Tuesday, September 09, 2008

Chrome updates offer a HUGE exploit window

I'm loving Google Chrome, the new browser offering from the Googleplex. However I was very worried this morning when I read that they have a proprietary (ie. not open-source) update infrastructure which downloads updates to the user's browser without telling them.

This is a major security flaw, and I'm frankly surprised by it - perhaps it is intended to be a short-term fix whilst the browser is in Beta, but many Google products (e.g. GMail) seem to never leave Beta. The real problem with the approach they've taken is their lack of transparency about security flaws and the fact they leave users in the dark:

"Users do not get a notification when they are updated ... When there are security fixes, it's crucial that we update our users as quickly as possible in order to keep them safe. Thus, it's important for us to not require user intervention."

That sounds very noble, but the problem is that it leaves users unable to reject an update as well. That means that if Google decides they want to change the browser to slap ads in your face every 30 seconds you can't stop it from doing that (you can always go back to another browser - assuming competitors still exist). More importantly it means that if some criminal did manage to take control (however briefly) of Google's update infrastructure then they could install whatever they like on your PC.

In fact any update infrastructure allows this to happen, and many are vulnerable to it. Google's not particularly different, and with the attitude they are displaying at the moment they are more likely to be exploited - because the people that could help them find problems are not being given full access to the software updates (the latest security changes do not show in the open-source changelog). Of course, not updating your software leaves you even more vulnerable.

A recent study into the update problem for browsers (found via ESJ) looked into the problem of users who do not update their browsers:

Figure 1: The Web browser Insecurity Iceberg represents the number of Internet users at risk because they don't use the latest most secure Web browsers and plug-ins to surf the Web. This paper has quantified the visible portion of the Insecurity Iceberg (above the waterline) using passive evaluation techniques - which amounted to more than 600 million users at risk not running the latest most secureWeb browser version in June 2008.

"We believe the auto-update mechanism as implemented within Firefox to be the most efficient patching mechanism of the Web browsers studied. Firefox's mechanism regularly polls an online authority to verify whether a new version of the Web browser is available and typically prompts the user to update if a new version exists. With a single click (assuming that the user has administrative rights on the host), the update is downloaded and installed. Just as importantly, Firefox also checks for many of the currently installed Firefox plug-ins if they are similarly up to date, and, if not, will prompt the user to update them. Opera's update mechanism is essentially the same procedure as a manual download and re-installation of the browser.

Figure 3: Maximum share of users surfing the Web with the most secure versions of Firefox, Safari, Opera and Internet Explorer in June 2008 as seen on Google websites.While Microsoft’s operating system auto-update functionality encompasses the Internet Explorer update mechanism even if the browser is not in use, the fact that patch updates (for both Internet Explorer 6 and 7) are typically only made available on a monthly basis means that updates are released less frequently (when compared to Firefox), which can result in a lower short term patching effectiveness.

Based upon our findings, we strongly recommend that software vendors embrace auto-update mechanisms within their products that are capable of identifying the availability of new patches and installing security updates as quickly and efficiently as possible - ideally enabled by default and causing minimal disruption to the user. We also recommend that these same auto-update mechanisms are capable of alerting the user of any plug-ins currently exposed through the Web browser that have newer and more secure versions available.


Given the state of the software industry and the growing threat of exploitable vulnerabilities within all applications (not just Web browsers), we believe that the establishment of a ”best before” date for all new software releases could prove an invaluable means to educating the user to patch or ”refresh” their software applications. The same ”best before” date information could also be leveraged by Internet businesses to help evaluate or mitigate the risk of customers who are using out of date software and are consequently at a higher risk of having been compromised."

It is worth noting that the researchers do not recommend a solution that involves automatic updating of the browser without user permission - rather they would prefer to let users know the "use by" date of their software in order to inform them that an update is required (see the paper for more details on how they suggest this could be done). Also their research paper notes that "Access to Google’s global Web server logs enabled the authors to provide the first in-depth global perspective on the state of insecurity for Web browser technologies," so it's not like some part of Google was unaware of the study.

Personally whilst I will continue using Chrome for some of my browsing I will be re-evaluating my continued use of it based on how Google responds to these sorts of security issues. I recommend you do the same.