Chrome had just one day to sparkle before it was hit by two security issues, IDG News reports. Researchers say that two bugs in Google's new browser stem from known security holes and are twice as malicious because of the new browser's design.
According to security researcher Aviv Raff, who discovered the malicious code download vulnerability, the problems stem from the fact that Chrome combines features from Firefox and Safari, and that means it doubles up on their vulnerabilities as well. As he says in his post describing the holes:
"I really wonder why Google have taken several features from other browsers and mixed them all together. Security-wise, it’s very problematic. They’ll have to track all security vulnerabilities in those features, and fix them in Chrome too. This will probably be only after those vulnerabilities were fixed by the other vendors or were publicly reported. It will put Chrome users at risk for a long time."
As an example, he says the bug he found was a known WebKit problem that has since been cleaned up in the latest version of Safari (3.1). Unfortunately, Google's Chrome uses the older, buggier version of WebKit. Google then exacerbated the problem with Chrome's new download design. By default, Chrome downloads files into a folder and then displays a download bar at the bottom of the browser page. If users wish to view the file, they click on the bar, and if the file is an executable, Windows displays a warning. But if the file is a Java Archive (JAR), Windows automatically runs the file without a warning. Since Chrome's design makes the bar appear to be part of the Web page, users might think they're clicking on a link or a button on the page rather than opening a downloaded file, Raff said. The result is a blended threat, where "two small issues in different products, when blended together create a much larger problem," he says.
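For defenders, the JAR behaviour described above can be turned into a download-folder audit. The following is an added example, not code from Raff or Google: it flags files that have a `.jar` extension and a manifest `Main-Class`, meaning they would start as a Java program when opened, assuming a Java runtime is associated with `.jar`. The file names and sample archives are constructed.

```python
import io
import zipfile

def make_jar(main_class=None):
    """Build a constructed in-memory JAR (sample input, not a real download)."""
    buf = io.BytesIO()
    manifest = "Manifest-Version: 1.0\r\n"
    if main_class:
        manifest += f"Main-Class: {main_class}\r\n"
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
    return buf.getvalue()

def runnable_main_class(data):
    """Return the manifest Main-Class of a JAR, or None if it has none."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return None
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        try:
            text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            return None
    # Normalise line endings, then unfold continuation lines (leading space).
    text = text.replace("\r\n", "\n").replace("\r", "\n").replace("\n ", "")
    for line in text.split("\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "main-class":
            return value.strip()
    return None

def audit_downloads(files):
    """Map each auto-launchable JAR name to its entry class.

    files: dict of file name -> file bytes. The extension check models the
    assumed .jar file association; the manifest check models runnability.
    """
    flagged = {}
    for name, data in files.items():
        if name.lower().endswith(".jar"):
            main = runnable_main_class(data)
            if main:
                flagged[name] = main
    return flagged

if __name__ == "__main__":
    sample = {  # constructed sample downloads
        "report.JAR": make_jar("com.example.Main"),
        "lib.jar": make_jar(),
        "notes.txt": b"plain text",
    }
    print(audit_downloads(sample))
```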
While Chrome is still in beta and probably launched sooner than Google had planned, due to the early release of its comic book intro, these types of security issues do not bode well for its future success. Tracking bugs in one tool is hard enough, never mind several. It will be interesting to see how Google approaches not only securing Chrome but patching it as well.
