Chrome is said to have some security issues...one of them is an outdated WebKit.(IMG:Google)

The first thing to remember is that Chrome is open-source and, as such, Google knows security researchers will pick apart its browser and outline all its flaws. This is one of the main reasons for releasing it as an open-source product. With that said, Google should have known better than to release its Chrome browser with a less than polished version of Apples WebKit. The current version of Chrome uses Apples WebKit version 525.13.

This version, according to researcher Aviv Raff, was used in the Windows beta of Safari 3.1, the same version that was vulnerable to the carpet b****ing attack -- Chrome uses Safari 3.1 as the rendering engine, which is why if your Web site works in Safari, then Chrome will display it properly. Apple fixed the issue through its Safari 3.2 update. However, Chrome appears to be a version late and a dollar short in keeping up.

Aviv Raff created a proof-of-concept (PoC) to show how Chrome can be exploited: 

This PoC will automatically download a JAR file and place it in the downloads folder (there are reports that in some cases it will download it to the Desktop, as in Safari. In those cases, the Safari-Pwns-IE exploit can be easily converted to Chrome-Pwns-IE exploit), Raff said.

Unfortunately, whenever Google Chrome downloads a file, it creates a download bar at the bottom of the page, which seems, for the untrained eye, as part of the page. The downloaded filename is displayed as a button, and the one click on this button will execute the file.

The problem is that this vulnerability requires the user to download a file they are unaware of, and then execute it. At the same time, there are safeguards and warnings.

If the file is an executable (e.g. .EXE, .BAT, etc.), Windows Explorer will show a warning that this file was downloaded from the Internet. In this case, Google Chrome does a good job by setting the Zone.Identifier in the alternative data stream, Raff points out.

This is not the only \'security\' issue posed. Another bug, discovered by Rishi Narang, can cause the browser to crash (a denial of tabs and service, if you will) simply because of a % character in the URL.

Google\'s browser is still clean and has many positive features. However, as long as there are outdated engines and some bugs in the code, then it will never top or compete too seriously with the likes of Mozilla\'s Firefox or Microsoft\'s Internet Explorer.

Considering that Chrome is more Google App-focused at present anyway, why would someone switch to Chrome full time? Are people really using this as a steady browser, conducting online banking or other critical uses? Granted, Chrome is EV SSL compliant.

As mentioned in the TTH Chrome review, it offers a nice break from tradition when surfing the Web. Use it for what it is, a slick browser that will help manage almost the entire Google line of services as well as allow you to visit normal non-critical Web sites.

If you need to do research of a security nature, business, or sensitive work online, then use Firefox or Internet Explorer, at least until Google releases the full and final version of Chrome.

Fame is but a fickle mistress. On Tuesday, Googles new toy, the Web browser known as Chrome, was seemingly king of the world. Now, thanks to some detailed clock cleaning, Googles browser is reported to be riddled with security problems. Not so fast, before you set the little-browser-that-could on fire, take some time to think things through.

The first thing to remember is that Chrome is open-source and, as such, Google knows security researchers will pick apart its browser and outline all its flaws. This is one of the main reasons for releasing it as an open-source product. With that said, Google should have known better than to release its Chrome browser with a less than polished version of Apples WebKit. The current version of Chrome uses Apples WebKit version 525.13.

This version, according to researcher Aviv Raff, was used in the Windows beta of Safari 3.1, the same version that was vulnerable to the carpet b****ing attack -- Chrome uses Safari 3.1 as the rendering engine, which is why if your Web site works in Safari, then Chrome will display it properly. Apple fixed the issue through its Safari 3.2 update. However, Chrome appears to be a version late and a dollar short in keeping up.

Aviv Raff created a proof-of-concept (PoC) to show how Chrome can be exploited: 

This PoC will automatically download a JAR file and place it in the downloads folder (there are reports that in some cases it will download it to the Desktop, as in Safari. In those cases, the Safari-Pwns-IE exploit can be easily converted to Chrome-Pwns-IE exploit), Raff said.

Unfortunately, whenever Google Chrome downloads a file, it creates a download bar at the bottom of the page, which seems, for the untrained eye, as part of the page. The downloaded filename is displayed as a button, and the one click on this button will execute the file.

The problem is that this vulnerability requires the user to download a file they are unaware of, and then execute it. At the same time, there are safeguards and warnings.

If the file is an executable (e.g. .EXE, .BAT, etc.), Windows Explorer will show a warning that this file was downloaded from the Internet. In this case, Google Chrome does a good job by setting the Zone.Identifier in the alternative data stream, Raff points out.

This is not the only 'security' issue posed. Another bug, discovered by Rishi Narang, can cause the browser to crash (a denial of tabs and service, if you will) simply because of a % character in the URL.

Google's browser is still clean and has many positive features. However, as long as there are outdated engines and some bugs in the code, then it will never top or compete too seriously with the likes of Mozilla's Firefox or Microsoft's Internet Explorer.

Considering that Chrome is more Google App-focused at present anyway, why would someone switch to Chrome full time? Are people really using this as a steady browser, conducting online banking or other critical uses? Granted, Chrome is EV SSL compliant.

As mentioned in the TTH Chrome review, it offers a nice break from tradition when surfing the Web. Use it for what it is, a slick browser that will help manage almost the entire Google line of services as well as allow you to visit normal non-critical Web sites.

If you need to do research of a security nature, business, or sensitive work online, then use Firefox or Internet Explorer, at least until Google releases the full and final version of Chrome.