Chrome users on the developer channel or Canary will see download warnings if they try to download a file on a website that matches the list of malicious websites published by Google’s Safe Browsing Api. The warning reads “This file appears to be malicious. Are you sure you want to continue” with options to discard and save. The options may cause quite the confusion among users, and it would probably have been better if Google would have simply added Yes and No buttons to the prompt
Another thing to remember is that all downloads of said websites will be flagged, regardless whether they are indeed malicious or dangerous in nature, or not. All downloads? Well that is not entirely right, at least not for now. Google flags all Windows executable downloads as suspicious if the site is on the Safe Browsing list. No warning is currently displayed for other files. These files are not actually scanned by Google, keep that in mind if the warning message pops up.
Google Chrome already sports a number of security-minded features, from Incognito mode to a software sandbox which makes exploiting the browser a Herculean task. Now, Google has announced additional protection for Chromium and Chrome users.
Built upon the Safe Browsing API, the new feature introduces protection against malicious downloads. If a download link appears in the Safe Browsing blacklist, Chrome and Chromium will warn users against downloading -- a save button is still presented, of course, in case you're convinced a file is perfectly safe to download.
We'd like to see something a bit more eye-catching than the red warning icon -- like perhaps painting the entire bar red. Many of the people a feature like this aims to protect probably won't notice the icon or change in wording as they'll be focused on clicking the save button.
Google is initially making download protection available to Chrome dev channel users, and you'll likely see it in Canary and Chromium snapshot builds as well. After thorough testing, beta and stable users will be next in line.
Pwn2Own, the annual three-day browser hackathon, has already claimed its first two victims: IE8 on Windows 7 64-bit, and Safari 5 on Mac OS X. Google Chrome looks set to survive for its third year in a row.
Internet Explorer 8 was thoroughly destroyed by independent researcher Stephen Fewer. "He used three vulnerabilities to bypass ASLR and DEP, but also escape Protected Mode. That's something we've not seen at Pwn2Own before," said Aaron Portnoy, the organizer of Pwn2Own.
Safari 5, running on a MacBook Air, was compromised in just five seconds by French security company Vupen. Both attackers netted $15,000 for successfully compromising a browser.
The contest continues today and tomorrow. Firefox 3.6 is yet to be attacked, and tomorrow will see the very first mobile browser deathmatch. Windows Phone 7, iOS, Android and RIM OS, all with their stock browsers, will be attacked by security researchers to find out just how secure mobile browsing is. Again, $15,000 is available for the first person or team to compromise each of the browsers.
Google, Apple and Mozilla, incidentally, all rolled out updates to their browsers just before Pwn2Own. It was not a coincidence.
Trustware's BufferZone was an early entrant into the desktop sandboxing arena. Sandboxing, of course, is the security-by-isolation system which has since been built into apps like Google Chrome and Adobe Reader X. Recently, Trustware launched a promotion and gave away BufferZone Pro for free -- and now the company is making the discount permanent. From now on, BufferZone Pro will be freeware.
But, wait -- BufferZone still doesn't support x64, and maybe you're thinking that there will be a paid version once a 64-bit Windows version arrives. Not so, Trustware's Efrat Schneider told me in an email: "The product will continue to be free," he replied.
If you're looking for a free way to tighten up security on your Windows system, BufferZone is an excellent app for the job. We'll let you know when the 64-bit version becomes available.
Google isn't just bringing the Chrome Browser to Pwn2Own 2011 -- this time, it's also bringing its own hardware. The Cr-48 Chrome OS laptop will be on hand for the browser exploiting hullabaloo, and Google is offering $20,000 and a CR-48 notebook for a successful exploit. According to the event's organizer, the attacker will also need to escape Chrome's sandbox. At last year's event, prominent researcher Charlie Miller said that's no easy task, so we're very curious to see whether someone will succeed this time around.
Offering cash for exposing vulnerabilities isn't anything new for Google, of course. The Big G just paid one developer $7,500 for finding a trio of vulnerabilities in Chrome back in January.
Google Chrome's security padlock is freaking me out. When I'm on sites that should be secure—like, say, Gmail—Chrome is giving me warnings that the page isn't secure. What's going on here? More »
Sandboxing in Chrome is currently only available for Windows, where it's particularly important for the relatively insecure Windows XP, and is rolling out to all Chrome Dev installations on Windows automatically. If you have a particular aversion to sandboxing your Flash experience, you can easily disable it with the flag --disable-flash-sandbox. For those of you who are running the beta or stable release of Chrome, but want to try out the developer version with Flash sandboxing for Windows, then head on over to Chromium.org and grab yourself the 'Dev channel' and install it over the top of your current Chrome version.
Over time, Google Chrome has achieved a reputation for being one of the fastest and most secure browsers. Chrome attributes much of it’s security due to the sandboxing model, which ensures that each tab runs in a separate process and cannot interfere with each other.
Google Chrome has gone the extra step to ensure that one of the most vulnerable software, Adobe Flash, gets constantly updated with bundling and auto-updating the Flash Player automatically. Extending this further, with the latest dev channel editions, Chrome also sandboxes Adobe Flash content. Chrome developers state that Chrome is the first browser under Windows XP which sandboxes Adobe Flash content and hopes this will protect users again most common malware.
