Tag Archives: IE8
ReadWriteWeb is reporting that the beta of Firefox 3.6.3, dubbed Lorentz, is testing a new feature in the browser where plugins are isolated by tab in the event that they crash. This allows a single unstable tab to crash instead of the whole browser. This may sound familiar to those who use Chrome, and will be a new feature in a future stable release of Firefox.
What’s funny is that rival browsers are making no bones about taking Google’s browser ideas and turning them into their own. Microsoft’s IE8 InPrivate, which is the same thing as Chrome’s Incognito mode, comes to mind. Witness the crash screen in Lorentz compared to Chrome’s:
Heading down this path is great for browsers overall, but it seems funny at times when you see competing browsers copying Chrome’s functions in order to keep up with its frenetic pace of development. Indeed, Chrome has quickly gone from version 1.0 in 2008 to 4.0 stable a few months ago.
One of the reasons for early adoption has been Google’s decision to auto-update Chrome. While initially this was heavily criticized, you can see here how fast Chrome has migrated to newer versions because of this functionality:
You can try out the new Firefox Lorentz by downloading it from here. Lorentz only isolates QuickTime, Flash, and Silverlight as their own processes. You can, however, customize it to do so for other plugins such as Adobe Reader through these instructions.
In a video that is meant to show off the security features of Internet Explorer 8, Product Manager Pete LePage takes aim at the Chrome browser. He claims that because IE8 lets users search in a separate box rather than in an all-in-one input box, as Chrome does, Google is possibly compromising a user’s security by reporting every term back to Google.
“By keeping these boxes separate, your privacy is better protected and the addresses of the sites you’re visiting aren’t automatically shared with Microsoft, or anyone else,” LePage says in the video.
“As I start to type an address into the address bar, Fiddler [a Web debugging proxy] shows that for nearly every character I type, Chrome sends a request back to Google,” LePage says. “I haven’t even hit enter yet to load the website and Google is already getting information about the domain and sites I’m visiting.”
This is only partially true. You can change your search provider in Chrome, and when you do, what you type into the Omnibox is sent back to the engine of your choosing. Just because IE8 has two separate boxes for these functions does not make it safer.
The option for sending information back to Google when you start typing into the Omnibox can be turned off by following these instructions. I know this because I downloaded Fiddler myself and tried it to make sure.
LePage also goes on to promote the virtues of IE8’s InPrivate feature, which allows users to surf the web anonymously. Interestingly, this feature sounds eerily similar to Chrome’s Incognito mode, which has been a part of Google’s browser since 2008.
Look, there’s no doubt here that Internet Explorer is facing a decline in market share. A recent graph out by Net Applications shows that Internet Explorer is dropping while Chrome is gaining. At the same time, competitors like Safari (which can be traced to Mac adoption), Firefox and Opera are filling in the space where users once had Internet Explorer as their preferred browser. If Microsoft does not go on the offensive with videos like this they risk losing even more market share.
Expect Microsoft to heavily market IE8 and eventually IE9. They would also do well to keep copying key elements of other popular browsers if they hope to stay relevant, one of the other “industry standard” practices LePage talks about in the video.
While news has been sparse since Day 1 of Pwn2Own, word is that Chrome was the only major browser to make it through the entire competition unscathed. That means it even got through the vaunted Windows XP Day 3, where many expected that Chrome would be exploited by using some of XP’s inherent holes. Not to mention that, service packs notwithstanding, XP is nine years old.
Major browsers such as IE8, Safari and Firefox were hacked within minutes of the start.
Pwn2Own, by the way, is a contest that awards “researchers” cash prizes for successfully hacking computer platforms – prizes in the range of $10,000 to $15,000 plus the computer that was hacked.
OK, so Chrome made it through. But let’s think about this. Chrome has only been out since 2008, and there still aren’t that many users who have adopted it yet. W3schools, a web developer site, cites an 11.6% rate of users who visit their site as running Chrome for February 2010. And that is a site for early adopters of web technology! The real number for the entire web population is probably closer to five percent. That may be one of the reasons that researchers have yet to find vulnerabilities in it: they hack what they know, which are the other browsers out there.
