Saturday, August 14, 2010

Some Chrome Browser Bugs

These bugs are caused by Chrome setting up a dependency on Microsoft third-party software. Chrome shares the IE browser's "Internet Properties" dialog box.

In Chrome, click the wrench icon, then Options -> Under the hood -> Change Proxy Settings. The IE Internet Options dialog box is displayed. [Hard to believe.]


Note: The Mozilla Firefox browser avoids this dependency.


Environment:
  • Up to date Chrome 5.0.375.126
  • Up to date IE: 8.0.7600
  • Up to date Firefox: 3.6.8
  • Up to date Windows Pro 7

Bug #1 (security):
A malicious exploit specifically targeted at IE browsers that changes internet option parameters will also adversely affect Chrome's shared internet option parameters. For example: 1) Reducing browsing security levels, 2) Allowing active content to run, 3) Changing how the browser connects to the internet.

Countering these exploits against IE and Chrome may require an IE patch or update.
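
The following added example, not part of the original post, checks `reg query` output for the three kinds of change listed under Bug #1. The registry path, the value names (ProxyEnable, ProxyServer, AutoConfigURL, CurrentLevel, 1004) and the Medium-high threshold are assumptions not taken from the post, and the sample data is constructed.

```python
import re

ROOT = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
ZONE3 = ROOT + r"\Zones\3"   # zone 3 is the Internet zone
MEDIUM_HIGH = 0x11500        # IE's default level for the Internet zone

# Constructed sample in `reg query` output format (not captured from a real host).
SAMPLE = "\n".join([
    ROOT,
    "    ProxyEnable    REG_DWORD    0x1",
    "    ProxyServer    REG_SZ    proxy.example.test:8080",
    "    AutoConfigURL    REG_SZ    http://pac.example.test/proxy.pac",
    "",
    ZONE3,
    "    CurrentLevel    REG_DWORD    0x10500",   # Medium-low
    "    1004    REG_DWORD    0x0",               # unsigned ActiveX download: enabled
])

VALUE_RE = re.compile(r"^\s{4}(.+?)\s{4}(REG_\w+)\s{4}(.*)$")

def parse_reg_query(text):
    """Return {(key_path, value_name): data}; REG_DWORD data becomes int."""
    values, key = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = VALUE_RE.match(line)
        if m and key:
            name, kind, data = m.groups()
            values[(key, name)] = int(data, 16) if kind == "REG_DWORD" else data.strip()
    return values

def audit(values):
    """Flag the three kinds of change listed under Bug #1 as (code, detail) pairs."""
    findings = []
    # Proxy and PAC settings are site-specific, so report them for review.
    if values.get((ROOT, "ProxyEnable")) == 1:
        findings.append(("proxy", values.get((ROOT, "ProxyServer"), "")))
    if values.get((ROOT, "AutoConfigURL")):
        findings.append(("pac", values[(ROOT, "AutoConfigURL")]))
    level = values.get((ZONE3, "CurrentLevel"))
    if level is not None and level < MEDIUM_HIGH:
        findings.append(("zone-level", hex(level)))
    unsigned = values.get((ZONE3, "1004"))  # 3 = disabled (default), 0 = enabled
    if unsigned is not None and unsigned != 3:
        findings.append(("unsigned-activex", hex(unsigned)))
    return findings

if __name__ == "__main__":
    for code, detail in audit(parse_reg_query(SAMPLE)):
        print(f"{code}: {detail}")
```
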

Bug #2 (security):
IE users in multiuser computer situations (cafes, classrooms, libraries) can reduce the browsing security level of Chrome users and vice-versa.

Bug #3 (security):
Chrome browsers running on Windows computers do not support SSL3.0/TLS1.x encryption.


Bug #4 (security and usability):
A Chrome user can try to change features that Chrome does not support in the internet parameters dialog box. For example: IE InPrivate browsing, SSL3.0, TLS1.x.


A user connecting with Chrome to a site requiring SSL3.0 will get an error message even though SSL3.0 is selected in Chrome.


Bug #5 (security and usability):
Under the internet properties "Advanced" tab there are several features marked with asterisks (*). A label notes that "* Takes effect after you restart Internet Explorer".


Question: Does a Chrome user who changes one or more * features need to open and close an IE browser session to activate the options in Chrome? From the Chrome GUI the required user behavior is completely unclear.


Bug #6 (security and usability):
Chrome displays some duplicate parameters that are separately and inconsistently configurable. These duplicate parameters include configuring: 1) a start page, 2) auto-complete forms and passwords features, 3) a default browser.
  • Start page: You can set duplicate home page parameters that are different. Set the first value in Internet Properties -> General Tab -> Home page. Then set a different home page here: Options -> Basics -> Home page. Chrome will use the value you set here: Options -> Basics -> Home page, ignoring the home page value you set under internet properties. However, the value you set from Chrome under internet properties -> Home page will change the startup page for any IE users on that computer.
  • Auto-complete forms and passwords: You can set this feature inconsistently in two places. Set the first value under Internet Properties -> Content -> AutoComplete -> Forms and User Names and Passwords on Forms. Then set inconsistent values in the duplicate fields here: Options -> Personal Stuff -> Passwords and Form Autofill. Chrome will use the values you set here: Options -> Personal Stuff -> Passwords and Form Autofill, ignoring the values you set under internet properties. However, the values you set from Chrome under internet properties -> Content -> AutoComplete will take effect for IE users on the same computer.
  • Default browser: I have Firefox as my default browser. In Chrome, if I go to Basics -> Default browser it says: "Google Chrome is not currently your default browser. Make Google Chrome my default browser." In Chrome, if I go to Options -> Under the hood -> Change Proxy Settings -> Internet Properties -> Programs -> Default web browser it says: "Internet Explorer is not currently the default browser. Make default."
In my opinion, the above set of problems should be assigned the following bug severity levels:
  • Security: between medium and high
  • Usability: critical
