Google Engineers Deny Hack Exploited Chrome
CWmike writes "Several Google security engineers have countered claims that a French security company, Vupen, found a vulnerability in Chrome that could let attackers hijack Windows PCs running the company's browser. Instead, those engineers said the bug Vupen exploited to hack Chrome was in Adobe's Flash, which Google has bundled with the browser for over a year. Google's official position, however, has not changed since Vupen said it had sidestepped not only the browser's built-in 'sandbox' but also Windows 7's integrated anti-exploit technologies. But others who work for Google were certain that at least one of the flaws Vupen exploited was in Flash's code, not Chrome's. 'As usual, security journalists don't bother to fact check,' said Tavis Ormandy, a Google security engineer, in a tweet earlier Wednesday. 'Vupen misunderstood how sandboxing worked in Chrome, and only had a Flash bug.' Chris Evans, a Google security engineer and Chrome team lead, tweeted, 'It's a legit pwn, but if it requires Flash, it's not a Chrome pwn.'"
Time to treat it as such.
It's a Chrome "pwn". If you bundle it, you own it. You see Apple going the opposite direction by un-bundling Flash because it didn't want to own the security issues and battery draining properties associated with it. They recognized their brand was getting tarnished via that association and decided to make Adobe stand on their own.
It's funny how often Flash holes get exposed.
When was the last time we got to see the source for Flash?
It should be treated just like any other piece of potentially harmful code.
Seriously, at this point, it seems like Adobe is actively trying to make Flash suck.
Please hurry, webm.
If Google bundles Flash with Chrome and the user is exposed to an exploit, then it's pretty much Google's responsibility for letting this happen in the first place. Doesn't invalidate VUPEN's claim one bit, as every Chrome installation is still susceptible to direct exploitation.
You're saying Flash, running "inside" Chrome, is by definition outside of Chrome's sandbox? So it's not Chrome's fault, it's Flash's?
Wrong. Flash is running inside the browser, the browser is running inside the OS, and the OS is running on the hardware. Clean encapsulation, and any leakage from one layer to the other is per definitionem the responsibility of the leaking layer.* So Flash is leaking through Chrome to the OS. Deal with it and stop lying.
*BTW, GOOG, if you engineered it so that Flash runs "alongside" the browser, and not within the sandbox... you fail it. Your sandbox is worthless, your browser is worthless, and your word is less than worthless.
I thought the main reason Google had taken to distributing flash with Chrome was so they could sandbox it better than the regular shared version of flash the other browsers use? And better keep it up to date, as well, but mainly the former.
I guess I was mistaken.
A company takes care to actually go through code, assembly, source, any means really, figure out a hack that's specific to Chrome ... and somehow, they are the ones misunderstanding the code. Somehow that answer doesn't satisfy me :)
Also, the answer would be equivalent to having my code use SQLite as a DLL: I bundle it in my package, I install it, it's mine ... but somehow when someone hacks my application through a (very theoretical - example only! move on trolls ;) ) SQLite bug, I would have the exit door saying "oh yes, you can hack my app, it's defenseless, but it's not my fault, it's SQLite here! *points*"
Please ... Chrome ... You bundle it, you vouch for it, you got hacked, you recognized it, don't start making excuses please. It's no big deal, it's only a bug, like there are countless in ALL applications throughout the world.
All the malware/virus problems Windows has that can be attributed to 3rd party programs, this means now Microsoft is vindicated? My question is, does this Flash exploit work in other browsers? Or does it specifically take advantage of something wrong with Chrome? Cos if it's the latter, then whether it's a "Flash problem" or not, it still means Chrome is the vector.
It's a legit pwn, but if it requires Flash, it's not a Chrome pwn.
If the dike fails and the land gets flooded, who cares if the dike was earth or stone? The point is that the place is flooded.
And that analogy is apropos considering what's going down here.
I call it 'The Aristocrats'
"It's a legit pwn, but if it requires Flash, it's not a Chrome pwn. Do Java bugs count as a Chrome pwn too, because we support NPAPI?"
