heard about it first here:
http://forums.informaction.com/viewtopic.php?f=8&t=3979&p=17380#p17352

(read Maone’s reactions, that’s interesting)

source there:
http://arstechnica.com/security/news/2009/03/chrome-is-the-only-browser-left-standing-in-pwn2own-contest.ars

The arstechnica article linked above and the lifehacker link on the NoScript forum are both over a year old. Is there anything more current which supports the “Chrome left standing” hype the articles seem to convey?

Maone’s reactions are a lot more interesting than the articles. I’m glad to be reminded that Sandboxie is no panacea. If I allow it to, even sandboxed malware can read most of my personal information and phone it home. I instruct my firewall or Sandboxie not to allow that to happen.

Edit: To answer my question about current info, I went right to the source, the sponsor of the Pwn2Own 2010 competition, DVLabs. TippingPoint | DVLabs | Pwn2Own 2010
The article has an interesting trackback:
Chrome Browser, Unhacked - Gadgetwise Blog - NYTimes.com

For the second year, all the browsers fell except Chrome. No one even tried to hack it.

Why isn’t entirely clear. Chrome has some security advantages, but its survival doesn’t mean the browser is unbreakable or the most secure, says TippingPoint’s Aaron Portnoy, who organized Pwn2Own. Researchers come to the contest with attacks in their pockets, and like malicious hackers they tend to focus on the most broadly used software. Chrome has a small, albeit growing, market share of 6.1% in March, according to Net Applications.

“People think that their time is better spent finding bugs in more popular software because it’s worth more money,” Mr. Portnoy said. Nevertheless, Chrome, as the newest browser on the market, includes security advances that make it an “interesting target.”

The arstechnica article linked above and the lifehacker link on the NoScript forum are both over a year old

oh my god I just didn’t notice, sorry about that … this said it’s so obvious that sandboxing won’t protect you from online threats life credential theft; it may somehow protect your system from viruses or trojans but what happens online happens online; many people have also a wrong interpretation of private browsing in Chrome or IE…

edit: and thanks for your link ;)…got to read your article in the NYT now…

Hi Logos,

Safe browsing is a specific attitude because the browser owner is aware of the dangers that lure on the Internet, and these are manifold and come from various angles. There are however some things one can do. Use your browser as a normal user reduces the risk of malware creating havoc on the machine considerably. Preventing suspicious scripts to run (through the use of NoScript add-on) both could help towards enhanced security and privacy (i.e. less tracking), prevent certain third party request from the browser (Request Policy extension) is another form of protection, regulation through specific configurations of ABP (ad-blocking) could also be helpful.
GoogleChrome is a gigantic keylogging project for Google (researchers have found that using a proggie like Fiddler 2.0 to see what it does in these respects). SRWare’s Iron has torn these aspects out of the GoogleChrome browser, but still certain separate browser processes can hit malcode (and the avast webshield will flag these). So until a form of good script blocking comes to the GoogleChrome browser it is a bit faster and a more recent browser concept but it isn’t secure.
I think sponsors of the browser and the ad launchers would not welcome a browser and browser users that block all there obfuscated tracking and ad-serving and have ad-blocking inside the browser, else all browsers would have NS by default and a problem would have left this world for the foreseeable future. There is another second best solution that is to try and prevent by using a specific hostfile and tools like SpywareBlaster, but as the malware theater is ever-changing like the ocean you would always be running after the facts, because a reputable website could have been hacked a minute ago.
So if you aware of these facts, you know what to do,

polonus

I’ve been running fiddler2 while running successively Chrome and Firefox (+ ABP and NS)… well you know what the results are…I already tried the host file solution by adding manually a list of ad servers in it; works fine but must be updated manually and this doesn’t match ABP potential. Tried hostman and like some others reported got some really high CPU loads >>> laptop unusable. So may be hostexpert…I’m getting off topic

