New browser on the block (Google Chrome)

[Jaded]

Loving the "incognito" function....

Why do all the browsers claim that incognito functions are for planning surprise birthdays?

BTW - what are you looking at rae?? 

Joy of Tech explains

[andyoxon]

I've given it a whirl, and will probably stick to Firefox 3.  Is Chrome faster than Firefox? I couldn't see any diffs, perhaps I didn't try very 'hungry' sites... 

[andyoxon]

They've still got some work to do:

Zero Day mobile edition


"
Raff has cooked up a harmless demo of the attack in action, showing how a Google Chrome users can be lured into downloading and launching a JAR (Java Archive) file that gets executed without warning.
"

Is it best not to use beta versions for online purchases/banking?

[Greenbank]

Is it best not to use beta versions for online purchases/banking?

Simply put:-

If you use the Beta of Google Chrome to visit a webpage where someone has decided to exploit this bug for malicious purposes then it could have downloaded and installed anything it likes on your computer.

Sophisticated keyloggers, mouse position loggers, screen grabbers, network sniffers, zombie clients, etc.

Even if you then use IE, FireFox or Safari to connect to your webmail, online banking, work websites, etc the information could still be grabbed and uploaded to someone else.

However, you've still got to visit a dodgy webpage in the first place, but that's why nasty people spend a lot of time hacking legitimate websites (remember the ASSOS website was recently flagged as dodgy by Google) as they need as many people as possible to succumb to the original infection vector.

Personally I wouldn't touch it with a bargepole. If I did it'd be inside a handy VMWare "Scorched Earth" type sandbox.

[Gattopardo]

Is it best not to use beta versions for online purchases/banking?

Simply put:-

If you use the Beta of Google Chrome to visit a webpage where someone has decided to exploit this bug for malicious purposes then it could have downloaded and installed anything it likes on your computer.

Sophisticated keyloggers, mouse position loggers, screen grabbers, network sniffers, zombie clients, etc.

Even if you then use IE, FireFox or Safari to connect to your webmail, online banking, work websites, etc the information could still be grabbed and uploaded to someone else.

However, you've still got to visit a dodgy webpage in the first place, but that's why nasty people spend a lot of time hacking legitimate websites (remember the ASSOS website was recently flagged as dodgy by Google) as they need as many people as possible to succumb to the original infection vector.

Personally I wouldn't touch it with a bargepole. If I did it'd be inside a handy VMWare "Scorched Earth" type sandbox.

Wouldn't a good firewall, spyware stuff cover this?

[Greenbank]

Wouldn't a good firewall, spyware stuff cover this?

Yes, to some extent, but you still have to be careful.

Spyware hunters can only find what they've been told to look for. If you get infected before the Spyware stuff has been updated you're vulnerable. Plus the signature of the spyware can quickly be changed so that it is no longer picked up by the Spyware.

Firewalls will only stop what you tell them to stop. If you have a blanket permit all outgoing web-traffic rule then that could be the way the data gets out. Does your firewall allow outgoing emails? etc

Anyway, all theoretical, and all browsers are vulnerable in different and still be discovered ways. I'd just be very worried about using a beta browser with such a public, and easily exploited, bug.

If you were devious and wanted to infect the maximum number of "people" in the shortest possible time then this is it. There are millions of people trying this browser right now and this fact will not be lost on the ID theft criminals.

[Gattopardo]

Wouldn't a good firewall, spyware stuff cover this?

Yes, to some extent, but you still have to be careful.

Spyware hunters can only find what they've been told to look for. If you get infected before the Spyware stuff has been updated you're vulnerable. Plus the signature of the spyware can quickly be changed so that it is no longer picked up by the Spyware.

Firewalls will only stop what you tell them to stop. If you have a blanket permit all outgoing web-traffic rule then that could be the way the data gets out. Does your firewall allow outgoing emails? etc

Anyway, all theoretical, and all browsers are vulnerable in different and still be discovered ways. I'd just be very worried about using a beta browser with such a public, and easily exploited, bug.

