
Chromium Blog: A Tale Of Two Pwnies (Part 2) - cleverjake
http://blog.chromium.org/2012/06/tale-of-two-pwnies-part-2.html
======
jmillikin
Is anyone else dismayed by the implicit view of these sorts of articles, that
browsers should be complicated and full of all these insecure features?

It reminds me strongly of PDF and Acrobat. PDF is great for mailing around
print-ready documents, which are more-or-less guaranteed to look the same for
every viewer. Writing a PDF renderer is not easy, but it is straightforward,
and there are multiple stable implementations without significant security
problems.

Then Adobe comes along and they add forms, and 3D charts, or JavaScript, or
multimedia, and Acrobat grows from a document viewer into what is essentially
a backdoor on every Windows computer.

A similar thing is happening with browsers. The core purpose of a web browser
is the ability to render HTML+CSS into a human-readable document. Then browser
vendors added forms and JavaScript, so XSS was invented. They added persistent
data storage, so looking at cat pictures can compromise my bank account. And
now, Chrome+Firefox are /competing/ to see who can add more features, security
be damned.

WebGL exposes your graphics drivers (never security-audited before) to the
internet. <audio> and <video> expose multimedia codecs, which in the past have
caused numerous security problems. Flash is, essentially, a cross-platform way
to let arbitrary people run exploits on your machine.

When will it stop? When will browser vendors take a collective breath, look
around, and realize the insanity they've been perpetrating?

~~~
azakai
> Is anyone else dismayed by the implicit view of these sorts of articles,
> that browsers should be complicated and full of all these insecure features?

You're taking a position 100% against all additions to web browsers, it seems.
And some people responding to you are taking the 100% opposite position. But
there is a middle ground.

Browsers should include the _minimal_ amount of technology possible, and
strike a compromise between number of features and security (because more
features always means less security). What the right compromise is, is of
course debatable.

But I don't want to just say "extremes are wrong, the right middle way is
best" in a generic manner because that's always true. More specifically,
Google is the browser vendor including the most nonstandard technologies these
days, and therefore incurring the most risk. For example, NaCl, WebSQL, a
large extension API (even including things like text to speech), a closed-
source PDF reader, Adobe Flash, Chrome Web Store frontend, and apparently soon
Dart. All those things add to the attack surface of Chrome, I would argue
needlessly.

Of course other browsers are guilty of similar things, just to a lesser
extent. At least Microsoft does not bundle Silverlight with IE (but it will
apparently bundle Flash...).

~~~
jmillikin
I don't think my position is extreme. I'm not advocating for a removal of all
browser features, merely removal of those which are unrelated to the browser's
core purpose of document navigation and rendering.

If browser vendors spent less money on implementing audio synthesis or OpenGL,
they could spend more on font rendering, SPDY, and standards compliance.

~~~
quanticle
> I don't think my position is extreme. I'm not advocating for a removal of all
> browser features, merely removal of those which are unrelated to the browser's
> core purpose of document navigation and rendering.

The view that a browser's core purpose is document rendering and navigation
was laughably out of date in 2000. It is simply an invalid opinion today.
Users and developers can and do expect browsers to be fully-functional
sandboxed runtimes that can host everything from mail clients, to mapping
applications to games.

But if you want your browser to be nothing more than a document rendering
engine, no one is forcing you to use Firefox. w3m and xxxterm, for example,
both fulfill this role quite admirably.

~~~
jmillikin
> But if you want your browser to be nothing more than a document rendering
> engine, no one is forcing you to use Firefox. w3m and xxxterm, for example,
> both fulfill this role quite admirably.

No they don't, not even close. Firefox and Chrome are years ahead of them in
important features like CSS, fonts, and graphics.

~~~
tedunangst
w3m, yes. But xxxterm is basically WebKit with vi keybindings, so I don't
think Chrome can be all that many years ahead.

------
tptacek
Once again, there are two ways of reading this story. One way is from the
attacker's perspective, baffling yourself as to how Glazunov could have found
all these bugs and assembled them in the right order. The other is from the
defender's perspective, gaining an appreciation for how well the security
model is working that it takes an exploit this intricate to break it.

Either way, you're doing something right when your documentation of a security
vulnerability in your product actually serves to market the security of that
product. The Chrome security team is doing a lot of stuff right.

