Google crashes supposedly secure Aviator browser
Goog: 'Your code sucks' ... WhiteHat: 'You sell-out users'
A spat between Google and Whitehat Security has erupted after engineers at the search giant revealed dangerous vulnerabilities found in the latter's anti-Google privacy-centric Chrome spin-off browser.
The holes in the Aviator browser reported by Google security bods Justin Schuh and Tavis Ormandy described include a remote code execution bug revealed before White Hat was told of the problem.
"You probably shouldn't be using the WhiteHat Aviator browser if you’re concerned about security and privacy," Schuh said in a blog, later labelling the project of low quality and White Hat's response "the kind of thing just gives open source a bad name".
His blog was, he said, an attempt to outline by way of example the difficulties in securing web browsers, stating that Google employs a 30-strong Chrome security team, another dozen Googlers and "none of us are ever short on work."
"Superficial branding" work meant Aviator was two releases behind Chrome, other bugs demonstrated what Schuh said an indication the added code did not "seem to have been written with a sufficient understanding of how Chrome works, or with adequate regard for security".
"Take this case where explicit debug breaks are disabled for seemingly no reason at all," he wrote.
"In Chrome that call is expected to safely terminate sandboxed processes in a whole slew of situations where the process cannot safely recover, but in Aviator all of those cases have now been turned into potentially exploitable vulnerabilities."
WhiteHat labs vice president Robert Hansen responded, rejecting Schuh's claim that the added privacy in Aviator could be made in Chrome using the Disconnect extension and some tweaks on the grounds that the average user did not know how to do this.
"Let me make it clear, we never claimed to be as fast as Google at releasing updates," Hansen said.
"Google gets the benefit of making in excess of $50 billion-a-year from ads by marketing it's users to advertisers. Therefore, Google has a lot of vested interest in keeping the browser up to par and capable of delivering more ads to those users. To say we are outmatched is an understatement."
He said Aviator had added features such as the ability to stop referring URLs being sent cross domain and having private mode activated by default which were not options available in Chrome.
Schuh issued an update hitting back that the small company still did not explain why it added branding at the expense of staying up to date with Chromium releases and firing a salvo in dubbing Aviator code "simply of extremely low quality and littered with fairly trivial security vulnerabilities".
"So, even if they fixed all the vulnerabilities they added, I don't see how they could ever keep this up to date against disclosed vulnerabilities already fixed in the stable version of Chrome," he said.
"Overall though, I'm just increasingly disappointed that the response continues abdicating responsibility for such sweeping and inaccurate claims (e.g. 'the web's most secure and private browser'), or that making the source public somehow absolves them of that responsibility." ®
Users concerned enough with privacy would probably be motivated to learn how to activate functions such as Disconnect and various other security tweaks, and would know that when something is free, they are the product. And researchers who find vulnerabilities in code should make some efforts to privately-disclose the bugs, notably if their own company wishes others to do so for its products.
Sponsored: Becoming a Pragmatic Security Leader