So as most of you probably know the big buzz on the Internet last week was that Google (after supporting Firefox for so long) have actually launched their own browser.

It’s cooled Google Chrome. Now of course in typical Google fashion they call it BETA software, and a number of flaws have popped up during the first couple of days of release.

One cool thing though is that each tab runs it’s own threaded process, so if one tab bombs out it won’t take down your whole browser.

The browser is a move for Google into the online/offline integration they started with Google Desktop, there are more and more online apps (Google Office) that people still want to use offline with a Google made browser this will be possible.

You also have to consider the privacy implications though, if you are also using Gmail…Google will basically know everything you do, even worse if you also use Google Desktop they will know what you have on your computer, what e-mail you send and receive and what you surf on the web.

The German Government has come out and told its citzens NOT to use Google Chrome.

There have been a few flaws released since Chrome came out such as a carpet bombing flaw:

Google’s shiny new Web browser is vulnerable to a carpet-bombing vulnerability that could expose Windows users to malicious hacker attacks.

Just hours after the release of Google Chrome, researcher Aviv Raff discovered that he could combine two vulnerabilities — a flaw in Apple Safari (WebKit) and a Java bug discussed at this year’s Black Hat conference — to trick users into launching executables direct from the new browser.

The PoC is here: http://raffon.net/research/google/chrome/carpet.html

Another is a crash in chrome.dlll.

An issue exists in how chrome behaves with undefined-handlers in chrome.dll version 0.2.149.27. A crash can result without user interaction. When a user is made to visit a malicious link, which has an undefined handler followed by a ‘special’ character, the chrome crashes with a Google Chrome message window “Whoa! Google Chrome has crashed. Restart now?”. It fails in dealing with the POP EBP instruction when pointed out by the EIP register at 0x01002FF4.

The PoC is here: http://evilfingers.com/advisory/google_chrome_poc.php

And a few people have also been complaining that it allows auto-download of executable without a user prompt.

We will be keeping an eye on Google Chrome.

Hackers are developing new software that will help hide browser attack code from some types of security software.

The software, called VoMM (eVade o’ Matic Module), uses a variety of techniques to mix up known exploit code so as to make it unrecognizable to some types of antivirus software.

Using these techniques, VoMM “can create an endless number of variants of an exploit,” said Aviv Raff, one of the developers behind the project.

“It aims to provide several techniques out of the box to make browser exploits (mostly) undetectable,” according to a blog posting by one of the project’s founders, a hacker going by the name of “LMH.” That posting can be found here.

The software users server-side scripting technology to create new versions of the exploit code, which then get delivered to browser users when they visit the attacker’s Web site. By making a number of cosmetic changes to the code that do not affect its functionality, VoMM creates a new version of the malicious software that cannot be detected by “signature-based” techniques.

Signature-based antivirus products analyze known malware and then create a digital fingerprint that allows the antivirus software to identify malicious code. By adding extra components — tabs and spaces, and random comments and variable names — that are not included in known signatures, VOMM creates software that can evade detection.

The VoMM code is expected to be included in a new module for the upcoming 3.0 version of the widely used Metasploit hacking toolkit, Raff said. Metasploit developer HD Moore is also developing the VoMM software. Raff’s blog posting on the project can be found here.

Source: Infoworld

Get ready for a complete month of fun with H D Moore’s Month of Browser Bugs.

Quoting from Browser Fun blog:

This blog will serve as a dumping ground for browser-based security research and vulnerability disclosure. To kick off this blog, we are announcing the Month of Browser Bugs (MoBB), where we will publish a new browser hack, every day, for the entire month of July. The hacks we publish are carefully chosen to demonstrate a concept without disclosing a direct path to remote code execution. Enjoy!

He say’s he has plenty of vulnerabilities to go around.

You can also read his post at Metasploit’s blog.