Also since we reported on the Chrome bug bounty program back in February 2010 – Google Willing To Pay Bounty For Chrome Browser Bugs – it seems to have been a great success.

They’ve paid out a fair amount of money and patched 32 vulnerabilities in the latest version of Chrome (v14) – do note though, none of the vulnerabilities were of a critical level.

Google today patched 32 vulnerabilities in Chrome, paying more than $14,000 in bug bounties as it also upgraded the stable edition of the browser to version 14.

The company called out a pair of developer-oriented additions to Chrome 14 and noted new support for Mac OS X 10.7, aka Lion, including full-screen mode and vanishing scrollbars.

Google last upgraded Chrome’s stable build in early August. Google produces an update about every six weeks, a practice that rival Mozilla also adopted with the debut of Firefox 5 last June.

Fifteen of the 32 vulnerabilities were rated “high,” the second-most-serious ranking in Google’s four-step scoring system, while 10 were pegged “medium” and the remaining seven were marked “low.”

None of the flaws were ranked “critical,” the category usually reserved for bugs that may allow an attacker to escape Chrome’s anti-exploit sandbox. Google has patched several critical bugs this year, the last time in April.

Six of the vulnerabilities rated high were identified as “use-after-free” bugs, a type of memory management flaw that can be exploited to inject attack code, while seven of the bugs ranked medium were “out-of-bounds” flaws, including a pair linked to foreign language character sets used in Cambodia and Tibet.

I think the whole bug bounty model is great, I mean look at it this way – Google has paid out $14,000 in bug bounties for these vulnerabilities. That’s a small fraction of what it would cost to get a ‘professional’ company to do as a VA or code-audit on the software.

Plus for the researchers, they get to practise their skills and make a little pocket money on the side. I don’t expect anyone to hand over any critical 0-day type exploits for the amount Google is offering, but still – it makes the browser more secure.

And at the end of the day, more secure browsers make for less virus laden family members and colleagues (and less of that annoying work which we can’t escape for us).

Google paid $14,337 in bounties to nine researchers, including $3,500 to “miaubiz” and $2,337 to Sergey Glazunov, another regular bug finder.

The company’s security team also credited others, including researchers who work for Microsoft and Apple, for “working with us in the development cycle and preventing bugs from ever reaching the stable channel.” Some of those researchers were also awarded bounties, but Google did not spell out the amounts of those awards.

As per its practice, Google barred access to the Chrome bug-tracking database for the 32 vulnerabilities to prevent outsiders from obtaining details on the flaws. The company only opens the database after users have had time to update the browser.

Google also added a pair of developer-only features to Chrome 14, including support for the Web Audio API (application programming interface) and for “native client,” an open-source technology that runs software written in C and C++ within Chrome’s security sandbox.

The Mac version of Chrome 14 also supports Lion’s new approach to scrollbars, which appear only when a user is actively scrolling through the browser window. Chrome 14 also now runs in Lion’s full-screen mode, triggered via the icon in the upper right of the browser or by pressing Ctrl-Command-F.

But Chrome’s full-screen support isn’t polished or finished; the browser won’t return to its windowed view with a press of the Escape key, as do Apple’s home-grown applications in Lion.

Seems like Google had some help from Apple and Microsoft too – good to see the big boys working together.

I’ve given up on Firefox, I tried using Chrome for a while but didn’t really get on with it (seemed like a massive memory hog). I’ve recently switched to Palemoon (a Windows optimised version of Firefox) and it’s great so far.

Source: Network World

Now they are infringing on the area of anti-virus vendors and stepping up in the fight against malware by proposing to block applications that are harmful to Windows users.

All we need to do now is make sure all new computers ship out with Chrome or Firefox installed as the default browser.

Google says it’s expanding its blacklist of malicious websites to include those that use deceptive claims to push harmful Windows programs.

The addition to Google’s Safe Browsing API will warn people when they are about to visit websites that offer Windows-based trojans that are disguised as screen savers or other innocuous applications. The search behemoth introduced the service five years ago to alert users when they try to browse sites that perform drive-by downloads that exploit security vulnerabilities in the operating system or browsing software.

The underlying programming interface is already being used by browsers including Google Chrome, Mozilla Firefox, and Apple Safari. It’s also available to any webmaster who wants to use the wealth of information available from Google to prevent malicious links from being posted to their sites.

Seen as though this is part of the Google Safe Browsing API, I wonder will Firefox follow suit and implement this in their browser. It’s always a good idea to give users an additional layer of security.

The onion approach rather than security by obscurity – or more commonly, just not giving two shits.

Drive by downloads have been a problem for a long time, and will continue to be a problem when it comes to users lacking proper secure computing habits (e.g. most of the public mass).

“Safe Browsing has done a lot of good for the web, yet the internet remains rife with deceptive and harmful content,” Moheeb Abu Rajab, a member of Google’s security team, blogged on Tuesday. “It’s easy to find sites hosting free downloads that promise one thing but actually behave quite differently.”

Keyloggers, botnet software and adware are just three examples.

The new feature will initially be available only for Chrome users who subscribe to the browser’s development release channel. The company plans to integrate it into the next stable release of Chrome. There is no mention of it being made available to browser providers outside of Google.

The warning will be displayed whenever users encounter a download from a URL that matches the latest list of malicious websites published by the Google API.

Safe Browsing is good and I think it really helps, especially with phishing sites which tend to get reported very quickly and then are promptly blocked in users browsers.

The new feature isn’t available in the current stable release of Chrome, but will be merged into the next stable version and is currently available in the development release.