For whatever reason, if you want to disable Flash sandboxing, add –disable-flash-sandbox as a command line parameter to your Chrome shortcut and you’re set.
Every time you try to download an application in Google Chrome, it gives you an annoying prompt at the bottom of your browser asking if you are sure. You can't disable this message outright, but you can make your downloading more keyboard-friendly. More »
Adobe Flash Player is now sandboxed in the latest dev channel release of Google Chrome, bringing a huge security benefit to Chrome users.
Chrome: Vanilla is a browser extension that serves as a whitelist for browser cookies, automatically blocking cookies from sites you don't explicitly allow. More »
Or so it seems.
According to the “Dirty Dozen” applications list (which is basically a collection/report of the most discovered software flaws that require security updates), when it comes to vulnerabilities, Google Chrome is the no. 1 application to get.
Furthermore, same report claims that Internet Explorer has far less security flaws than Safari or Firefox web browsers.
Good news for Opera users, as this browser had the lowest number of discovered vulnerabilities.
Statistics (application, number of security flaws found)
Adobe Flash remains a popular attack vector for malware authors. In addition to a seemingly never-ending supply of security flaws, bad guys know that people who use Flash often ignore the updater's prompts. That leaves users in an even more tenuous position, since they're still vulnerable to attacks Adobe has already patched.
That's one big advantage to Google Chrome's internal Flash plug-in. Since updates are delivered silently in the background to users, the internal plug-in is always up-to-date. This keeps everyone as safe as possible, but Chrome offers one more way to protect its users: sandboxing. By running unfamiliar Web code in its isolated sandbox, Chrome can execute that code in a safe environment -- where it can't harm your operating system.
Back when Google first announced internal Flash, one of their stated goals was "to further protect users by extending Chrome's 'sandbox' to web pages with Flash content." According to revision 66022, Google is making good on their promise. Sandboxed Flash is now supported in the Chromium source code, and should be available to Windows users of Canary and Chrome Dev very soon. A quick look through the source code seems to indicate that Chrome can sandbox not only its own internal Flash plug-in, but also the traditional Adobe version -- as long as it's version 10.1.103.19 or better.
This is great news for Chrome users. It was already an incredibly difficult browser to exploit, and sandboxing Flash will add another layer of armor to its defenses.
Facebook's immense popularity has made it a prime target for cybercriminals. Malicious (or 'poisoned') links, spam, and malvertising are all too common -- and it's far too easy for an unsuspecting Facebook user to be taken in. Hey, if one of your friends sends you a link to what seems like a hilarious picture, there's a decent chance you'll click through, right?
... And that's how the bad guys get you. Fortunately, however, there's a slick new Facebook app from BitDefender called safego that can help protect you (and your less-technical friends and family).
The idea is simple: install safego and let it scan your profile. Any links you've received will be scanned, including short URLs from services like bit.ly and tinyurl. Fire up the scanner and let it check all those new messages and wall posts you've received, and you'll know in an instant if there's anything that you should avoid clicking.
My mind boggles when I think about all of the infected computers I've cleaned that could have been spared that fate if their owners had used an app like safego to defend their Facebook profiles.
safego even checks your account for any privacy issues which might need to be addressed. Right now, unfortunately, attention items aren't linked -- so I can't find out what it is about my profile safego thinks I should check.
The app is in beta, however, so I'd fully expect that problem to be addressed by the time it sheds the tag. It's also worth noting that on some versions of Google Chrome the bottom boxes in safego's dashboard (last scanned items and infected items) never update. Again, this is likely a beta issue.
Growing pains aside, BitDefender safego is still a fantastic way for any Facebook user to protect him or herself. If you've ever been the victim of a malicious link on Facebook or had your profile attacked by some nasty malware, safego is an app you simple shouldn't be without.
BitDefender provides safego totally free, and with good reason. The Facebook app is a great idea, and it's got tremendous viral potential. That means a lot of free PR and more name recognition for BitDefender -- which in turn could lead to increased sales of the company's paid products.
It should also allow BitDefender greater insight into the Facebook threat landscape, and that's a good thing for all of us. The more security companies know about what the bad guys are up to on Facebook, the better equipped they'll be to protect us.
Install the BitDefender safego Facebook app
The passphrase option is currently only available in Chrome's Dev Channel, but these things usually trickle down to the Beta and Stable channels pretty quickly. You can find it in Options > Personal Stuff > Sync > Customize > Encryption tab. Once you set up your passphrase, you won't be able to sync any data to another Chrome install without entering it there as well. Also, Google won't be able to see any of your synced data, since it will be stored encrypted on their servers, and your passphrase itself never leaves your computer(s). One thing to keep in mind is that once you've set a passphrase, you can't remove it without clearing your sync data.
This is a neat addition to the sync feature, yet for complete peace of mind when passwords are involved, a dedicated tool like LastPass will probably work better. Granted, that does require an additional download and setup routine, and some simply won't go through that trouble -- so it's definitely cool that even integrated features receive additional security.