According to Google then, the vulnerability *does* sidestep the sandbox.
The Google response reminds me of when MS was in the habit of using PR to quash security reports instead of writing good code. Someone would come up with an exploit and MS would say it was not a well-configured, updated system, so fixing the code that fell to the exploit was not the responsibility of MS. The security people would then run the exploit again with a fresh out-of-the-box installation with all updates, and the machine would again be compromised. MS would then respond by saying that the user could easily configure the machine to not fall to the exploit, so it was a user issue and not an MS issue. The thing is, if the out-of-the-box configuration is not secure, then the machine is not secure. If an Android phone comes with Flash out of the box, and Flash is not secure, then the machine is not secure. It does not matter how fancy and pretty and secure the rest of the code may be.
Assuming that it's just a Flash bug, and not a sandbox escape as well (even of the limited Flash sandbox), then really it's up to Adobe to fix. That being said, Chrome, because it bundles Flash, has had a history of patching Flash bugs before Adobe does. But considering that very few details are out from Vupen on the exact nature of the exploit, it's really just speculation.
I think the general impression I got from reading about Chrome was that they did indeed sandbox Flash, so it might be a good idea for them to clarify with a blog post, since it seems that the general conclusion is that most people thought the same (as opposed to only a limited sandbox which is rolling out in phases).
I don't think this is going to change my choice of browser either way, and I think it's quite impressive if this is indeed an exploit, and just how long Chrome held out.
As an uninterested third party (I didn't really read the article, just the thread) who writes code for a living, the person responsible for the bug is the one who wrote the code, and the person you complain about the bug to is the one who makes the change to the code to fix it.
So who employs the person who hopefully fixes this bug at some point?
Are these so-called professionals all 13 or something?
Anything short of running in a VM (hardware supported or purely in software), is not a "sandbox" in my book.
It is a Chrome flaw introduced by Google's use of the word "sandboxed" that really doesn't imply a sandbox at all.
Additionally, compiling JS to machine code and having Chrome execute that data is not "sandboxing" either.
A flaw in my VM's interpreter that allows code to escape the sandbox is one thing, running non-virtualized machine code that itself can be exploited is quite another.
At some point, you must stop, wipe your brow, and consider your trek through the desert -- Is there really an edge to this sandbox? Did I miss the line drawn in the wind-swept sand or have I been lied to yet again?
Will Chrome OS bundle Flash or allow it to install?
One of the selling points of Chrome OS is the security. If someone can PWN my laptop and keylog my user-level password remotely, then having my data in the cloud is dangerous. Right now even if someone compromises Flash, my computer is protected by multiple levels of user access controls and backups. With Chrome OS, once someone can access my account they can do it from anywhere without physical access.
This is not a gripe about the cloud as much as it is pointing out how you can't go around claiming the sandbox keeps you safe if your browser lets you punch holes in the sandbox. Because Chrome OS connects your cloud filesystem to your general browsing via the browser, it is more incumbent to secure it.
Right now whenever IE or Firefox has some dangerous hole I can switch to a different browser. But if I use Chrome OS I can't safely surf the web whatsoever until it is patched.
The way I see it is simple: Adobe produced such a pathetic POS that Flash is that even the current Chrome sandboxing technology, which is already very good, cannot contain the Flash exploit.
Can't decide if you are serious or a good troll, but to defend that it is ok that Google's sandbox is compromised because the code doing it was so bad?? Which would be by definition any code compromising a sandbox (which it in this case doesn't btw. Flash isn't sandboxed in Chrome, which is not immediately apparent when Google tout their sandboxing and Flash integration)
Flash probably doesn't work inside a sandbox, it probably gets up to all manner of disgusting tricks to get the shitty performance that it does.
Mod me flamebait or troll, I don't care, but anything that makes Tavis Ormandy whine with butthurt makes my day.
Was he upset the issue wasnt responsibly disclosed, and they went right to the media? Oh the horror! Who would DO that!?
Does anyone else find "pwn" to be fucking annoying?
The programmers at these companies are totally clueless when it comes to security.
