Chrome apes IE8, adds clickjacking, XSS defenses
Adds five new security features to Chrome 4, including two IE8 debuted last March
Computerworld - Google yesterday announced it has added several new security features to Chrome, including two that were first popularized by rival Microsoft in Internet Explorer 8 (IE8) last year.
The newest "stable" build of Chrome -- Google's term for a production-quality edition -- includes five security additions that target Web developers who want to build more secure sites, said Adam Barth, a software engineer on the Chrome team.
Of the five features, two are notable because they're already part of IE8, a browser many consider behind the times -- and one that has trouble keeping up with competitors, such as Chrome and Mozilla's Firefox, which are upgraded more frequently.
Chrome now supports "X-Frame-Options," a security feature that helps sites defend against "clickjacking" attacks, Barth announced.
Microsoft added an anti-clickjacking feature to IE8, although one of the security researchers who first reported the problem the year before, said IE's new feature would have "zero impact" on protecting users.
Clickjacking was first used in September 2008 by Robert Hansen, CTO of SecTheory LLC and Jeremiah Grossman, CTO of Whitehat Security, to describe browser-based attacks that tricked users into clicking on site buttons or Web forms. Such attacks hide malicious actions under the cover of a legitimate site, and theoretically can be used to empty online bank accounts, secretly turn on Web cameras or change a computer's security settings.
The other Chrome security feature inspired by IE8 is cross-site scripting protection. "In Google Chrome 4, we've added an experimental feature to help mitigate one form of XSS [cross-site scripting], reflective XSS," Barth said. "The XSS filter checks whether a script that's about to run on a Web page is also present in the request that fetched that Web page. If the script is present in the request, that's a strong indication that the Web server might have been tricked into reflecting the script."
Cross-site scripting attacks were prominent in 2008, less so last year, and are often used by identity thieves as part of a broader phishing campaign.
Barth acknowledged that the XSS filter now in Chrome resembles the one in IE8, as well as the NoScript add-on for Firefox. The difference, Barth argued, is that Chrome's filter comes courtesy of WebKit, the open-source browser rendering engine that is the foundation of Chrome as well as Apple's Safari. Because the XSS filter is integrated with the engine, said Barth, it "can catch scripts right before they are executed, making it easier to detect some tricky attack variations."
Microsoft delivered the final version of IE8 in March 2009.
Google upgraded Chrome for Windows to version 4.0 last Monday. The new edition patched 13 security vulnerabilities, and added support for both bookmark synchronization and browser extensions.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, send e-mail to firstname.lastname@example.org or subscribe to Gregg's RSS feed .
- Google reverses field, promises to restore Chrome's scrollbar arrows
- Update: Google ships Chrome 33, patches 28 bugs
- Mozilla's top exec defends in-Firefox ads, revenue search
- Mozilla taps in-Firefox ads as it searches for more revenue
- Mozilla ships Metro Firefox beta for Windows 8
- Mozilla defers Firefox's new 'Australis' UI to April
- Mozilla resets Metro Firefox ship date to mid-March
- Mozilla ships Firefox 26 with opening click-to-play move
- Mozilla banked $274M in '12 from Google-Firefox search deal
- Google trumpets Chrome's SPDY gains
Read more about Web Apps in Computerworld's Web Apps Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Face Time Anytime Real-time communications facilitates team collaboration from nearly anywhere in the world. With facts and figures you can use to justify an investment
- Riverbed Stingray Application Firewall: Securing Cloud Applications with a Distributed Web Application Firewall Responsibility over IT security is moving away from the network and IT infrastructure and to the application and software architecture itself. IT organizations...
- Now is the time to implement a video conference solution Video conferencing is getting a lot of buzz lately due to the recent cost decrease, making it tangible for many law firms. It's...
- Video drives engagement Achieving maximum results means building a solid platform and network infrastructure. As digital age unfolds, it's clear that the ability to communicate effectively...
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well...
- The New Way to Work Knowledge Vault This Knowledge Vault focuses on how, in today's increasingly virtual world, it's more important than ever to engage deeply with employees, suppliers, partners,... All Web Apps White Papers | Webcasts