45

I've recently read Google Chrome: The End of Drive-By Downloads. Is it true to say that drive-by-downloads are history in Google Chrome?

So if I have a link (from a spam email) I can right-click >> open in new incognito window >> and be 100% sure that there is no virus / damage to my system?

Initially i've asked this question at https://webapps.stackexchange.com/questions/15209/anonymous-links-in-email/15211 but I'm not getting a good answer (and besides the answers are all targeted at phishing-sites whereas my question is targeted at "virus-sites").

Pacerier
  • I don't like this question because any program can be sandboxed if you use the right technology (e.g. Sandboxie). Chrome just has a built-in sandbox, making it user-friendly. Sorry, but you get a -1. – atdre May 16 '11 at 06:59
  • Even if it could be guaranteed that you can't get a virus from visiting a website, you could still end up informing the spammer that your email address is active, as the links and images can have unique IDs. It's certainly something I've seen in marketing email from companies I've willingly given my address to. – Stephen Paulger May 16 '11 at 23:13
  • @atdre hey, read my follow-up: http://security.stackexchange.com/questions/3879/what-abuses-can-an-infected-webpage-do-to-me-if-im-using-chrome-and-flash-is-dis – Pacerier May 17 '11 at 07:27
  • It is very easy to create a batch file or VBScript file using VBScript in IE. These files can do anything on your computer –  Jun 22 '12 at 11:17

3 Answers

37

Short answer: Yes, you can get a virus just by visiting a site in Chrome or any other browser, with no user interaction needed (video demonstration). Even with Chrome you are not 100% secure - and you probably never will be with any browser, but Chrome is getting pretty close to it, and the security research community seems to agree that at this time it is the most secure browser you can use.

Long answer: Chrome, at this time, is the most secure browser that exists on Windows, because of the sandboxing techniques it uses, which add to its security. A good description of this sandbox is here: http://blog.chromium.org/2008/10/new-approach-to-browser-security-google.html although a bit dated. A more recent and technical one is here: http://dev.chromium.org/developers/design-documents/sandbox

The general idea is that a malicious website will have to use two separate exploits to achieve code execution on your PC: the first one exploiting the browser, the second exploiting the sandbox. This has been proven a very hard thing to do - it has never been done.

Your question comes at a nice time: a week ago the security research firm VUPEN claimed that it broke Chrome's sandbox and published the following announcement: http://www.vupen.com/demos/VUPEN_Pwning_Chrome.php If you watch the video, you will see that no user interaction was necessary besides visiting the malicious URL, and a sample application popped up out of nowhere (it could have been a virus instead). The attack description proved to be wrong (but that does not matter much to simple users): the sandbox itself was not breached. It turned out that VUPEN exploited a bug in Adobe Flash Player, which is a plugin almost everybody has installed - and this plugin was not sandboxed. Google's answer is that they are moving and developing fast so that this plugin will eventually be sandboxed in the next versions.

To sum it up: as you could see in the video, you can never be 100% sure that you are safe, so be careful: don't open links when you don't know where they go or don't trust the sites.

Sidenote: NSA recently published a document indicating "Best Practices" for user security on the internet: Among those is the recommendation to use a browser that has a sandbox.

Here is the report: http://www.nsa.gov/ia/_files/factsheets/Best_Practices_Datasheets.pdf

Another sidenote: Internet Explorer 9 is advertised as having a sandbox, but security researchers agree that it is not properly implemented and have demonstrated successful attacks against it.

And a third one: The incognito window has nothing to do with virus protection, but can be useful in certain classes of attacks where cookie stealing or similar is the target because it separates browser instances and isolates information available.

Finally, there are technologies that offer better protection, like Sandboxie and running browsers in virtual machines.

john
  • @john - I'm not sure it's fair to say that exploiting Flash is not "breaking out of the sandbox" when Flash comes built-in to Chrome - the user has no choice in whether or not Flash is installed in that browser, or which version. – Iszi May 16 '11 at 04:20
  • @Iszi Fair point, and that was a huge discussion between the researchers of VUPEN and members of the Google security team some days ago on Twitter. The consensus is that because Flash is not sandbox-protected, they did not break out of the sandbox, so... terminology. The reason VUPEN talked about breaking the sandbox is that they claim they did not know it (?), because it is a fact that Google has never said that plugins are not sandboxed; on the contrary, it has led everyone to believe that they were through this post: http://blog.chromium.org/2010/12/rolling-out-sandbox-for-adobe-flash.html :-) – john May 16 '11 at 09:07
  • @Iszi ..and so Google researchers are claiming that of course VUPEN knew that Flash was not sandboxed, you cannot develop an exploit that hard without knowing what you are doing, but still talked about breaking the sandbox to gain reputation and for other reasons.. While VUPEN are making more or less your point. Anyway, Google is rolling out updates as we speak. – john May 16 '11 at 09:09
  • This is very subjective and unscientific - on what are you basing your claim that Chrome is the most secure browser? There are flaws found in it all the time... And as for sandboxing, Chrome is not the only one (though you did mention IE9, you were baselessly dismissive of it - and IE9 is not the only one). However, there is still some good information in here... – AviD May 16 '11 at 09:39
  • Yes it is subjective and unscientific, but it couldn't be otherwise - there are no papers published comparing browser sandboxes or the security of the latest browser versions! What I am replicating is the consensus of the security research community, and the fact is that the Chrome sandbox has never been breached (at least there is no public knowledge of that), while IE's sandbox has. – john May 16 '11 at 09:50
  • @AviD, in support of @john's often cited claims for Chrome security is also the fact that a flaw has never been found at Pwn2Own, relative to other popular browsers IE8, Firefox and Safari. Of course IE9, Firefox 4 and Opera were not tested in 2011; maybe they will be in 2012 (http://dvlabs.tippingpoint.com/blog/2011/02/02/pwn2own-2011). Another advantage also used to be Chrome's auto-update without user intervention. For ordinary users and companies this is a major advantage, now copied by Firefox and IE9. – Rakkhi May 16 '11 at 14:22
  • You can also cut attack surface by disabling the Flash plugin in Chrome: http://www.simplerna.com/2011/02/how-to-disable-adobe-flash-in-chrome.html . If you have an iOS device and survive fine without flash there this should not be a major sacrifice for some additional security. You can also enable it when needed. – Rakkhi May 16 '11 at 14:27
  • @Rakkhi - What do you mean Firefox & IE 9 copy Chrome's auto-update? I don't use IE 9 much, but I'm pretty sure it still updates through Microsoft Update just the same as all other Microsoft products - meaning that they're at the user's discretion. My personal preference is Firefox 4, which also gives the user *choice* of how (or if) they will receive updates. In Chrome, auto-updates are mandatory as long as you have an Internet connection and use the browser - and that's not necessarily an advantage. http://t.co/wSBkIVI – Iszi May 16 '11 at 17:06
  • @Iszi as you said, Firefox has added an auto-update option. There are also reports like this that Mozilla will start "forcibly" updating older versions: http://www.computerworld.com/s/article/9136698/Mozilla_triggers_Firefox_3.5_auto_update_offer . I think this happened to me at work: IT had not updated Firefox from 3.5, but I got this update option to v4 with no admin rights required. I was a happy bunny that day. I don't use IE either, but it does seem like they have added auto-update: http://tech18.com/ie9-automatic-update-feature-chrome-firefox.html – Rakkhi May 17 '11 at 09:07
  • @Rakkhi - My point is, with Mozilla and Microsoft, browser updates are in the end *optional*. Even the article you link says Mozilla is only forcing the auto-update to *offer* users the opportunity to upgrade their browser. They're never forced to put in a patch that they don't want, or one that may cause the browser to render an essential web application in a way that makes it unusable. Google, on the other hand, offers no choice. You use the browser (and, in some cases, plugin) version that Google gives you, or not at all. – Iszi May 17 '11 at 14:14
  • @Iszi you are right. Google's approach is better for security at the risk of breaking things (although they test well on canary and dev channels before releasing to production). Firefox and IE9 better than what they were but non techs may not update. – Rakkhi May 17 '11 at 14:19
  • While your claim that breaching "Chrome's browser and sandbox has never been done" was true at the time of the post, it should be noted that flaws were found this March - one at Google's Pwnium that required disclosure of the vulnerability and was patched in ~24 hours, and one at Pwn2Own which was not disclosed, and I'm not sure if the vulnerability has been patched or is still out in the wild. http://www.techspot.com/news/47731-google-rushes-out-chrome-patch-for-sandbox-exploit-other-still-lurks.html – dr jimbob Jun 22 '12 at 17:25
12

I don't think we can say drive-by downloads are history (if you're using Chrome). Chrome does implement sandboxing, but it's not impossible to escape the contained process space. The sandboxing and safe browsing only decrease the likelihood of an attacker being successful.

Ben
12

It is admitted that drive-by download attacks occur only thanks to the user's interaction, as was the case, for instance, with the HDD Plus virus, where visitors of the compromised website needed to double-click at least on rad.msn.com banners.

But actually there have been drive-by download attacks that run successfully on IE, Safari, Chrome and Firefox without requiring the user's interaction. For instance, CVE-2011-0611 was a 0-day vulnerability up to April 13th, 2011 (meaning a short while before you asked this question). It was used to infect the homepage of the Human Rights Watch website in the UK. The infected page contains a rogue <script src=newsvine.jp2></script> element. This tricks the browser into caching and executing newsvine.jp2 as JavaScript code. It was a drive-by cache attack, which is just a case of drive-by download attacks. The caching is successful, but the file cannot be executed as JavaScript because it is actually a renamed malicious executable corresponding to a backdoor from the pincav family.

Another rogue script element found on the infected page is <script src="/includes/googlead.js"></script>, which unlike most drive-by download attacks, loads a local .js file. The JavaScript code in googlead.js creates an iframe that executes the SWF exploit from a domain controlled by the attackers.

In the same year you asked this question, there was another example of a drive-by download attack from which no browser was safe as long as it ran a vulnerable version of the JRE at that time (CVE-2011-3544). Thousands of visitors of Amnesty International's homepage in the UK were thus infected by the Trojan Spy-XR malware. The attacks continued until June 2011, so after you asked this question: Google Chrome was not safe from it.

A little bit more than two years after this question, on October 24th, 2013, the famous php.net website was infecting its visitors through a drive-by download attack via a hidden iframe tag. The attack also affected Google Chrome.

Also, you mentioned Google Chrome could be that safe because of its sandbox mechanism: well, all browsers are sandboxed, not only Google Chrome, but they are still vulnerable to drive-by download attacks because of their own vulnerabilities or those of the plugins installed within them.
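As an added, defender-side example (not part of the original answer or of any of the sites it mentions), a small Python scanner that flags the two page-level indicators the answer describes: a script element whose src is not a JavaScript file (the renamed executable served as newsvine.jp2) and a hidden iframe of the kind used to load the exploit. The sample page and the attacker.invalid hostname are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import posixpath

# Extensions a <script src> is expected to carry. Anything else (e.g. a renamed
# executable served as "newsvine.jp2") is treated as a drive-by cache indicator.
SCRIPT_EXTENSIONS = {".js", ".mjs", ""}


class DriveByIndicatorScanner(HTMLParser):
    """Collects <script> elements with non-JavaScript sources and hidden <iframe>s."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (indicator, src) tuples

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "") for name, value in attrs}
        if tag == "script" and attrs.get("src"):
            ext = posixpath.splitext(urlparse(attrs["src"]).path)[1].lower()
            if ext not in SCRIPT_EXTENSIONS:
                self.findings.append(("script-non-js-src", attrs["src"]))
        elif tag == "iframe":
            style = attrs.get("style", "").replace(" ", "").lower()
            hidden = (
                attrs.get("width") == "0"
                or attrs.get("height") == "0"
                or "display:none" in style
                or "visibility:hidden" in style
            )
            if hidden:
                self.findings.append(("hidden-iframe", attrs.get("src", "")))


def scan_html(html):
    """Return the list of (indicator, src) findings for one HTML document."""
    scanner = DriveByIndicatorScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page (hostname is a placeholder) mirroring the pattern in
# the answer: an unquoted non-.js script source, a benign local script, and a
# zero-size iframe pointing at an attacker-controlled origin.
SAMPLE_PAGE = """<html><body>
<script src=newsvine.jp2></script>
<script src="/includes/googlead.js"></script>
<iframe src="http://attacker.invalid/exploit.html" width="0" height="0"></iframe>
</body></html>"""

if __name__ == "__main__":
    for indicator, src in scan_html(SAMPLE_PAGE):
        print(f"{indicator}: {src}")
```

The local googlead.js is deliberately not flagged by this check, since a legitimate-looking .js file only becomes suspicious by what it does (here, writing the iframe), which requires inspecting its contents rather than the page markup.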