You don't know that. Programmers just implement what they're told to implement. The people to blame are the software architects, and probably also the executives. If the executives wanted security to be a priority, they'd direct their architects to make it happen.
Between chrome.angrybirds.com and HTML5 video, Flash is going to be at best a legacy technology.
HTML5 audio and video are a mess. No audio and video codec works in all browsers. The pack-in browsers (IE and Safari) use only patented MPEG family codecs, while all the aftermarket browsers (Firefox, Chrome, Opera) use only Free codecs. Besides, either Adobe Flash Player or Google Chrome Frame will be needed at least until all IE installations are upgraded to IE 9 or later, which won't happen until 2014 when Windows XP reaches its end of life.
You can already view a lot of YouTube as HTML5 vids
Newly uploaded videos and some of the videos most popular among the general public have been transcoded to WebM, but transcoding the "long tail" will have to wait.
Then it is Google/Chrome's fault, and Google should quit bundling Flash and let Adobe maintain their plugins...
the most popular use of Flash is video
But even once video is converted to HTML5, several remain:
How do you recommend making those with HTML5 technologies?
Headline length is limited, and "pwn" saves four characters vs. "exploit".
Google admits this seems to be a real attack but it seems to be a Flash exploit. Since Flash seems to be an utter piece of sh^H^H not-so-good program, they've sandboxed it somewhat to get rid of a lot of attack vectors. However, in TFA they're publicly stating that their sandbox isn't perfect and that it won't stop all attacks. Google's Flash sandbox is better than nothing but it ain't perfect.
What I really think is the issue here is this French security firm that admittedly has a new zero-day against Flash and a way of compromising the Google Flash sandbox and they refuse to let Google or Adobe fix it. Instead, they've decided to profit from it by selling the info to who knows what kind of organizations. That's immoral and should be downright illegal. Why isn't that the headline?
Since Flash comes bundled with Chrome any Flash exploit becomes a Chrome exploit. Google should stop blaming the media for not fact checking and start fixing their mess.
It was never stated whether this exploit works for Chrome dev or stable. In dev, Flash has finally been sandboxed.
If it manages to bypass the sandbox in DEV, then yeah, it's a bug in Chrome.
Otherwise, if it only works for stable, then it's simply a matter of time before dev is pushed to stable. It's well known that Flash has a variety of security issues so it's not much of a surprise. Google's reason for bundling Flash remains valid. Remember, this site does not represent the norm, where Flash exists on over 95% of all users' machines whether Google bundles it or not. Google's main reason was to make it easier to keep Flash up to date. Not much Google can do with 0-day exploits for Flash other than get the update to users as fast as possible when ADOBE fixes it.
If it shipped in Chrome, it's code Google distributed. Google-pwn.
If the sandbox was so good it would have contained the flash exploit since that's its entire point. A sandbox is basically useless if it can be sidestepped regardless of what was exploited.
No matter how much you want it to be gone, Flash is like ActiveX and IE. A necessary piece of software for many production applications in use today. To take those pieces away means costing corporations several thousands if not millions in re-inventing their wheels. Corporations don't like to do that, and many IT budgets aren't fat enough to do it. No matter how much Steve Jobs bitches about it his argument is irrelevant - at least at this point in time.
It will take the industry a good many years to shift away from their crappy software suite dependencies (IE, Flash, Active-X, etc, etc) but until that happens, we are stuck with Flash so let's just stop with all the whining.
This message does not seem very good for chrome it? I do not like to use chrome because the plugin in firefox for my work was not designed very handy.
I clicked on a link present in the google search page and this link installed malware on my computer. Wait, this is a problem in google search, it's not my browser's fault, do your fact checking first before accusing my browser.
Everyone is talking about how it is a Chrome pwn, I am sorry but it is simply not so. It is not cross platform, it uses a vulnerability in Windows on top of the vulnerability in Flash (yes I know it is bundled with Chrome). If it were a Chrome pwn it would work in Windows, Mac, and Linux.
Obviously Chrome has most of their ducks in a row as their code run on a non-Windows machine is not vulnerable to this type of attack. You're telling me Chrome is at fault because Windows has a flaw?? I don't think so.
