a $60,000 payday for the exploit, which targeted two distinct zero-day vulnerabilities in the Chrome extension sub-system. The cash prize was part of Google’s new Pwnium hacker contest which is being run this year as an alternative to the more well-known Pwn2Own challenge.
According to Justin Schuh, a member of the Chrome security team, Glazunov’s exploit was specific to Chrome and bypassed the browser sandbox entirely. “It didn’t break out of the sandbox [but] it avoided the sandbox,” Schuh said in an interview.
Schuh described the attack as “very impressive” and made it clear that the exploit “could have done anything” on the infected machine. “He (Glazunov) executed code with full permission of the logged on user.”
“It was an impressive exploit. It required a deep understanding of how Chrome works,” Schuh added. “This is not a trivial thing to do. It’s very difficult and that’s why we’re paying $60,000.”
Glazunov is a regular contributor to Google’s bug bounty program and Schuh raved about the quality of his research work.
Schuh said Glazunov had once submitted a similar sandbox bypass bug, but stressed that bugs of this kind, which give full code execution outside the browser sandbox, form a very small percentage of bug submissions.
Less than 24 hours after Sergey Glazunov hacked into a fully patched Windows 7 machine with a pair of Chrome zero-day flaws, Google rushed out a patch for Windows, Mac OS X, Linux and Chrome Frame users.
Technical details of the vulnerabilities are being kept under wraps until the patch is pushed out via the browser’s silent/automatic update mechanism.
According to Google’s advisory, the flaws related to universal cross-site scripting (UXSS) and bad history navigation.
- [Ch-ch-ch-ch-ching!!! $60,000]   Critical CVE-2011-3046: UXSS and bad history navigation. Credit to Sergey Glazunov.
Glazunov’s exploit also bypassed the Chrome sandbox to execute code with full permissions of the logged on user.
The Google browser was also popped by a hacking team from VUPEN, and there is speculation that a vulnerability in the Flash Player plugin was exploited in that attack. VUPEN co-founder Chaouki Bekrar said that the flaw existed in the default installation of Chrome but declined to say whether the faulty code was created by Google or a third-party vendor.
The Flash Player plugin in Chrome runs in a weaker sandbox than the full browser and has always been a tempting target for attackers.
Google is working on moving Flash into the more robust plugin sandbox, and this will happen before the end of this year.
Google’s Giving $60,000 to Whoever Can Exploit Chrome:
Google has offered prizes totalling $1 million to those who successfully hack the Google Chrome browser at the Pwn2Own hacker contest taking place today, 7 March 2012. Chrome is the only browser in the contest’s six-year history never to have been exploited.
Google will hand out prizes of $60,000, $40,000, and $20,000 to contestants able to remotely commandeer a fully-patched browser running on Windows 7. A “Full Chrome Exploit,” which obtains user account persistence using only bugs in the browser itself, will net the $60k prize. Exploits that rely on WebKit, Flash, or a driver can only earn the lesser amounts.
Prizes will be awarded on a first-come-first-serve basis, until the entire $1 million has been claimed. “While we’re proud of Chrome’s leading track record in past competitions, the fact is that not receiving exploits means that it’s harder to learn and improve,” said Chris Evans and Justin Schuh, members of the Google Chrome security team.
“To maximize our chances of receiving exploits this year, we’ve upped the ante. We will directly sponsor up to $1 million worth of rewards.” Pwn2Own isn’t the only time researchers can be paid for digging up security flaws in Chrome. Like other companies including Mozilla and Facebook, Google offers “bug bounties” to researchers, and its flaw-buying program has given out more than $300,000 in payments over the last two years.