security
Expanding the Chromium Security Rewards Program
It’s hard for us to believe, but it’s been just over two years since we first announced the Chromium Security Rewards Program.
We’ve been delighted with the program’s success; we’ve issued well over $300,000 of rewards across hundreds of qualifying bugs, all of which we promptly fixed. It also helped inspire a wave of similar efforts from companies across the web, including Google’s own vulnerability reward program for web properties, which has also been a big hit.
We’ve been fascinated by the variety and ingenuity of bugs submitted by dozens of researchers. We’ve received bugs in roughly every component, ranging from system software (Windows kernel / Mac OS X graphics libraries / GNU libc) to Chromium / WebKit code and to popular open source libraries (libxml, ffmpeg). Chromium is a more stable and robust browser thanks to the efforts of the wider security community.
Today we’re expanding the scope of the Chromium program to formally include more items that deserve recognition:
- High-severity Chromium OS security bugs are now in scope. Chromium OS includes much more than just the Chromium browser, so we’re rewarding security bugs across the whole system, as long as they are high severity and present when “developer mode” is switched off. Examples of issues that may generate a reward could include (but are not limited to):
  - Renderer sandbox escapes via Linux kernel bugs.
  - Memory corruptions or cross-origin issues inside the Pepper Flash plug-in.
  - Serious cross-origin or memory corruption issues in default-installed apps, extensions or plug-ins.
  - Violations of the verified boot path.
  - Web- or network-reachable vulnerabilities in system libraries, daemons or drivers.
  Chromium OS security bugs should be reported in the Chromium OS bug tracker, whilst security bugs affecting the desktop Chromium browser should be reported in the Chromium bug tracker.
- We may elect to issue “bonuses” ranging from $500 to $1000 if a bug reporter takes on fixing the bug they have found themselves. For eligibility, this process involves working with the Chromium community to produce a peer reviewed patch. These bonuses are granted on top of the base reward, which typically runs between $500 and $3133.70.
- The base reward for a well-reported and significant cross-origin bug (for example a so-called UXSS or “Universal XSS”) is now $2000.
Perhaps most importantly, this program reflects several of our core security principles: engaging the community, building defense in depth, and particularly making the web safer for everyone.
Related to this third core principle, we’re particularly excited by all the work that has been done on shared components. For example, a more robust WebKit not only helps users of two major desktop browsers, but also a variety of tablet and mobile browsers.
Google Chrome Blog: German Federal Office of Information Security recommends Chrome
Today the BSI, Germany’s Federal Office for Information Security, released a best practice guide for Windows users as part of their overall guidelines and recommendations for Cyber Security. Security has always been a core focus of Chrome, so we’re particularly honored to see several of its security benefits recognized in the report:
The browser is the central component for using any online service on the Web and therefore is the most critical attack surface for cyber attacks. Therefore, if possible, you should use a browser with sandbox technology. The browser that currently most consistently implements this protection is Google Chrome (https://www.google.com/chrome). Comparable mechanisms implemented in other browsers are either weaker, or non-existent. By using Google Chrome, in addition to the other mechanisms we mentioned, you can significantly reduce the risk of a successful IT attack.
In addition to Chrome’s sandbox, the guide also highlights the importance of Chrome’s auto-update feature:
Equally positive is the auto-update functionality of Google Chrome, which includes a bundled version of the Adobe Flash Player. By bundling it with Chrome, the Adobe Flash Player will also always be kept up to date.
On the eve of Safer Internet Day, security on the web still faces a variety of challenges. We hope our efforts to improve the security and privacy of our users continue to help make the web a better place.
All About Safe Browsing
While the web is a virtual treasure trove of great content, it’s also used by bad guys to steal personal information. One of Chrome’s most advanced security features, Safe Browsing, helps protect against the three most common threats on the web: phishing, drive-by malware, and harmful downloads. We recently announced some new enhancements to Safe Browsing, so we thought we’d offer an inside look into how it works.
Safe Browsing downloads a continuously-updated list of known phishing and malware websites, generated by an automated analysis of our entire web index. Each page you visit, and each resource (such as pictures and scripts) on the page, are checked against these lists. This is done in a way that does not reveal the websites you visit, and is described in more detail in our video on Safe Browsing. If Chrome detects that you’ve visited a page on the list, it warns you with a large red page that helps you get back to safety.
Of course, this only helps for dangerous content that Google already knows about. To provide better protection, Safe Browsing has two additional mechanisms that can detect phishing attacks and harmful downloads the system has never encountered before.
Phishing attacks are often only active for a few short hours, so it’s especially important to detect new attacks as they happen. Chrome now analyzes properties of each page you visit to determine the likelihood of it being a phishing page. This is done locally on your computer, and doesn’t share the websites you visit with Google. Only if the page looks sufficiently suspicious will Chrome send the URL of that page back to Google for further analysis, and show a warning as appropriate.
Malicious downloads are especially tricky to detect since they’re often posted on rapidly changing URLs and are even “re-packed” to fool anti-virus programs. Chrome helps counter this behavior by checking executable downloads against a list of known good files and publishers. If a file isn’t from a known source, Chrome sends the URL and IP of the host and other meta data, such as the file’s hash and binary size, to Google. The file is automatically classified using machine learning analysis and the reputation and trustworthiness of files previously seen from the same publisher and website. Google then sends the results back to Chrome, which warns you if you’re at risk.
It’s important to note that any time Safe Browsing sends data back to Google, such as information about a suspected phishing page or malicious file, the information is only used to flag malicious activity and is never used anywhere else at Google. After two weeks, any associated information, such as your IP address, is stripped, and only the URL itself is retained. If you’d rather not send any information to Safe Browsing, you can also turn these features off.
This multi-pronged protection combines to make you much safer against the most prevalent attacks on the web while carefully guarding your privacy. We’ve always believed in making the web a safer place for everyone, so we also make the Safe Browsing API available for free to other browsers and websites.
Safe surfing!
Principles Behind Chrome Security
When we first set out to design Chrome, we knew we had a unique opportunity to improve the security of the web. In addition to speed and simplicity, we’ve been adamant that security be a central tenet of everything we build. Chrome and the web have since come a long way, and we’ve been challenged to protect a complex and rapidly changing browser against the many threats that emerge on the web.
After spending tens-of-thousands of hours working on ways to make users safer on the web, we thought it might be worth sharing the Chrome security principles that guide the work that we do.
There are lots of technical details, but the fundamentals have always been simple. Security should complement your browsing experience, not detract from it, and your browser should be secure by default -- no configuration required. No defense is ever perfect, so we rely on multiple layers of protection to help guard against single points of weakness. We support and fund the security research community in their work to identify weaknesses, and when vulnerabilities are found, we pride ourselves on patching them faster than any other browser.
These principles have served us well in protecting users while keeping Chrome super fast and easy to use. If you develop software, we hope you find them helpful in securing your own product, and if you’re a Chrome user, that they give some insight into the many ways we work to help you surf with confidence.
Google Chrome Blog - Speed and Security
Today’s Beta release improves on two of Chrome’s core principles: speed and security.
One of the things people like best about Chrome is that it loads web pages quickly. To get you where you want to go even faster, Chrome will now start loading some web pages in the background, even before you’ve finished typing the URL in the omnibox. If the URL auto-completes to a site you’re very likely to visit, Chrome will begin to prerender the page. Prerendering reduces the time between when you hit Enter and when you see your fully-loaded web page--in some cases, the web page appears instantly.
On the security front, improvements to Chrome’s Safe Browsing technology should help protect you from additional types of malware attacks. Previously, Chrome focused primarily on protecting you from sites that would exploit your computer with no user interaction required. Now, we’re seeing an increase in malicious websites that try to convince you to download and run a file that will harm your computer. Some websites even pretend this malicious file is a free anti-virus product.
To help protect you against malicious downloads, Chrome now includes expanded functionality to analyze executable files (such as “.exe” and “.msi” files) that you download. If a file you download is known to be bad, or is hosted on a website that hosts a relatively high percentage of malicious downloads, Chrome will warn you that the file appears to be malicious and that you should discard it. We’re starting small with this initial Beta release, but we’ll be ramping up coverage for more and more malicious files in the coming months. Remember, no technical mechanism can ever protect you completely from malicious downloads. You should always be careful about which files you download and consider the reputation of their source.
Try out these changes in the new Chrome Beta--we look forward to hearing your feedback. As always, please keep in mind that the Beta channel inherently comes with more bugs and kinks to work out.
What’s the Most Secure Web Browser?

A new Google-funded study of browser security by security research firm Accuvant Labs crowned Chrome the champion of security features, and ranked Firefox below Internet Explorer in terms of protection available from web-borne threats. Predictably, Microsoft and Mozilla have different opinions on what makes a browser secure, and why Accuvant's findings are off base. All of this got us thinking about which browser is the most secure, and whether the security features listed in studies like this even matter to the rest of us.
Google Chrome Is The Most Secure Web Browser
Google funded study confirms.
Accuvant, the US-based research firm, has published a new study comparing the security features of the three most popular web browsers: Internet Explorer, Google Chrome and Firefox.
As it turns out, the study, funded by the search giant, concluded that Google Chrome is the most secure browser out there, followed by Internet Explorer and Firefox.

After such claims, Mozilla has decided to respond with the following statement:
“Firefox includes a broad array of technologies to eliminate or reduce security threats, from platform level features like address space randomization to internal systems like our layout frame poisoning system. Sandboxing is a useful addition to that toolbox that we are investigating, but no technology is a silver bullet. We invest in security throughout the development process with internal and external code reviews, constant testing and analysis of running code, and rapid response to security issues when they emerge. We’re proud of our reputation on security, and it remains a central priority for Firefox.”
So here you have it folks. Despite continuous IE bashing in various communities, it still managed to beat Firefox in a non-biased study.
What do you think?
Google Chrome Is Malware, According To Microsoft
Chrome users began reporting the specious detection of the browser early Friday in a quickly growing thread on a Google support forum.
Numerous users complained in Google Forums about the warnings they received in Microsoft Security Essentials, a free, consumer-grade anti-virus product from Microsoft. According to various reports, MSE identified a problem with the Google Chrome web browser and tagged it as: PWS:Win32/Zbot.
Fortunately, Microsoft became aware of the problem and issued the following statement:
An incorrect detection for PWS:Win32/Zbot was identified and as a result, Google Chrome was inadvertently blocked and in some cases removed from customers’ PCs. We have already fixed the issue…but approximately 3,000 customers were impacted.
Microsoft told users to update Security Essentials with the new definition file, then reinstall Chrome.
For its part, Google slapped a red warning banner at the top of its Google support pages that read, “Alert: Google Chrome has been incorrectly marked as malware by Microsoft security software.”
Wow, that’s certainly one way to win the browser war. - Andrew Storms, director of security operations at nCircle Security
FBSecure Gives You Control Over Facebook App Permissions

Chrome/Firefox: FB Secure is a Chrome extension that gives you precise control over the permissions that a Facebook application or game gets when you connect it with your Facebook account. For example, if you're connecting an app but don't want it to post to your wall, you can deny those permissions while accepting the rest.
Google Chrome Blog: Chromebook security: browsing more securely
In the past, we’ve written a good deal about the Chrome sandbox and other security features that we built into the Chrome browser. These features demonstrate the Chrome team’s overall focus on providing usable security even as we continue our rapid development work on the project.
Chromebooks take Chrome and its core values (simplicity, speed and security) and apply them to our own operating system infrastructure. The result is a multi-layered set of defenses which boosts the security of Chromebooks against malicious software that could compromise and linger on the system. While no software is perfect or completely secure, we believe we’re taking an important step forward.
Let’s take a quick look at some of the Chromebook security features that, when paired with good web hygiene, make it easier to browse the web safely. (We’re already handling updates and malware resistance on the Chromebook automatically!)
Monitor Kids on Facebook Without Being Their 'Friend'
Parents fret all the time about protecting their kids on Facebook, but many of the products and services I’ve seen that aim to help are intrusive, and inject the parents into the child’s normal, healthy online social life in a way that’s awkward for both.
Google Introduces an Official URL Shortener for Google Pages Only

For awhile, Google's been using their own goo.gl shortener to compress long links, but as of today they'll be using a different shortener, g.co. However, the goal behind g.co is not to provide another URL shortener for you to create short links. Instead, it's a service that only Google can use to shorten links to their own pages—that way, when you see a g.co link, you know that it's coming from a trusted source and you can click on it. For your own links, you can still use Goo.gl, but just know that when you see a g.co link around the internet, it's coming straight from Google and is safe to click on. [Official Google Blog]
Google Chrome Blocks Insecure Scripts

Thanks to the continuous security improvements, the latest dev version of Google Chrome now blocks insecure scripts.
If the web site is secured via HTTPS protocol, Google’s web browser will also check whether or not the specific parts of the code (such as scripts, external CSS, etc.) also use HTTPS to deliver data.
In case they do not, Google Chrome will notify the user and offer to either block the insecure script or load it anyway.
[Thanks, FForever]
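The check described above can also be run by a site owner before a release. The following is an added example, not code from Chrome or from the original post: it scans the markup of an HTTPS page for scripts and external stylesheets that would be fetched over plain HTTP. The function names and the sample markup (with placeholder hosts) are constructed for illustration.

```javascript
// Added example: find scripts and stylesheets that an HTTPS page
// would load over plain HTTP (the case the browser warns about).

// Constructed sample markup; all hosts are placeholders.
const SAMPLE_HTML = `
<html><head>
  <script src="http://cdn.example.test/lib.js"></script>
  <script src="//cdn.example.test/ok.js"></script>
  <script src="/local/app.js"></script>
  <link rel="stylesheet" href="http://static.example.test/site.css">
  <link rel="icon" href="http://static.example.test/favicon.ico">
  <LINK HREF='https://static.example.test/safe.css' REL='stylesheet'>
  <script>var inline = "http://not-a-fetch.example.test/";</script>
</head><body></body></html>`;

// Parse the attribute part of a tag into a lower-cased name -> value map.
function parseAttributes(tagText) {
  const out = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m;
  while ((m = re.exec(tagText)) !== null) {
    out[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return out;
}

// Return [{tag, url}] for every script or stylesheet reference that
// resolves to http: when the page itself is served over https:.
function findInsecureSubresources(pageUrl, html) {
  const page = new URL(pageUrl);
  if (page.protocol !== 'https:') return []; // only HTTPS pages are affected
  const findings = [];
  const tagRe = /<(script|link)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const a = parseAttributes(m[2]);
    let ref;
    if (tag === 'script') {
      ref = a.src; // inline scripts have no src and are skipped
    } else if ((a.rel || '').toLowerCase().split(/\s+/).includes('stylesheet')) {
      ref = a.href; // only stylesheet links, not icons etc.
    }
    if (!ref) continue;
    let resolved;
    try {
      // Resolves relative and protocol-relative ("//host/x") references
      // against the page URL, the way a browser would.
      resolved = new URL(ref.trim(), page);
    } catch {
      continue; // unparseable reference
    }
    if (resolved.protocol === 'http:') {
      findings.push({ tag, url: resolved.href });
    }
  }
  return findings;
}

for (const f of findInsecureSubresources('https://shop.example.test/cart', SAMPLE_HTML)) {
  console.log(`insecure <${f.tag}>: ${f.url}`);
}
```

A regular expression is enough for a build-time audit of your own templates; it is not a full HTML parser and will miss references that scripts add at run time.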
New Chromium security features, June 2011
When the Google Chrome Security Team isn’t busy giving prompt attention to finding and fixing bugs, we’re always looking for new security features to add and hardening tweaks to apply. There are some changes worth highlighting in our current and near-future Chromium versions:
Chromium 11: strong random numbers for the web
We added a new JavaScript API for getting access to a good source of system entropy from a web page. The new API is window.crypto.getRandomValues. Web pages should not currently be using Math.random for anything sensitive. Instead of making a round-trip to the server to generate strong random numbers, web sites can now generate strong random numbers entirely on the client.
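An added example (not from the original post) of using crypto.getRandomValues in place of Math.random for security-sensitive values: a hex token, an unbiased integer via rejection sampling, and a short code drawn from a custom alphabet. The helper names randomToken, randomInt and randomCode are illustrative, and the require fallback is only there so the block also runs under older Node.js versions.

```javascript
// Added example: client-side strong randomness with crypto.getRandomValues.
// In a browser this is window.crypto; the fallback covers Node.js builds
// where the Web Crypto object is not a global.
const cryptoObj = globalThis.crypto ??
  (typeof require === 'function' ? require('crypto').webcrypto : undefined);

// Hex token suitable for nonces or CSRF-style values (16 bytes = 128 bits).
function randomToken(byteLength = 16) {
  const bytes = new Uint8Array(byteLength);
  cryptoObj.getRandomValues(bytes);
  return Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
}

// Uniform integer in [0, max). A plain `x % max` over a 32-bit value is
// slightly biased toward small results whenever max does not divide 2^32,
// so values at or above the largest multiple of max are rejected and redrawn.
function randomInt(max) {
  if (!Number.isInteger(max) || max <= 0 || max > 0x100000000) {
    throw new RangeError('max must be an integer in 1..2^32');
  }
  const limit = Math.floor(0x100000000 / max) * max;
  const buf = new Uint32Array(1);
  let x;
  do {
    cryptoObj.getRandomValues(buf);
    x = buf[0];
  } while (x >= limit);
  return x % max;
}

// Short human-readable code, each character chosen without modulo bias.
function randomCode(length, alphabet) {
  let out = '';
  for (let i = 0; i < length; i++) {
    out += alphabet[randomInt(alphabet.length)];
  }
  return out;
}

console.log('token:', randomToken());
console.log('die roll:', randomInt(6) + 1);
console.log('code:', randomCode(8, 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789'));
```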
Chromium 12: user-specified HSTS preloads and certificate pins
Advanced users can enable stronger security for some web sites by visiting the network internals page: chrome://net-internals/#hsts
Google Chrome Hits Version 12, Gets Safer Downloads and Hardware Acceleration, Loses Gears

Google Chrome's stable release has now reached version 12, bringing hardware acceleration for 3D CSS, better in-browser privacy for the built-in Adobe Flash Player, and safer downloads. Chrome 12 will automatically scan downloads to check for malicious files, warning users when they're found. With the new updates comes a loss, though, as Gears is now officially kaput—which means no more offline Gmail access for Chrome users. The update will automatically take place over the next couple of days. [Download Google Chrome via Google Chrome Blog]
Option to Encrypt All Synced Personal Data Coming to Chrome

A new option's shown up in Chromium builds that allows users to choose what type of cached personal data should be encrypted as it's sent to Google's cloud. Until now, only saved passwords have been encrypted, but the new option would conceivably cover everything from saved form data, like credit card numbers, to Omnibar auto-completions and what extensions are installed. [Browser Scene]
SSL FalseStart Performance Results
8 Things You Need To Know About Google Chromebook
The much awaited laptop powered by Google Chrome (a cloud-based operating system) is all set for launch on June 15.
Here are a few things that you need to know about the all-new Chromebook.

How does it work?
The Chromebook should always be connected to the Internet in order to make use of its functionality. In other words, everything will be in the cloud and you’ll need the Internet to access all of the apps, documents, photos, movies etc. Installing or updating software, backing up files, running anti-virus checks and all other PC-related tasks will be eliminated, as everything will be done over the cloud.
Who will release the laptops?
Google has tied up with Samsung and Acer which will release laptops powered with Chrome OS.
The Samsung’s device will come with 12.1-inch screen with an 8-hour battery life and will retail for $429 (Wi-Fi enabled) and $499 (3G enabled laptop), while Acer’s device will be an 11.6-inch display and a 6.5-hour battery life. Acer’s notebook will start at $349 and up.
No storage
Since the Chromebook is Internet based, all of the files and folders will be stored in the cloud. The laptops will be highly integrated with the cloud services and there will be no storage space available. However, the laptop will have slots to plug in other storage devices.
Boot-up Time?
According to Google, Chromebooks will boot in about eight seconds or less. Once one is up and running, it will check for any updates and reboot with the latest version.
Offline mode?
Yes, you can work with your Chromebook if you’re not connected to the Internet. You can access Google Docs, Google Calendar and Gmail accounts without an Internet connection. (You won’t be updated with new notifications/mails if you’re not connected to the Internet)
Security
Chromebooks use the principle of “defense in depth” to provide multiple layers of protection, so if any one layer is bypassed, others are still in effect. Your files and folders will be protected and will be kept safe.
Availability
Chromebooks will be available for sale from June 15.
Laptop Specs
Acer Specifications:
- 11.6″ HD Widescreen CineCrystal™ LED-backlit LCD
- 2.95 lbs. | 1.34 kg.
- 6 hours of continuous usage
- Intel® Atom™ Dual-Core Processor
- Built in dual-band Wi-Fi and World-mode 3G (optional)
- HD Webcam with noise cancelling microphone
- High-Definition Audio Support
- 2 USB 2.0 ports
- 4-in-1 memory card slot
- HDMI port
- Fullsize Chrome keyboard
Samsung Specifications:
- 12.1″ (1280×800) 300 nit Display
- 3.26 lbs / 1.48 kg
- 8.5 hours of continuous usage
- Intel® Atom™ Dual-Core Processor
- Built in dual-band Wi-Fi and World-mode 3G (optional)
- HD Webcam with noise cancelling microphone
- 2 USB 2.0 ports
- 4-in-1 memory card slot
- Mini-VGA port
- Fullsize Chrome keyboard
- Oversize fully-clickable trackpad
The Legend of Google Chrome Sandbox is No More
Google Chrome’s sandbox was assumed to be the uber security feature of any browser to date. Prize money of a whopping $20000 and star recognition were not motivation enough to crack Google Chrome’s sandbox. It seemed like Pwn2Own contestants were giving up on hacking Google Chrome. Now, though, they will have more hope.

Finally, VUPEN, a security research firm, seems to have gotten in and out of the Google Chrome sandbox with ease. They claim this by saying,
The exploit shown in this video is one of the most sophisticated codes we have seen and created so far as it bypasses all security features including ASLR/DEP/Sandbox (and without exploiting a Windows kernel vulnerability), it is silent (no crash after executing the payload), it relies on undisclosed (0day) vulnerabilities discovered by VUPEN and it works on all Windows systems (32-bit and x64).
The attack was carried out on Google Chrome v11.0.696.65 on a Windows 7 64 bit system. This attack exploits the Chrome sandbox and successfully downloads a sample calculator program on your computer. This calculator can of course be any other malicious EXE file if you are a cracker. The guys at VUPEN have refused to release any code for the hack, though they have decided to share it with the Government.
This has come up a few hours from the Google I/O Conference and last I heard, Google I/O was going to be all about Android this time.
As always, Google can be expected to release a statement on this very soon. Over the years, Google has grown extremely protective of Google Chrome and it was only a matter of time before someone hacked the sandbox. Clearly, the sandbox is all that stands between the browser and the hacker. In the meanwhile, you can see this video on YouTube and understand better what is happening there.
Check out the VUPEN research page here.
Three years of legacy comes to an end. Google Chrome finally seems to be hacked.
Google Chrome Blocks Java
Java and security vulnerabilities go together like bread and butter and fortunately for some users, it is now blocked in Google Chrome.
If a web page tries to access the Java plug-in, the following message will be displayed:
“The Java plug-in needs your permission to run.”
After this popup, the user can choose whether to run the plug-in this time only or whitelist the site altogether.
For those who would like to disable this protection, all you have to do is add the --always-authorize-plugins command line flag.
Good news, nonetheless.




