Are browsers getting safer?

The other day, when I started my PC, a small window popped up.

An update of Google Chrome is available

Install the update

or

Remove Google Chrome

Due to the new Google privacy conditions and personal integrity I became reluctant to use Google products, so I decided to “Remove Google Chrome”. But the question is: why does Google propose to remove or update?

At the HP-funded live hack last year, Google Chrome withstood the hacks. But this year, on March 7-9, Google Chrome was the first browser to fail, during the first 5 minutes of the live attacks. Google put up $1.000.000 for people who can demonstrate vulnerabilities in Chrome and, as the following screenshot shows, $60.000 will go to Sergey Glazunov for his two critical submissions against the most recent version of Google Chrome (i.e. zero-day).

VUPEN, another team of hackers from France, which obviously sells vulnerabilities and exploits to “government customers”, used two zero-days and took down Google Chrome on 64-bit Windows 7 with the latest patches. They were able to completely take over the system without any user interaction!!! I am sure they could cash some of the reward money from Google.

But don’t panic: according to Google, Chrome update 17.0.963.78 already has the necessary patches.

What about other browsers?

Well, according to VUPEN co-founder and head of research Chaouki Bekrar, his team was equipped with zero-day flaws for all four major browsers: Google Chrome, Microsoft Internet Explorer, Apple Safari and Mozilla Firefox. “….but he said the decision to go after Chrome first was a deliberate tactic.” “We wanted to show that Chrome was not unbreakable. Last year, we saw a lot of headlines that no one could hack Chrome. We wanted to make sure it was the first to fall this year…”

Later on, VUPEN demonstrated a zero-day for Internet Explorer, including a Protected Mode bypass. IE9 on Windows 7 was completely owned.

A video on YouTube shows how Chrome is hacked.

What about Adobe?

Adobe has fixes for Flash Player. Flash Player 11.1.102.63 contains priority 2 updates that address critical vulnerabilities on Windows, Macintosh, Linux, Android 4.x, and Android 3.x and 2.x. These vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system.

Specifically, the update fixes a memory corruption vulnerability in Matrix3D that could lead to code execution (CVE-2012-0768) and resolves integer errors that could lead to information disclosure (CVE-2012-0769). Adobe recommends that users install the update within 30 days. This is because there are currently no known exploits and, based on previous experience, Adobe does not anticipate that exploits are imminent.

AFFECTED SOFTWARE VERSIONS

  • Adobe Flash Player 11.1.102.62 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems
  • Adobe Flash Player 11.1.115.6 and earlier versions for Android 4.x
  • Adobe Flash Player 11.1.111.6 and earlier versions for Android 3.x and 2.x

The new version is available from Flash Player Download Center.
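An added example (not from the original post or from Adobe): a small inventory check that flags installed Flash Player versions at or below the "and earlier" thresholds listed above. The platform labels, host names and inventory rows are constructed for illustration.

```python
# Thresholds are the "and earlier" versions from the affected-software list.
# Platform labels are hypothetical names chosen for this example.
AFFECTED_UP_TO = {
    "desktop": "11.1.102.62",         # Windows, Macintosh, Linux, Solaris
    "android-4.x": "11.1.115.6",
    "android-2.x-3.x": "11.1.111.6",
}

def parse_version(text):
    """Turn '11.1.102.62' (or '11,1,102,62') into (11, 1, 102, 62)."""
    # Assumption: some inventory sources report the version comma-separated.
    parts = text.strip().replace(",", ".").split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        raise ValueError(f"not a four-part Flash Player version: {text!r}")
    return tuple(int(p) for p in parts)

def is_affected(platform, installed):
    """True when the installed version is at or below the listed threshold."""
    # Compare as integer tuples: as strings, '11.1.102.9' sorts after
    # '11.1.102.62' and an affected build would be reported as patched.
    return parse_version(installed) <= parse_version(AFFECTED_UP_TO[platform])

def audit(inventory):
    """Return (host, status) pairs; unknown data is flagged, never assumed safe."""
    results = []
    for host, platform, version in inventory:
        try:
            status = "AFFECTED" if is_affected(platform, version) else "ok"
        except (KeyError, ValueError):
            status = "REVIEW"  # unknown platform or unparseable version
        results.append((host, status))
    return results

# Constructed sample inventory: (host, platform, reported version).
INVENTORY = [
    ("ws-01", "desktop", "11.1.102.62"),
    ("ws-02", "desktop", "11.1.102.63"),
    ("ws-03", "desktop", "11,1,102,9"),
    ("tab-01", "android-4.x", "11.1.115.6"),
    ("ph-01", "android-2.x-3.x", "11.1.111.7"),
    ("ws-04", "desktop", "unknown"),
]

if __name__ == "__main__":
    for host, status in audit(INVENTORY):
        print(f"{host:8} {status}")
```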

What about Mac?

Apple has released iOS 5.1 for the iPhone 3GS, 4 and 4S, the 3rd and 4th generation iPod touch, and all of its iPad models. About 90 security fixes, especially for browsing functions, some of which may relate to the Chrome security issues, were identified and fixed in iOS 5.1.

It is your system, your data, your browser

In my understanding, you may have a favourite browser and would not change it for any reason. Well, that sounds OK, but don’t forget to continuously update your OS, browser, … and you may need to listen to rumours about security. Then you have enough information to take the necessary actions.
