Mini-Newsletter From Your Google Chrome Security Team

We’re always working hard to enhance the Chrome browser with bug fixes, new defenses and new features. The release of Chrome 10 is no different, and there are some items worth highlighting:
Chrome 10: Flash sandboxing
With Chrome 10, our first cut of the previously announced Flash sandboxing initiative is now enabled by default for the Windows platform on Vista and newer. Additionally, because we automatically update Flash to the latest and most secure version, this should provide useful defense in depth.
Chrome 10: Out-of-date plug-in warnings
As we previously mentioned, we believe that some of the most significant opportunities to increase user security revolve around plugins. We’ve made a number of improvements in this area, including actively encouraging users to update their plug-ins to the most secure version. Chrome now detects when a plug-in is out of date and blocks it with a simple infobar. This infobar helps guide the user towards updating their plug-in with the latest security fixes.
Chrome 10: Plug-in blocking enhancements
Some of our more advanced users prefer fine-grained control over which plug-ins they wish to run — which can have security and privacy benefits. Chrome has long had a feature which blocks plug-ins by default (Wrench menu -> Preferences -> Under the hood -> Content Settings -> Plug-ins). We’ve improved this feature by adding a context menu to the blocked plug-in placeholder. This menu lets users control which plug-ins do and do not run. Using a context menu helps prevent clickjacking attacks that try to bypass the block. Plug-in placeholders can also be hidden (for example, if they are floating over and obscuring real content), and the actual plug-in that wishes to run is made apparent.
Chromium Security Rewards program still going strong
We mentioned in passing in the 9.0.597.107 release notes that our rewards program has passed $100,000 of rewards. We’d like to re-iterate our thanks to all the named researchers in our Hall of Fame. We’re continually delighted with the stream of interesting and clever bugs that we receive, so it will be exciting to see what the rest of 2011 brings. Remember, we love giving out money!
Still hiring!
We are always looking to expand the Google Chrome Security Team, and we’re looking for a wide range of talents. We can promise exciting and varied work, working to protect hundreds of millions of users and working alongside the best in the industry. Why not have a look at our job posting?

Rolling out a sandbox for Adobe Flash Player

Since this past March, we’ve been working closely with Adobe to allow Flash Player to take advantage of new sandboxing technology in Chrome, extending the work we’ve already done with sandboxing for HTML rendering and JavaScript execution. This week, we’re excited to roll out the initial Flash Player sandbox for our dev channel users on Windows XP, Vista and 7.

This initial Flash Player sandbox is an important milestone in making Chrome even safer. In particular, users of Windows XP will see a major security benefit, as Chrome is currently the only browser on the XP platform that runs Flash Player in a sandbox. This first iteration of Chrome’s Flash Player sandbox for all Windows platforms uses a modified version of Chrome’s existing sandbox technology that protects certain sensitive resources from being accessed by malicious code, while allowing applications to use less sensitive ones. This implementation is a significant first step in further reducing the potential attack surface of the browser and protecting users against common malware.

While we’ve laid a tremendous amount of groundwork in this initial sandbox, there’s still more work to be done. We’re working to improve protection against additional attack vectors, and will be using this initial effort to provide fully sandboxed implementations of the Flash Player on all platforms.

We’ll be posting updates as we continue working with Adobe to add new security improvements to the Flash Player sandbox. For those of you on the dev channel for Windows, you’ll be automatically updated soon, and we look forward to your feedback as you test it out. If you prefer to disable this initial sandbox in your Chrome dev experience, add –disable-flash-sandbox to the command line.

Compatibility Issues With EMET

We have discovered compatibility issues between Google Chrome and Microsoft’s Enhanced Mitigation Experience Toolkit (EMET). EMET is used to deploy and configure security mitigation technologies, often for legacy software. However, because Chrome already uses many of the same techniques (and more), EMET does not provide any additional protection for Chrome. In fact, the current version of EMET interferes with Chrome’s security and prevents Chrome from updating.

We are working closely with Microsoft on a solution to these issues. In the meantime, we advise users and enterprises not to attempt to configure EMET to work with Chrome.

Posted by Ian Fette, Product Manager and Carlos Pizano, Software Engineer