~~~
tedunangst
For this exploit, the security defenses didn't impress me as much. The
immediate question I have is why are there chrome:// URLs at all? It seems you
could achieve a much stronger sandbox by using native UI controls that are
simply not attached to the webview. Then it would not be possible to trick it
into making a same origin mistake.

I mean, this is standard advice for web apps and services, right? You build
the control interface completely outside the main user app.

~~~
aboodman
There are a lot of answers to this question:

1) From a UX perspective, we prefer to have the majority of the UI within a
tab. We don't want to build up an entirely separate UI hierarchy outside tabs.

2) We tried putting native UI within a tab in early versions of Chrome, and it
did not feel right. There was an uncanny valley effect. If the content of a
tab doesn't feel like HTML, it feels wrong. And it isn't practical to emulate
the feel of HTML perfectly with native code.

3) The Chrome team puts a lot of engineering effort into making the web
platform as strong as it can be. We would like to eat our own dogfood when
possible.

~~~
DanBC
Off topic but:

I don't understand why on (chrome://chrome/settings/) I have blue links, blue
underlined links, and buttons. I guess I could figure it out, but the meaning
is opaque to me at the moment.

------
kvnn
Google has changed the relationship between exploiters and themselves into
something symbiotic and fun.

How refreshing it is to hear excitement and admiration when a large tech
company speaks about an exploit made in one of its products.

Super awesome.

[ See <http://blog.chromium.org/2012/02/expanding-chromium-security-rewards.html> ]

------
datr
In Part 1 it's mentioned that they held up publishing this issue as it affects
many other products:

"While these issues are already fixed in Chrome, some of them impact a much
broader array of products from a range of companies. So, we won’t be posting
that part until we’re comfortable that all affected products have had an
adequate time to push fixes to their users."

Presumably this is referring to other WebKit browsers and the wordpad.exe
exploit. Does anyone know if these problems have been fixed yet?

~~~
tedunangst
The wordpad exploit, unless I'm mistaken, is basically just the equivalent of
LD_PRELOAD. As such, there's nothing to fix.

This may be of some interest, as there's some discussion of when it's an
exploit and when it's just the way things are supposed to be.
<http://news.ycombinator.com/item?id=3005832>

------
mcot2
The idea of "perfect security" is a myth. The best approach to security is
doing exactly what Google is doing:

Off the top of my head:

1.) Spend a lot of time and money on security engineering.
2.) Constantly update; make sure it is not a hassle for users to update.
Preferably force them to update; design with patching and updates built in and
with minimal impact.
3.) Hire/pay a lot of people to try to break your shit.
4.) Keep a keen eye out for undisclosed vulnerabilities/exploits on the black
market and have an easily accessible reporting mechanism for white hats whom
you do not pay.
5.) Notify the crap out of your users when something goes wrong.

You can easily see why programs such as old versions of Adobe Flash and Reader
were terrible from a security perspective if you try to compare them to the
above criteria.

Talking about complexity and operating system design opens up a new can of
worms. With iOS I think Apple is taking the extreme approach, which works for
like 99% of people who are not power users...

1.) Isolate everything.
2.) No third-party apps that Apple does not approve.
3.) Everything is digitally signed.
4.) Limit apps from running other code.
5.) Be able to kill-switch apps or wipe the device remotely.

------
vibrunazo
$60k seems kind of cheap after reading all that.

~~~
rosstafarian
Yeah, it's a pretty amazing hack. I believe the guy who wrote it is a
university student from Russia (who also found other holes in Chrome), so for
him the $60k will go quite a bit further than for someone else, and the
prestige/job offers associated with it will go even further than that.

When the event was going on, another group called VUPEN (a French company that
deals in selling 0day exploits to govts) that found a hole in Chrome during
that contest refused to give up their method when offered $120k instead of
$60, and their CEO half-jokingly said he might give it up for the entire
million dollars' worth of prizes Google was offering.

------
petegrif
Mind blowing. And so great you publish it all to improve the product.

