Google’s Chrome Browser has a Zero Day – So?
by Neil MacDonald | May 13, 2011
I saw this article recently describing an attack against one or more zero day vulnerabilities in Google’s Chrome browser. Worse, the attack reportedly is able to break outside of the “sandbox” (created by the use of mandatory integrity controls within Windows) and execute code at a different trust level. The attack is reportedly not stopped by ASLR or DEP either.
The firm that demonstrated the attack, Vupen, doesn’t disclose the vulnerabilities to the vendors and instead charges its customers for access to its intelligence. So, at this point there are no patches available since Google won’t be able to fix the vulnerabilities until it has more detailed information.
There are a few lessons from this news:
- Google’s code writers are human, just like any other vendor’s. Their code will have zero days, just like Microsoft’s, Apple’s, Oracle’s and every other software provider’s.
- Should you switch browsers? Hardly. Our advice remains to standardize on two or more browsers.
- At some point, Google will have a patch for the underlying vulnerabilities in Chrome. Does your patching process extend to alternative browsers? If not, are you aware that Google’s Chrome (and Firefox, for that matter) installs and runs even when users are configured as “standard user”, with no administrator rights? It is quite possible that you have large numbers of Chrome and Firefox users you simply aren’t aware of.
- DEP, ASLR and similar features of the Windows OS raise the bar for attackers, but they aren’t silver bullets. There are no silver bullets. Moreover, even though the Windows OS provides these protections, not all software is built to opt in to them. Ask your software vendors whether they support these protection mechanisms explicitly.
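A defender-side check that goes with the last point, added here and not part of MacDonald’s post: rather than taking the vendor’s word for it, read the DllCharacteristics field of a Windows executable’s PE optional header and see whether the image opts in to ASLR (DYNAMIC_BASE) and DEP (NX_COMPAT). The sample header is constructed inline by the build_min_pe helper, which is an assumption for offline demonstration; point the script at real .exe/.dll files to audit them.

```python
import struct
import sys

# Opt-in flags in IMAGE_OPTIONAL_HEADER.DllCharacteristics (PE format spec)
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image may be relocated: ASLR
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # image is DEP/NX compatible


def pe_mitigations(data: bytes) -> dict:
    """Parse a PE image and report which exploit mitigations it opts in to."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]       # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    opt_off = pe_off + 4 + 20                                # 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic not in (0x10B, 0x20B):                          # PE32 / PE32+
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ headers.
    flags = struct.unpack_from("<H", data, opt_off + 70)[0]
    return {
        "aslr": bool(flags & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(flags & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "dll_characteristics": flags,
    }


def mitigation_report(name: str, data: bytes) -> str:
    """One-line verdict: the flags only say the image opts in; Windows still
    decides enforcement (system DEP policy, and ASLR needs relocation data)."""
    m = pe_mitigations(data)
    missing = [k.upper() for k in ("aslr", "dep") if not m[k]]
    return f"{name}: " + ("ASLR+DEP opted in" if not missing
                          else "missing " + ", ".join(missing))


def build_min_pe(dll_characteristics: int, magic: int = 0x10B) -> bytes:
    """Constructed, non-runnable minimal PE header used as sample input."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 96, 0x0102)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for path in sys.argv[1:] or []:
        with open(path, "rb") as f:
            print(mitigation_report(path, f.read()))
```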