Ramblings of an old Doc


Google engineers have denied Vupen’s claim of a Chrome vulnerability. They state it’s an Adobe Flash problem. The Chrome browser comes bundled with Adobe Flash.

"Vupen misunderstood how sandboxing worked in Chrome, and only had a Flash bug. It's a legit pwn, but if it requires Flash, it's not a Chrome pwn," tweeted Chris Evans, a Google security engineer and Chrome team lead.

"We will not help Google in finding the vulnerabilities," said Chaouki Bekrar, Vupen's CEO and head of research, in an email reply to questions. "Nobody knows how we bypassed Google Chrome's sandbox except us and our customers, and any claim is a pure speculation." – Computer World

Bekrar refused to reveal the information to Google, stating they only do that for customers (viz. “pay to play”).

"The Flash sandbox blog post went to pains to call it an initial step," said Evans. "It protects some stuff, more to come. Flash sandbox (does not equal) Chrome sandbox."

The blog post Evans referred to was published in December 2010, where Schuh and another Google developer, Carlos Pizano, said, "While we've laid a tremendous amount of groundwork in this initial sandbox, there's still more work to be done."

Chrome’s sandbox is present only in the Windows version. Bekrar also wrote, "Chrome's built-in plug-ins such as Flash are launched inside the sandbox which was created by Google, so finding and exploiting a Flash or a WebKit vulnerability will fall inside the sandboxes and will not circumvent it. A sandbox bypass exploit is still required."

This is the critical point: Chrome is considered a ‘secure’ browser because of its sandboxing technology. In the “Pwn2Own” contest, Google offered a $20,000 prize to the hacker who could break it, but no one took it on. That’s not the same as ‘everyone tried, but couldn’t do it’.

I guess Bekrar figures his researchers’ work is worth a far more lucrative contract with Google. I also think he’s probably right.

Source: http://www.computerworld.com/s/article/9216627/Google_engineers_deny_Chrome_hack_exploited_browser_s_code?taxonomyId=17&pageNumber=2


Comments
on May 12, 2011

Interesting, although the situation has the potential to generate a lot of bad will quickly between the parties depending on how it's played.

Are there any legality issues involved in scenarios like this? Are the "hackers" breaking any laws, or does google have any legal claim to their findings? Obviously this is a blow to the image of chrome as a safe browser, can that be interpreted as a form of slander?

on May 12, 2011

The hackers aren't really breaking any laws because the results are private as to the nature of any successful/unsuccessful hacks.

More like an open consultancy... Don't know but don't believe Google has a claim on someone else's work, because they obtained the browser freely. The very nature of Vupen's work makes what they do 'legal', and they don't publicize results, so Google can't claim it's being discriminated against.

The fact that they found something doesn't mean they have to give it away, since they aren't under any contractual obligation.

"Slander" refers only to the "spoken" word. I believe you're referring to "Libel", which applies to the written word, and the claim isn't libellous if it's true. If it isn't, then libel might apply, but I believe 'actual damages' would have to be proven.

Remember, I'm a non-lawyer, so you're getting an 'amateur' (if not amateurish) explanation. A more Pro amateur would be Jafo.

on May 12, 2011

Quoting DrJBHL: A more Pro amateur would be Jafo.

Pro Amateur? So he is a jumbo shrimp?

on May 12, 2011

Quoting Dr Guy:

Quoting DrJBHL, reply 2: A more Pro amateur would be Jafo.

Pro Amateur? So he is a jumbo shrimp?

Dr Guy has sealed his own fate, I believe.

Jafo The Dark Prince shall be visiting you. Bwah hah hah.

on May 12, 2011

I are Jafo of Borg......you will be ass-imilated. Resistance is......oops......wrong thread. Sorry.