Source: The Register

This is a pretty interesting development from Google and also seems to be coming much more common now, companies openly offering payments for bugs/vulnerabilities discovered in their software.

It’s a chance for the white-hat guys to earn a few bucks, but honestly I don’t think it’s going to change anything. Especially not when we’re talking $500 per vulnerability.

A serious browser 0-day exploit that can allow execution of malware will go for 100 times that much on the black market so there’s no real incentive for the bad guys to give up their code for $500.

Google yesterday announced a bug-bounty program that will pay researchers $500 for each vulnerability they report in the Chrome browser and its underlying open-source code.

In a post to the Chromium project’s blog , Chris Evans, who works on the Chrome security team, said the base bounty would be $500, but that “particularly severe or particularly clever” bugs would reap rewards of $1,337 each.

The latter amount is a reference to “leet,” a kind of geek-speak used by some researchers; there, “leet” is rendered as “1337.”

New vulnerabilities in Chrome, Chromium — the open-source project that Google uses to craft Chrome — and plug-ins that ship with Chrome, such as Google Gears, are eligible for bounties, said Evans. Bugs that are ranked “high” or “critical” in Chrome’s rating system get preference, he added, but others may be considered.

Even for the particularly severe or clever bugs they can award up to $1,337, that’s still peanuts compared to what they can sell the exploit for on the open market – or even to companies like TippingPoint ZDI who claim to pay 10 times more (which would be more reasonable, $5000 for a working exploit).

I hope it helps though and gives some legitimate security researches a little more incentive to focus on Chrome, the bad guys won’t pay much attention though as Chrome is still a relatively small player in the browser world.

“We are hoping that … this program will encourage new individuals to participate in Chromium security,” said Evans. “The more people involved in scrutinizing Chromium’s code and behavior, the more secure our millions of users will be.”

“Internet Explorer, Safari, Firefox…those browsers have been out there for a long time,” said Pedram Amini, manager of the security research team at 3com’s Austin, Tex.-based TippingPoint, which operates Zero Day Initiative (ZDI), one of the two best-known bug-bounty programs. “But Chrome, and now Chrome OS, need researchers. Google needs people to put eyes on the target.”

Google’s new bounty program isn’t the first from a software vendor looking for help rooting out vulnerabilities in its own code, but it’s the largest company to step forward, Amini said. Microsoft , for example, has traditionally dismissed any calls that it pay for vulnerabilities. “This will be beneficial to Google,” Amini added. “There are actually very few vendors who play in the bounty market, but Google doing it is definitely interesting.”

I don’t realistically expect any groundbreaking bugs to come out of this initiative, but I think a few people might bust out their browser fuzzing tools and see what they can find.

Worth a bit of effort if you can find 10 decent bugs in a couple of hours and net yourself $5000usd.

Source: Network World

Just remember that even though Firefox tends to be more secure than Internet Exploder – it’s not immune from vulnerabilities (although they do tend to get fixed much much faster).

The latest one that’s cropped up in both Firefox and Chrome is a clickjacking vulnerability. This is basically where a link is replaced by an attacker to lead to a site (which would usually be setup to deliver malware).

You can find the Proof of Concept (PoC) here.

Security researchers have discovered a flaw affecting Google’s Chrome browser that exposes it to “clickjacking”–in which an attacker hijacks a browser’s functions by substituting a legitimate link with one of the attacker’s choice.

Google has acknowledged the flaw and is working toward a patch for Chrome versions 1.0.154.43 and earlier when running within Windows XP SP2 systems, according to SecNiche security researcher Aditya Sood.

Sood disclosed the flaw on Tuesday and has since posted a proof of concept on the Bugtraq vulnerability disclosure forum.

“Attackers can trick users into performing actions which the users never intended to do and there is no way of tracing such actions later, as the user was genuinely authenticated on the other page,” Sood said within the disclosure.

While Google is working on a fix, a representative for the Australian arm of the company pointed out that clickjacking can affect all browsers, not just Chrome.

I’m pretty sure there has been an Internet Explorer Clickjacking bug going around recently too. There was something with IE8 and apparently the ‘fix’ didn’t even help much.

So as always be cautious with what you’re clicking, and if you are super Paranoid just turn off all Javascript.

If you are even more paranoid…just go back to using Lynx on the command line :)

Either way it’s a fairly new brand of vulnerability so I’m sure it will be developed into a more complex and perhaps damaging variation.

However, Nishad Herath, an independent security researcher and CEO of Australian security consultancy Novologica, told ZDNet.com.au that after running Sood’s proof of concept he found that Internet Explorer 8 (release candidate 1 and beta 2 versions) and Opera 9.63 (the latest version) were not exposed to the flaw. But, like Chrome, Firefox 3.0.5 was exposed.

Google’s security researchers had not found any attacks in the wild that exploited the specific vulnerability, said Google’s representative.

Clickjacking is a relatively new browser attack that security researchers Robert Hansen and Jeremiah Grossman gave a talk on it late last year at the Open Web Application Security Project security conference in New York. Such an attack broadly fits within the category of cross-site scripting forgery, where an attacker uses maliciously crafted HTML or JavaScript code to force a victim’s browser to send an HTTP request to a Web site of their choosing.

“Clickjacking means that any interaction you have with a Web site you’re on, for example like clicking on a link, may not do what you expect it to do,” explained Herath.

I’d except Firefox to come out with an updated version pretty soon patched against this vulnerability, I’m not so sure about the release cycle of Chrome but I’d be surprised if Google let this slide.

It’ll be interesting to watch how far this goes.

Source: Cnet (Thanks Navin)