Chrome apes IE8, adds clickjacking, XSS defenses
Adds five new security features to Chrome 4, including two IE8 debuted last March
Computerworld - Google yesterday announced it has added several new security features to Chrome, including two that were first popularized by rival Microsoft in Internet Explorer 8 (IE8) last year.
The newest "stable" build of Chrome -- Google's term for a production-quality edition -- includes five security additions that target Web developers who want to build more secure sites, said Adam Barth, a software engineer on the Chrome team.
Of the five features, two are notable because they're already part of IE8, a browser many consider behind the times -- and one that has trouble keeping up with competitors, such as Chrome and Mozilla's Firefox, which are upgraded more frequently.
Chrome now supports "X-Frame-Options," a security feature that helps sites defend against "clickjacking" attacks, Barth announced.
Microsoft added an anti-clickjacking feature to IE8, although one of the security researchers who first reported the problem the year before, said IE's new feature would have "zero impact" on protecting users.
Clickjacking was first used in September 2008 by Robert Hansen, CTO of SecTheory LLC and Jeremiah Grossman, CTO of Whitehat Security, to describe browser-based attacks that tricked users into clicking on site buttons or Web forms. Such attacks hide malicious actions under the cover of a legitimate site, and theoretically can be used to empty online bank accounts, secretly turn on Web cameras or change a computer's security settings.
The other Chrome security feature inspired by IE8 is cross-site scripting protection. "In Google Chrome 4, we've added an experimental feature to help mitigate one form of XSS [cross-site scripting], reflective XSS," Barth said. "The XSS filter checks whether a script that's about to run on a Web page is also present in the request that fetched that Web page. If the script is present in the request, that's a strong indication that the Web server might have been tricked into reflecting the script."
Cross-site scripting attacks were prominent in 2008, less so last year, and are often used by identity thieves as part of a broader phishing campaign.
Barth acknowledged that the XSS filter now in Chrome resembles the one in IE8, as well as the NoScript add-on for Firefox. The difference, Barth argued, is that Chrome's filter comes courtesy of WebKit, the open-source browser rendering engine that is the foundation of Chrome as well as Apple's Safari. Because the XSS filter is integrated with the engine, said Barth, it "can catch scripts right before they are executed, making it easier to detect some tricky attack variations."
Microsoft delivered the final version of IE8 in March 2009.
Google upgraded Chrome for Windows to version 4.0 last Monday. The new edition patched 13 security vulnerabilities, and added support for both bookmark synchronization and browser extensions.
Chrome can be downloaded for Windows XP, Vista and Windows 7 from the company's site.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at
@gkeizer, send e-mail to gkeizer@ix.netcom.com or subscribe to Gregg's RSS feed
.
Browser wars
- Microsoft wraps up ads aimed at Google with IE9 pitch
- German gov't endorses Chrome as most secure browser
- Google's punishment of Chrome drops browser's share, says metrics firm
- Firefox 10 relieves add-on updating pain
- Mozilla OKs Firefox 10 launch this week
- Google patches several serious Chrome bugs
- Mozilla slows pace of Firefox 9 upgrades
- Google patches Chrome, beefs up malicious file blocking tech
- Mozilla to launch enterprise Firefox this month with 7X slower pace
- Mozilla persuades Firefox 3.6 users to dump old browser
Read more about Web 2.0 and Web Apps in Computerworld's Web 2.0 and Web Apps Topic Center.



- Excel 2010 Cheat Sheet
- Register for this Computerworld Insider Cheat Sheet and gain access to hundreds of premium content articles, guides, product reviews and more.
- Why Business Ethernet Services?
- Everybody's heard the cliché, "the network is your business." But that's not going to help you choose the best wide area networking service...
- Overcome Top 7 Admin Challenges of Active Directory
- As Active Directory's role in the enterprise has drastically increased, so has the need to secure the data. Gain insight on creating repeatable,...
- Insiders Can Ruin Your Company. Take Action.
- Did you know that 80 percent of threats to an organization come from the inside? The threat from insiders is often overlooked in...
- Top Solutions and Tools to Prevent Devastating Malware
- Custom malware frequently goes undetected. According to Forrester Research, the best way to reduce risk of breach is to deploy file integrity monitoring...
- Streamline Compliance and Increase ROI
- Streamline, simplify, and automate compliance related activities; especially those that impact multiple business units. This white paper from NetIQ, outlines solutions that will... All Web 2.0 and Web Apps White Papers
- Optimizing Networks for the Cloud
- Join guest speaker, Rohit Mehra, IDC Director of Enterprise Communications Infrastructure, to explore current trends, discuss best practices for optimizing Data Center and...
- Apps QuickStart Series Part 2: Designing and Deploying SQL Server on VMware vSphere
- Download this webcast to learn about the design considerations for virtualizing SQL workloads, performance and scalability information and high-availability options, as well as...
- Apps QuickStart Series Part 1: Designing and Deploying Exchange 2010 on VMware vSphere
- Download this webcast to learn the virtual hardware design considerations for Exchange 2010, deployment using the building block approach, options for high-availability and...
- Customer Spotlight: How IPC The Hospitalist Company Implemented Oracle on VMware
- Have you been looking to hear about customer's experiences with the new VMware vCenter Site Recovery Manager product? View this webcast to learn...
- Virtualize Business-Critical Applications with Confidence
- Virtualizing business-critical applications has become a key focus for organizations as they move along their virtualization journey. With the launch of VMware vSphere®... All Web 2.0 and Web Apps Webcasts