Of course, there is also the idea that the other browsers on the market are simply weaker than Chrome which is also a possibility. There was some stir in the days leading up to the contest that Google quickly patched up a slew of security flaws in what was seen as a pre-emptive move. But when you are actually awarding outside experts with cash when they see a flaw in Chrome, it’s probably easier to patch up things that may be hard to see when they are right in front of you.
Yesterday’s first day for the Pwn2Own contest came and went literally for the Chrome browser. The competition, which pits security-minded hackers against web browsers, operating systems and mobile phone platforms, did however do a number on Apple products. Apple’s Safari browser was hacked on both Snow Leopard and the iPhone, while Charlie Miller, a previous winner, snagged ten grand by remotely taking control of Safari on a MacBook Pro. Miller is the one who was quoted a while ago saying that Chrome 4 without Flash on Windows 7 was the most secure computing environment out there today.
Also, IE8 on Windows 7 was successfully hacked on the first day of Pwn2Own, with researcher Peter Vreugdenhil getting past Windows 7’s Data Execution Prevention (DEP) and address space layout randomization (ASLR) to exploit IE8. An hour after that, a freelancer named Nils was also able to use those same Windows vulnerabilities to hack Firefox 3.6.
Yesterday was the day for Windows 7, and today the competition will face Vista, with tomorrow highlighting XP. Will Chrome fall on a less secure system? We shall see. Here is the complete three-day schedule for Pwn2Own:
The target pairings for day one are:
- Microsoft Internet Explorer 8 on Windows 7
- Mozilla Firefox 3 on Windows 7
- Google Chrome 4 on Windows 7
- Apple Safari 4 on MacOS X Snow Leopard

The target pairings for day two are:
- Microsoft Internet Explorer 7 on Windows Vista
- Mozilla Firefox 3 on Windows Vista
- Google Chrome 4 on Windows Vista
- Apple Safari 4 on MacOS X Snow Leopard

The target pairings for day three are:
- Microsoft Internet Explorer 7 on Windows XP
- Mozilla Firefox 3 on Windows XP
- Google Chrome 4 on Windows XP
- Apple Safari 4 on MacOS X Snow Leopard
Most top prizes are in the $10,000 range, and the hardware that is hacked is also awarded. There is also a focus on these mobile platforms (and, as we said, the iPhone has already been hacked):
- Apple iPhone 3GS
- RIM Blackberry Bold 9700
- Nokia E72 device running Symbian
- HTC Nexus One running Android
We’ll keep you posted, especially on the Google-related products.
Best known as the hacker who is able to consistently deliver results in the Pwn2Own contest, which awards contestants for successfully exploiting OS vulnerabilities, Charlie Miller gave an interview recently and shared his thoughts about the most secure computing platform for users. While he was unable to comment on Chrome OS (he said he didn’t have enough info yet), his thoughts on the best browser and OS were of interest.
“Chrome or IE8 on Windows 7 with no Flash installed. There probably isn’t enough difference between the browsers to get worked up about”, Miller told oneitsecurity. And while we agree with his point, it stands out that he would find that IE8 is comparable to Chrome in any way other than security. Chrome offers a better UI, is faster and has far better web compliance scores.
He discussed the potential of hacking Linux, saying that it would be relatively easy to pull off. But the low adoption rate of Linux has inhibited any motivation for researchers to try to point out flaws that are inherent to the system. Chrome OS is based off of a flavor of Linux, so it will be interesting to see how it evolves from the perspective of security.
Miller is clearly not impressed by Flash, and that’s no surprise. With Pwn2Own’s 2010 contest coming up, the focus this year is going to be on exploiting mobile phones. That would probably be made easier if some of these platforms like the iPhone actually had Flash, so expect Android to be a big target with a lot of entrants trying to win the big prize by hacking that platform. The total prize allocation for the contest is set at $100,000.