Chrome beats back hack attacks

Analysis
Mar 24, 20093 mins

The third annual Pwn2Own browser hacking competition is over, and just one browser was left standing: Google’s Chrome. And that’s pretty surprising, especially since Chrome has been pilloried of late due to its lack of security features, especially in terms of poor password protections and tepid malware recognition. But with Chrome, it’s not so much about its vulnerabilities–something all software has to some extent–but it’s lack of ways to exploit them.

According to TechSpot, Apple’s Safari browser succumbed to a hack during the contest in less than 10 seconds, while Firefox and IE went down shortly thereafter. And even after rules were relaxed on Day 2, making attacks a bit easier, Chrome still didn’t budge.

TechSpot says known hacker Charlie Miller attributed the failure to a tough combination of Windows 7 security features and Chrome’s sandboxing feature. In the past, the main attraction of Google’s sandboxing mechanism was productivity: if one browser tab crashed it didn’t take the rest of the browser along for the ride. But perhaps more important is its ability to isolate malware. Because everything is sandboxed apart from everything else, exploiting a hole in one area doesn’t automatically grant access to the entire browser, cutting off the best exploits.

The setup is similar to how Google has boxed off Android. Although a known flaw in the OS surfaced quickly after Android debuted, at the time, the same Charlie Miller said hackers would find it difficult to exploit–even going so far as saying Android may not need antivirus software:

“If you want to do anything dangerous like access personal contacts, you have to specifically say to the virtual machine ‘these are things I’m going to have to do,’ and the virtual machine will ask the user if that’s OK,” he said.

It gives the user a heads-up about an attack (why would this game need access to my private contacts?), and the ability to shut it down, simply and quickly, by just denying the request.

Seems like a smart way to go. Rather than trying to design a browser or OS against every known (and future) exploit, simply design it so that even if the software gets compromised, very little harm is done. Perhaps Google is the one vendor that’s figured out how to design a browser that’s not only fast but secure.

* * *

Like this post? Visit the Google Subnet home page for more news, blogs and podcasts.

More blog posts from Google Subnet:

  • Browsers: Good, fast or secure. Pick one.

  • Sony, Google play the free card vs. Amazon Kindle

  • Is Google security deceptive/inadequate?

  • Picasa ads provoke interesting search results

  • Quiz: Are you a Google expert?

Sign up for the weekly Google newsletter. (Click on News/Google News Alert.)