Google engineers deny Chrome hack exploited browser's code
Vupen used a bug in bundled Flash, say Google devs; 'Not a Chrome pwn'
Computerworld - Several Google security engineers have countered claims that a French security company found a vulnerability in Chrome that could let attackers hijack Windows PCs running the company's browser.
Instead, those engineers said the bug Vupen exploited to hack Chrome was in Adobe's Flash, which Google has bundled with the browserfor over a year.
Google's official position, however, has not changed since Monday, when Vupen announced it had successfully hacked Chrome by sidestepping not only the browser's built-in "sandbox" but also by evading Windows 7's integrated anti-exploit technologies.
"The investigation is ongoing because Vupen is not sharing any details with us," a Google spokesman said today via email.
But others who work for Google were certain that at least one of the flaws Vupen exploited was in Flash's code, not Chrome's.
"As usual, security journalists don't bother to fact check," said Tavis Ormandy, a Google security engineer, in a tweet earlier today. "Vupen misunderstood how sandboxing worked in Chrome, and only had a Flash bug."
"It's a legit pwn, but if it requires Flash, it's not a Chrome pwn," tweeted Chris Evans, a Google security engineer and Chrome team lead, using the security-speak term for compromising an application or computer.
Justin Schuh, whose LinkedIn account also identifies him as a Google security engineer, chimed in with, "No one is saying it's not a legit exploit. The point is that it's not the exploit [Vupen] claimed."
When asked to confirm the source of the vulnerabilities it exploited, Vupen was blunt in its refusal to share any information.
"We will not help Google in finding the vulnerabilities," said Chaouki Bekrar, Vupen's CEO and head of research, in an email reply to questions. "Nobody knows how we bypassed Google Chrome's sandbox except us and our customers, and any claim is a pure speculation."
Last year, Vupen changed its vulnerability disclosure policies when it announced it would no longer report bugs to vendors -- as do many researchers -- but instead would reveal its work only to paying customers.
Today's Twitter back-and-forth between Google's engineers and Bekrar grew heated at times.
- Workarounds to purge search bar from Firefox's new tab page are available
- Mozilla ships Firefox 31, adds search to new tab page
- Microsoft's IE steps back from the brink of irrelevance
- Firefox falters, falls to record low in overall browser share
- Firefox risks user backlash by adding search box to new tab page
- Google unseats Microsoft as the U.S. browser powerhouse
- Safari, Chrome push to mask URLs
- Chrome on Windows champs at the 64-bit
- Google pulls trigger, cripples some Chrome add-ons
- Microsoft shoots to shorten Internet Explorer's long tail
- Securing Mobility, From Device to Network At one time, the process of managing and securing mobile devices and applications was fairly straightforward. Most organizations worried about one application (email)...
- Data Protection eGuide In this eGuide, CSO and sister publications IDG News Service, Computerworld, and CIO pull together news, trend, and how-to articles about the increasingly...
- Warning: Cloud Data at Risk Experts agree that relying on SaaS vendors to backup and restore your data is dangerous. Yet that's exactly what huge portions of the...
- The Opportunities and Challenges of the Cloud In this report F5 poses questions to IDC analysts, Sally Hudson and Phil Hochmuth, on behalf of F5's customers to better understand the...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!