If you were devious and wanted to infect the maximum number of "people" in the shortest possible time then this is it. There are millions of people trying this browser right now and this fact will not be lost on the ID theft criminals.

Would you say running this beta that you run the same risks as running firefox beta or IE8 beta?

[Greenbank]

Would you say running this beta that you run the same risks as running firefox beta or IE8 beta?

No, for various reasons, not limited to:

1) Neither of those can be abused by the highly advertised exploit.
2) The exploit is pretty fundamental. Download and run any jar file without the user having any knowledge this has happened. That's a very big wide open door with a big neon sign saying "Kick me."
3) Many more people will be downloading Chrome than going for FF or IE8 betas because of all the Hype.

It's a combination of the hype regarding Chrome and the exploit.

I'd bet a reasonable sum that there are people out there specifically working on something for injecting keyloggers/password sniffers/etc via this exploit. Next step is to get this dodgy code on as many websites as possible.

The flaw was discovered within one day of Chrome's release.

[bobajobrob]

Some news about Linux and Mac OS X versions:

Google has made the Chrome source available under a permissive BSD license so that it can be incorporated into both open and proprietary software programs. Detailed build instructions are available for Windows, Linux, and Mac OS X. The Linux port is still in early stages of development and is not yet fully functional.

   Google unveils Chrome source code and Linux port

[bobajobrob]

Raff has cooked up a harmless demo of the attack in action, showing how a Google Chrome users can be lured into downloading and launching a JAR (Java Archive) file that gets executed without warning.

Sophisticated keyloggers, mouse position loggers, screen grabbers, network sniffers, zombie clients, etc.

Only if you have 2GB RAM installed Also you'll know when it happens as your machine will grind to a halt.

[Greenbank]

Raff has cooked up a harmless demo of the attack in action, showing how a Google Chrome users can be lured into downloading and launching a JAR (Java Archive) file that gets executed without warning.

Sophisticated keyloggers, mouse position loggers, screen grabbers, network sniffers, zombie clients, etc.

Only if you have 2GB RAM installed Also you'll know when it happens as your machine will grind to a halt.

I know it was a joke, but JAR files are just .zip files. The executed Java code can extract or download anything it wants. Even stuff written in a proper language not some itty-bitty bytecode bollocks.

(Bile brought to you by today's JVM incompatability problems that have wasted half a day's "productivity".)

[bobajobrob]

Would you say running this beta that you run the same risks as running firefox beta or IE8 beta?

The proof of concept requires user action to run the code. So not that bad if you know never to download files from sources you don't trust.

[bobajobrob]

(Bile brought to you by today's JVM incompatability problems that have wasted half a day's "productivity".)

What was it, bytecode incompatibilty or a problem with different versions of some API or library?

[agagisgroovy]

I've got it, but it won't let me play Runescape. 

[harvey]

After a month of using Chrome I've really taken to it.  It seems very fast, I like the feature of having your most visited websites at hand, and the incognito view is pretty cool.  Sometimes when I back-page it gives this 'confirm form resubmission' and I have to reload the page which is a bit annoying.  Is there a way around this?

[Greenbank]

Slashdot | Google's Chrome Declining In Popularity

The lack of NoScript is the killer.

[TimO]

I like it, but currently, no AdBlock, no NoScript, and no rescaling of images when I change the font size with Ctrl + and Ctrl -, so I'm waiting for those to improve.

[rae]

Yes, the lack of adblock is very annoying.

On the plus side, it doesn't leak memory, so is better than firefox in some respects. 

For all of the much vaunted one process per tab, I find it locks the whole UI far more often than Firefox.  It generally recovers, but it is annoying while it happens. 

[TimO]

I don't want to disable image zooming in Firefox, I like it.  I want it in Chrome.

My laptop screen has a very high resolution, and the fonts are tiny by default (even with the larger font selected in the Windows setup).  If images don't rescale with the font, then things like smilies look rather odd.

That is the great bit about FF, you have the facility and you can disable it if you don't like it.  Until Chrome introduces some of this stuff, and to be fair rescaling of images is a minor point, I'll stick with FF, the only real advantage Chrome has at the moment is speed, and FF isn't that slow.