Remember last month, when all the Internet was crowing about how “no one even attempts hacking Chrome” at Pwn2Own, an annual hacking contest with a primary focus on Web browsers?
The implication was, of course, that the Chrome Web browser cannot be hacked; or, at least, that its architecture is so good, and that hackers know this so well, that Chrome somehow becomes the Sword In The Stone, if not the Holy Grail.
This, of course, is nonsense. Fast-forward to today, where Google announces patches to three major Chrome security holes.
While Google isn’t revealing the specific nature of the three holes — “the referenced bugs may be kept private until a majority of our users are up to date with the fix” — their titles alone are alarming: “cross-origin bypass” suggests it’s pretty easy to spoof / forge where a request comes from; and all “memory corruption” causes concern about at least forced crashing, if not unauthorized access to system privileges.
Is Chrome a bad browser? Hardly. Has it had problems? It sure has. Did the refusal of hackers to go after Chrome during Pwn2Own mean Chrome is invincible? Not at all.
For one, there’s money to be made at this competition, and time is limited, so it only makes sense to go after the browsers you know can be compromised easily: Internet Explorer, Firefox and Safari, which was most easily hacked in previous Pwn2Own contests and leverages the same base technologies — WebKit and Chromium — used to power Google Chrome.
For another, these other browsers have been out longer and are used more widely than Chrome. That means knowledge of how they are built, information about glitches that could prove to be exploitable, etc. is greater.
Or I may be completely wrong. It could be that Chrome is, indeed, completely feared within the black- and white-hat communities alike.
Whatever the case, my point is that Google is not infallible, Chrome can be exploited, and why no one bothered to try to do so during a specific competition is hard to say.
Take with a grain of salt the hype you hear about hacking and security, especially if it’s proclaimed loudly. Anything complex is vulnerable to compromise and collapse, be it the Mayan civilization or even the Oracle DB server. Chrome is no different.
All links in this post on delicious: http://delicious.com/dougvdotcom/googles-web-browser-has-its-problems-too