Hi Logos,

A user that really wants to protect his browser security seldom will get off-topic. YoKenny is the expert on host-blocking without it seriously harming the computer speed. Yes there is a limit set to what you can do on a “Windhose box”, Ghostery add-on can be used to block trackers on the main domain without blocking all of the main domain: https://addons.mozilla.org/en-US/firefox/addon/9609

polonus

P.S. About Ghostery Blocking Feature where we are in between a rock and a hard place: http://getsatisfaction.com/ghostery/topics/ghostery_blocking_feature_breaks_web_functionality_on_many_sites#reply_1935687

I was actually surprised by Hostman behavior on Seven. I’ve used it on XP long ago and didn’t have these high cpu load issues…don’t know if Yokenny is a specialist but there was a thread where me and another poster mentioned this issue, and all he said was that he didn’t have it (the issue) on his system… and that Chrome wasn’t as good as Google wanted me to believe ;D (yeah main reason I want to modify my hosts file now as you know is because of those fake ad blockers in Chrome)

I wrote this as a comment somewhere on this page:

https://chrome.google.com/extensions/detail/gighmmpiobklfepjocnamgkkbiglidom?hl=en-US

I sometimes get all ads displayed briefly :). Anyway, I don't know if it's Chrome API limiting the ability of this adblocker to not retrieve the ads from servers, but that's a big minus when compared to the behavior of the original and much more powerful ABP in Firefox. Hiding the ads instead of not downloading them at all also means much tracking. Download and run Fiddler2 (Microsoft) and you'll get an idea of the number of connections established when browsing any site in Chrome. That's a shame. This adblocker is certainly no porting of the Firefox version, it just gives you the illusion that ads are blocked, again, they're just hidden while statcounters and all the internet crap keeps running in the background.

I think the situation is clear: Google will probably never allow the implementation of real adblockers or selective javascript blockers in Chrome. They live from ads, there’s nothing to expect and their API is how they send the message :

HostsMan runs fine on my system.

Yokenny you have UAC enabled……some services are disabled by you or HOSTMAN…….like hm.exe32?

@ Yezinki

UAC enabled and DNS Client service is disabled by HostsServer.

Yes @Logos and @YoKenny - the implicatuion of hostsfiles is rather different for Vista and W7

Good one: http://someonewhocares.org/hosts/

Because of the newer tracking methods, it is more diffcult to cover all with a hosts file, for instance the blocking of the whole of the doubleclick range, also in the light of the recent adcode malcode:
http://www.mvps.org/winhelp2002/hosts.htm
And, they the adlaunchers, aren’t all for it: http://yro.slashdot.org/article.pl?sid=05/06/23/1428223
They fear that the end of the free Internet will come if users block tracking and ads,
and what if ads and tracking become first choice malcode vectors. Will they use that as a pretext. Some users do not want to read a tiny bit of real info in between a pop-up and a pop-under floating adbanner, then the views of Ghostery also made by adlaunchers is much more realistic and they offer a real choice.
Implementing ABP rightly in GoogleChrome is a crime really, because the ever silently updating browser constantly evades the settings, only a code blocking bookmarklet works but only after the fact and when the Google monster etc. already has munched all your browser tracking data,

polonus

A question from a newbie ……….In simple words what benefits does one gain from installing HOSTAM…………besides a headache……am serious no kiddin……… Avast +MBAM resident protects from Malware etc….Ad block from ads? ???

it’s needed at least for Opera, IE, and Google Chrome that don’t have serious adblockers

Hi Logos,

The important trio of extensions in Fx and flock for this purpose are NS, RP and same thing is doable with the right ruleset, with thye Karma Blocker extension, sans GUI:

https://addons.mozilla.org/en-US/firefox/addon/5230

Personally, the developer serves up some bad karma for “third policy”. But you can certainly write a “host is” and “origin host is” rule, too! As the developer states: "An extremely powerful, yet lightweight, alternative to extensions like AdBlock Plus.

Especially useful for blocking third-party resources to help combat privacy leaks (cookies) and security problems (XSS).

Intended for the advanced user. It is highly recommended to read the documentation",

polonus