Improving web browser security

Wednesday, July 22, 2009 4:06 PM



Malware is the source of a large number of reported security incidents on the Internet. Since Internet users can become infected in many different ways, the proliferation of malware is a very hard problem to solve. One part of the solution is to improve the robustness of web browsers such that security compromises due to browser bugs are minimized. We work hard to scrutinize our own code for potential vulnerabilities. We also contribute to research in this area with projects like the Browser Security Handbook and open source releases of the fuzzers involved in our software testing.

Some of you may have noticed that while working on Google Chrome, we have also discovered and responsibly reported a number of security issues in other browsers. Various scenarios lead us to report these bugs:

  • Some browsers share code bases with Google Chrome, and we collaborate with those browser vendors.
  • We develop generic fuzzers that are applicable to most browsers and that we want to share with others.
  • We spend time analyzing behavior in different browsers, and we sometimes discover bugs in the process.
  • It benefits our users and the Internet as a whole if we work collaboratively on better web browser security.
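To make the "generic fuzzers" item concrete, here is a small added example of the idea: a seeded generator of random <canvas> 2D API call sequences that emits a plain HTML page any browser can load. This is written for this page as an illustration; it is not the <canvas> fuzzer mentioned below, nor any Google or Chromium code. The operation table, the edge-value list and all function names are assumptions. Two properties matter for cross-vendor work and are shown here: the output is engine-neutral (plain HTML plus script), and every case is fully determined by its seed, so a crash can be reproduced and handed to another vendor as "seed 4711, 200 steps" rather than as a one-off file.

```javascript
// Added example: seeded <canvas> API call-sequence generator (not code from the post).

// mulberry32: a tiny deterministic PRNG. Same seed => same call sequence, so
// any crash found by the harness can be regenerated for the bug report.
function mulberry32(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Boundary-heavy values: integer overflow edges, huge/tiny floats, NaN and
// infinities. Rendering bugs live at these edges, not in the middle of the range.
const EDGE_NUMBERS = [
  0, 1, -1, 0.5, 1e-9, 1e9, -1e9,
  2147483647, -2147483648, 4294967296, 65536, NaN, Infinity, -Infinity,
];

function pickNumber(rnd) {
  if (rnd() < 0.5) {
    return EDGE_NUMBERS[Math.floor(rnd() * EDGE_NUMBERS.length)];
  }
  return Math.floor(rnd() * 20000) - 10000;
}

// A handful of canvas 2D operations we know how to build arguments for.
// The names `canvas` and `ctx` are defined by the HTML wrapper below.
const OPS = [
  (r) => `ctx.fillRect(${pickNumber(r)}, ${pickNumber(r)}, ${pickNumber(r)}, ${pickNumber(r)});`,
  (r) => `ctx.lineWidth = ${pickNumber(r)};`,
  (r) => `ctx.arc(${pickNumber(r)}, ${pickNumber(r)}, ${pickNumber(r)}, ${pickNumber(r)}, ${pickNumber(r)}, ${r() < 0.5});`,
  (r) => `ctx.scale(${pickNumber(r)}, ${pickNumber(r)});`,
  (r) => `ctx.translate(${pickNumber(r)}, ${pickNumber(r)});`,
  (r) => `ctx.beginPath();`,
  (r) => `ctx.stroke();`,
  (r) => `ctx.save();`,
  (r) => `ctx.restore();`,
  (r) => `canvas.width = ${pickNumber(r)};`,
  (r) => `ctx.getImageData(${pickNumber(r)}, ${pickNumber(r)}, ${pickNumber(r)}, ${pickNumber(r)});`,
  (r) => `ctx.drawImage(canvas, ${pickNumber(r)}, ${pickNumber(r)}, ${pickNumber(r)}, ${pickNumber(r)});`,
];

// Generate `steps` JavaScript statements for the given seed.
function generateCase(seed, steps) {
  const rnd = mulberry32(seed);
  const lines = [];
  for (let i = 0; i < steps; i += 1) {
    lines.push(OPS[Math.floor(rnd() * OPS.length)](rnd));
  }
  return lines;
}

// Wrap the case in a minimal page. Each statement sits in its own try/catch:
// exceptions on bad arguments are expected and uninteresting, whereas a crash
// or hang in the renderer cannot be masked by try/catch, which is what we want
// to surface. The title change at the end signals that the case ran to completion.
function renderHtml(seed, steps) {
  const body = generateCase(seed, steps)
    .map((line) => `try { ${line} } catch (e) {}`)
    .join('\n');
  return [
    '<!DOCTYPE html>',
    `<title>canvas fuzz seed ${seed}</title>`,
    '<canvas id="c" width="300" height="150"></canvas>',
    '<script>',
    "const canvas = document.getElementById('c');",
    "const ctx = canvas.getContext('2d');",
    body,
    `document.title = 'done seed ${seed}';`,
    '</script>',
  ].join('\n');
}

// Usage from Node (outside a browser): write one file per seed and load them
// in each browser under test; a seed whose page never reaches 'done' is a lead.
if (typeof document === 'undefined' && typeof process !== 'undefined' && process.argv[2]) {
  const seed = Number(process.argv[2]);
  process.stdout.write(renderHtml(seed, 200));
}
```

A driver page that loads each generated case in an iframe and advances to the next seed when the title flips to "done" is the usual next step; the important design point above is that the generator, not the driver, carries all the randomness, so the driver stays trivial and portable across browsers.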

A few of the more interesting bugs we've researched recently include: this one in Opera uncovered by Michal Zalewski's <canvas> fuzzer; an HTTP 449 response code issue in IE found by Tavis Ormandy; contributions to Safari 4's security by Robert Swiecki, SkyLined, and Dean McNamee (and others); an XMLHttpRequest leak in Firefox discovered by Marius Schilder; and a cross-domain leak in Chrome / Safari (the two share a common WebKit base) unearthed by Chris Evans.

The collaboration works both ways. We'd like to thank the following browser vendors: Microsoft for helping with SSL interactions with HTTP proxies, Mozilla for sharing fuzzers, and Apple for sharing and coordinating WebKit-based bugs.

Together as a security community, our combined efforts to find vulnerabilities in browsers, practice responsible disclosure, and get problems fixed before criminals exploit them help make the Internet a safer place for everyone. We'd also like to thank all those who have helped us by contributing to Google Chrome.

6 comments:

amoebe said...

Hi there all,

I was wondering if there is some sort of tutorial on how to use the malware api in combination with php.

I have searched for quite some time and all I see are blogs with people that are willing and asking the same. If someone can explain it to me I'll promise to make an instruction vid and post it ;-)

Thanks in advance!!

Peter

blscott said...

I understand that a malware feed is available to qualified organizations. I believe we qualify. Who should I speak with about this? blscott@livesquare.com