US-CERT encourages users to enable the "Ask where to save each file before downloading" option within the "Minor Tweaks" tab in the browser preferences.

Can you believe that is one of the first things I did after downloading? :)

How ironic eh? How many more of these are we going to see over the next who knows how long? ;)

This sounds like the same issue Safari has [webmasterworld.com] -- but I thought Google Chrome only used the same rendering engine.

To be fair - this is an early beta, so finding problems is not surprising. However, it is a reminder that making a new browser is hard, other browsers have been through periods of intense scrutiny from the security industry, and browsers are particularly vulnerable to security holes due to their complexity.

It will be interesting to see how Google's patching process works in this case - it's very unlikely to be the only security hole in their browser.

Well, google covered their ass by labeling Chrome as being 'beta' :P

being 'beta'

gmail is still beta. Indeed looks like ****** coverage

I think this is funny considering the emphasis they put on that feature in the webcast. They were so happy about one click downloading and execution. I wondered how long it'd go before someone came out against it.

but I thought Google Chrome only used the same rendering engine.

Within the Register url posted by PageOneResults they mention this at the bottom of page.

[theregister.co.uk...]

Apple patched the vulnerability with Safari v3.1.2, but the underlying software behind Chrome is based on older code, hence the vulnerability.

I really hoped Google had developed a browser from the ground up. Ouch, Safari bugs, not good press for Google.

Is that the same "Security Flaw" I saw in the article in ReadWriteWeb by Frederic Lardinois? (I think perhaps I am not allowed to post the link to it here?)

Same one - there's only one Chrome security flaw being kicked around at the moment, and this one is apparently inherited from the WebKit engine that Chrome uses.

As with Safari, just make the intentional decision about where to store your downloads and you've bypassed the vulnerability.

mozilla with new look = google chrome

More trouble for Google Chrome Browser:

An issue exists in how chrome behaves with undefined-handlers in chrome.dll version
0.2.149.27. A crash can result without user interaction. When a user is made to visit
a malicious link, which has an undefined handler followed by a 'special' character,
the chrome crashes with a Google Chrome message window "Whoa! Google Chrome has crashed.
Restart now?".

[evilfingers.com...]

[edited by: tedster at 3:51 pm (utc) on Sep. 4, 2008]
[edit reason] attribute the quote [/edit]

That's an interesting report - but apparently the browser crashes rather than becoming open to an exploit. Not too much of a worry unless someone finds a malicious way to exploit the crash.

Google Chrome is an early beta - so crashes are normal, and expected. I would consider the second as being a simple bug report, not a "security advisory". It's just spin/marketing from wannabe security experts feeding on the hype of a product launch.

More info.

It seems that someone has found a DoS in Google Chrome. What's interesting is that one of the thngs that Chrome does is process separation between tabs (or so they claim), yet this DoS manages to take out all of Chrome, not just the tab you visit the page in.

Can you believe that is one of the first things I did after downloading?

That's always the first thing I do with any new browser download. Who wants to go digging after a download several folders deep?

there is few things that Google has that is no longer in Beta...

I was just waiting for this news from the media, just on TV "Google Chrome gives every user a identity no." so they know how surfs what, they just cant let it be, they keep collecting personal info as much as possible.

Google Chrome is an early beta

Those who push an 'early beta' on the general public via a prominent link on one of the web's main search interfaces deserve the result.

Regarding that entire Chrome marketing sentence on the Google main page - it was only a couple of months back that adding the one word 'Privacy' required the intervention of 'The Founders' and the removal of the word 'Copyright' to maintain some mystical word count...

Those who push an 'early beta' on the general public via a prominent link on one of the web's main search interfaces deserve the result.

Absolutely! I had my mum asking me should she download this Chrome Beta thing that Google was on about. I'm guessing there are lots of people who don't have a clue what beta software is.

yeah beta software to most people means 'new' or 'shiny'. Where most developers know, 'pre release' or 'ready for user testing'. Its common to find bugs with a new product, hopefully there wont be too many with chrome!

Google tends to use the word "beta" in a non-standard way. They keep the label for a long, long time. Google Chrome has been under development for what, 3-4 years? For lots of companies, that would be version 3!

I was just waiting for this news from the media, just on TV "Google Chrome gives every user a identity no." so they know how surfs what, they just cant let it be, they keep collecting personal info as much as possible.

Google phones home with your system variables and assigns your browser an unique user ID among other tracking data. And you get a brand new shiny Google tracking cookie that lasts 2 years.

/service/check2?appid=%7B430FD4D0-B729-4F61-AA34-91526481799D%7D
&appversion=1.2.131.11&applang=&machine=0&version=1.2.131.11
&machineid=%7B4F599683-B0DE-46F0-A73C-E8A4623C92BD%7D
&userid=%7BAD99E17C-DE6C-4ED7-8FE7-4919642086C7%7D&osversion=5.1
&servicepack=Service%20Pack%202 HTTP/1.1
User-Agent: Google Update/1.2.131.11;winhttp
Host: cr-tools.clients.google.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache

Additionally, there is another privacy factor in using Google Chrome

Los Angeles (CA) – Can a browser’s search function work too well? After playing around with Google’s brand new Chrome browser, we’ve discovered that its history search box will fetch all types of data - even text from HTTPS-protected financial sites like Washington Mutual and Capital One. With a few utterly simple keywords like balance, account and Sept., everything from balance information, account numbers and even how much you spent at Costco can be pulled up.

[tgdaily.com...]

[edited by: tedster at 2:24 am (utc) on Sep. 6, 2008]
[edit reason] make link cliackable [/edit]

Auto-Suggest Privacy Issues with Google Chrome.

Yes, we will creepily retain your input.

Provided that users leave Chrome's auto-suggest feature on and have Google as their default search provider, Google will have access to any keystrokes that are typed into the browser's Omnibox, even before a user hits enter.

What's more, Google has every intention of retaining some of that data even after it provides the promised suggestions. A Google representative told CNET News that the company plans to store about 2 percent of that data--and plans to store it along with the Internet Protocol address of the computer that typed it.

[news.cnet.com...]

[edited by: tedster at 2:25 am (utc) on Sep. 6, 2008]
[edit reason] make link clickable [/edit]

Here's another report for a different vulnerability:

The vulnerability is caused due to a boundary error when handling the
"SaveAs" function. On saving a malicious page with an overly long title
(<title> tag in HTML), the program causes a stack-based overflow and makes
it possible for attackers to execute arbitrary code on users' systems.

[securityfocus.com...]

I still don't know why they announced the beta on their home page so quickly. They better close these gaps quickly.

Billys - you can be sure they will NEVER close all trackings, thats what google is about to get as much info as possible, for ads and who knows what. The reason for a browser from google is new informations from the users, its that simple.

Using a Packet Sniffer to See What Google Chrome Sends Back to Google Labs.

If you use Google Chrome, Google will know every URL you type into the location bar. More than that, they will know (almost) every partial URL you type into the location bar. More than that, they will know every word or phrase you type into the location bar, even if you type it and then delete it before pressing enter. More than that, all this information can be linked with your main Google account, because Google sends your cookie along with every automatic search it performs from the location bar. Chrome will use the cookie of whatever Google account you are currently logged into.

Additionally, this data will be sent to Yahoo or MSN if you have enabled them as the default search engine.

[coderrr.wordpress.com...]

[edited by: tedster at 8:22 pm (utc) on Sep. 6, 2008]
[edit reason] make link clickable [/edit]