Several weeks ago, every security researcher at CanSecWest Pwnium 3 in Vancouver failed to crack Google's Chrome OS, even after the deadline was extended from 2pm to 5pm at the researchers' request. Unfortunately, the Chrome browser itself was compromised by MWR Labs at Pwn2Own 2013, which was sponsored by HP and Google. This contest proved that Google Chrome was vulnerable.

The following is our analysis of Chrome browser security:

Chrome browser was developed by Google and is now one of the most popular web browsers in the world. It integrates Google Search, YouTube and many other Google proprietary services. For personalization, the Chrome Web Store provides abundant extensions that modify and enhance the functionality of the browser.

Extensions are small software programs that bundle all their files (manifest.json, images, JavaScript and CSS) into a single package that the user downloads and installs. This bundling means that, unlike ordinary web apps, extensions do not need to depend on content from the web.

manifest.json provides important information about the extension, including its name, description, version, default language and permissions.

The full list of supported manifest fields is documented at http://developer.chrome.com/extensions/manifest.html.

The only fields that are always required are name and version. Here we take content_scripts, permissions and update_url to explain their attributes and functions:

content_scripts: JavaScript files that run in the context of web pages. Through the standard Document Object Model (DOM), they can read details of the web pages the browser visits, or make changes to them.

update_url: the URL the browser checks for updates to the extension.

permissions: To use most chrome.* APIs and extension capabilities, an extension must declare its intent in the manifest, usually in the "permissions" field. For example, Google Mail Checker must have the following two permissions:

1. Access your data on *google.com

2. Access your tabs and browsing activity

A user might see a dialog requesting permissions when installing an extension. If the permissions are assigned improperly and the content_scripts include malicious code, the extension can do anything to your system.

For example, a malicious extension automatically posts and spreads malicious links on Facebook (Security Alert 2013-02-06: Watch out for Facebook video link). Such an extension can also update itself automatically through the "update_url" setting and switch to another malicious task.
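The three manifest fields described above (permissions, content_scripts and update_url) are exactly the places a reviewer looks at before trusting an extension. The following JavaScript is an added example, not code from the original post or from Google: it reads a manifest object and flags host permissions that cover every site, content scripts injected into every page, broad API permissions, and an update_url that does not point at the Chrome Web Store. The Web Store update endpoint and the permission names are Chrome's own; the two manifests at the bottom, their names, file names and update host, are constructed for illustration.

```javascript
// Added example (not part of the original post): a small manifest audit that
// applies the checks discussed above to an extension's manifest.json before
// installation. Permission names and match patterns are Chrome's; the two
// manifests at the bottom are constructed for illustration.

// Update endpoint used by extensions distributed through the Chrome Web Store.
const WEB_STORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx";

// API permissions that reach beyond a single site (tabs/history expose browsing
// activity, webRequest sees every request, management controls other
// extensions). Which names count as "broad" is this example's own choice.
const BROAD_API_PERMISSIONS = new Set([
  "tabs", "history", "cookies", "webRequest", "webRequestBlocking",
  "management", "nativeMessaging", "debugger",
]);

// A host pattern that matches every site: "<all_urls>", "*://*/*",
// "http://*/*" or "https://*/*". A scoped pattern such as
// "*://*.google.com/*" does NOT match here.
function isWildcardHost(pattern) {
  return pattern === "<all_urls>" || /^(\*|https?):\/\/\*\//.test(pattern);
}

// Returns a list of human-readable findings; an empty list means nothing
// in the manifest looked out of proportion for a simple extension.
function auditManifest(manifest) {
  const findings = [];

  for (const p of manifest.permissions || []) {
    if (isWildcardHost(p)) {
      findings.push(`permissions: "${p}" grants access to data on every site`);
    } else if (BROAD_API_PERMISSIONS.has(p)) {
      findings.push(`permissions: "${p}" exposes browser-wide data or control`);
    }
  }

  (manifest.content_scripts || []).forEach((cs, i) => {
    if ((cs.matches || []).some(isWildcardHost)) {
      const files = (cs.js || []).join(", ") || "(no js listed)";
      findings.push(`content_scripts[${i}]: ${files} will run in every page the browser visits`);
    }
  });

  if (manifest.update_url && manifest.update_url !== WEB_STORE_UPDATE_URL) {
    findings.push(`update_url: "${manifest.update_url}" is not the Chrome Web Store, so future code comes from a third party`);
  }

  return findings;
}

// Constructed manifest modelled on the two permissions quoted above for
// Google Mail Checker; name and version are placeholders.
const MAIL_CHECKER_LIKE = {
  name: "Example Mail Checker",
  version: "1.0",
  permissions: ["tabs", "*://*.google.com/"],
  update_url: WEB_STORE_UPDATE_URL,
};

// Constructed manifest with the shape of the Facebook spam extension described
// above: runs on every page, reads every request, updates from its own server.
const SUSPICIOUS = {
  name: "Free Video Player", // placeholder name
  version: "0.1",
  permissions: ["tabs", "<all_urls>", "webRequest"],
  content_scripts: [{ matches: ["http://*/*", "https://*/*"], js: ["inject.js"] }],
  update_url: "http://updates.example.invalid/crx", // placeholder host
};

for (const m of [MAIL_CHECKER_LIKE, SUSPICIOUS]) {
  console.log(`${m.name}:`);
  const findings = auditManifest(m);
  if (findings.length === 0) console.log("  nothing to flag");
  for (const f of findings) console.log("  - " + f);
}
```

Run with `node audit.js` after saving the block (the file name is arbitrary). The mail-checker-like manifest produces a single finding ("tabs", which is the "browsing activity" entry in the install dialog), while the suspicious one produces five; the point is not that "tabs" is forbidden, but that a user comparing the install prompt against what the extension claims to do should expect the number of broad grants to match the job.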

Chrome has supported extensions since version 4.0. Extensions were easy to develop, but also easy to exploit. Older versions of Google Chrome allowed related extensions to be installed automatically when a Windows application was installed, which made it easy to install malicious extensions on a victim's system without the user's permission.

Therefore Google Chrome has tightened extension management since version 25.0: only extensions from the Chrome Web Store can be installed, automatic installation is no longer allowed, and every extension must be approved by the user before installation. However, there is no assurance that all extensions in the Chrome Web Store are secure.

On Facebook, the attacker pretends to be the victim's friend and shares attractive content to lure the victim into clicking a hyperlink and installing the malicious extension. The victim's account then posts many malicious links to his friends, so the malicious extension spreads continuously through victims' curiosity. The victim assumes his account has been stolen and changes his password, but that does not help: the victim has to remove the malicious extension from the Chrome browser.

For a more detailed scenario, please refer to our previous posts:

Security Alert 2013-02-06: Watch out for Facebook video link

Security Alert 2013-02-22: Malicious Chrome extensions

Web browser plug-ins are additional pieces of software that add extra capabilities to your web browser, such as the ability to view movies, run Java applets, or see Flash animations. Unfortunately, since plug-ins run with all the privileges of real applications, they can do absolutely anything to your computer. Over the past year, many 0-day vulnerabilities were reported in Java, and many security experts strongly recommend disabling it.

As the analysis above shows, extensions and plug-ins are the two weak points of the Chrome browser. To make Chrome more secure, the Chrome Web Store should inspect all extensions strictly. Moreover, we would like to remind our customers:

1. Do not install any extension from an untrusted source.

2. Check whether the permissions an extension requests at installation time are reasonable for what it claims to do.

3. Do not install unnecessary plug-ins. If you have any plug-ins installed, keep them up to date.

by AegisLab