New address spoofing flaw smudges Google’s Chrome

Google’s Chrome browser has been marred by yet another vulnerability, this one allowing attackers to impersonate websites of groups like the Better Business Bureau, PayPal or, well, Google.

Researcher Liu Die Yu of the TopsecTianRongXin research lab in Beijing says the spoofing vulnerability is the result of faulty code inserted by programmers from the Mountain View, California search behemoth.

“I don’t see Apple Safari vulnerable in the same way,” he writes in an email to The Register. “They share the same engine (webkit).”

Did Google reverse-engineer Windows?

Peter Bright writes:

Since its release a few weeks ago, curious developers have been sniffing through the source code for Google’s new Chrome web browser. Chrome’s source is interesting for a variety of reasons: there’s the new V8 JavaScript virtual machine with its boasts of near-native code performance, the WebKit rendering engine that does all the hard work of understanding and displaying web pages, and (last but not least), Chrome’s secure sandbox designed to minimize the impact of any security flaws that might exist in both the browser and plugins alike. It is this secure sandbox that has piqued the curiosity of some observers, and for a reason that many may find surprising. From reading the source, it looks as though Google has reverse-engineered Windows, and that’s explicitly prohibited by the Windows EULA.

But before looking at the question of disassembly, it’s worth taking a look at how Chrome is put together and at why its security architecture is interesting.

Continue reading at Ars Technica