HTML5 Ogg videos play just fine with the QuickTime Ogg Component.
The last time I checked, the QuickTime Ogg Component was not available for iOS.
Sorry guys but if you're going to fully integrate Flash into your browser you have to take ownership for any problems that arise as a result. You're integrating it, you're shipping it, it's up to you to QA the entirety of your release.
On another note, Chrome integration of Flash is the #1 reason I stick with Firefox.
"It's a legit pwn, but if it requires Flash, it's not a Chrome pwn."
Could you not say "It's a legit pwn, but if it requires Chrome, it's not a Flash pwn."?
Now which is the evil twin? Google or Microsoft???
You are correct, it doesn't work. Previously if you forced plugin sandboxing, things like webcam&mic support would break, and probably much more. It also wouldn't be able to save or read anything from the filesystem except from LocalLow. This is due to Microsoft's implementation not Google's.
You were lucky, your bugs were "deemed" security issues. Ask me about the 5 show stoppers I remember off the top of my head from the ones I reported over the decades:
- Never returns from a system call under certain conditions. Answer: "You can't delete a file right after creating it." Wow, let's add that to all university programming courses, shall we???
- File modified time is different after the DST transition depending on whether you accessed (e.g. findfirst / findnext / findclose) the file before the DST transition and thus the directory entry is in cache. As you can imagine, this one was a real pain to track down, but it sure was satisfying to finally find it. Answer: "This doesn't happen in the next version of Windows. Get your customers to upgrade." (100k's of licenses)
- Compiler blows up if you have a comment that crosses a 0x2000 boundary in the file. Proven with a simple .C source file. Answer: None
- Using the network to access workstation A from workstation B while accessing workstation B from workstation A causes deadlock. Proven with simple network copies from batch files. Answer: We will fix part of the problem, but that will only reduce the likelihood, not eliminate it.
- Compiler produces incorrect code with no warning or error with a fairly simple ternary statement involving based pointers. Answer: You should upgrade to 32 bit, everyone will be doing it. (This was a long time ago.)
If CEOs knew what seasoned developers know about Microsoft, they would run away in fear.
Once it is bundled, for all practical purposes it becomes part of a singular product. Consumers really don't care who wrote the code, only that someone broke in.
Imagine if Ford bought radios from Samsung and used them as standard equipment in all their cars, and someone figured out how to use a radio signal to hack into the car's computer through the radio and unlock the doors and start the engine. Now imagine Ford engineers standing on the pulpit preaching it wasn't our fault, it was Samsung's.
Nobody cares. You shipped a product that contains another party's work, and when it fails, you get the blame. If you can not handle it, do not cry on the street corner, simply refuse to ship Flash.
You integrated Flash into the god-damn browser, that makes it a browser vulnerability.
http://www.google.com/support/forum/p/Chrome/thread?tid=7d3f092af444f164&hl=en
http://www.google.com/support/forum/p/Chrome/thread?tid=0c7d7cda7c1abc15&hl=en
And on and on.. almost never-ending lists of angry frustrated users trying to figure out why Flash + Chrome is crashing.
It's time that Google either cut and run, or demand Adobe open up Flash so they can roll their sleeves up and do some serious hacking on the Flash core.
Flash is a part of Google Chrome, so Google, stfu and fix your damn product.
I don't care who your suppliers are, imagine a world where a car maker says that the cars it makes are not defective when they are because the parts that fail are not made in-house. This is hugely moronic.
Please write your own implementation of Flash! Adobe is dragging its feet and will always be a problem!
Depends...
If you link statically, then yes, it's your bug.
If you link dynamically, then no, it's not your bug.
I am not saying who caused it, mind. Just that by packaging it into your code, you are the one who gets to handle the bug.
As Google is packaging Flash, it's a Chrome bug, but not a bug in Chrome. Important difference.
The real reason Apple decided to unbundle Flash was that Flash is patched quite often to fix these vulnerabilities. So the time between when a new version of OS X goes gold master and it lands on people's computers, there could be a major update for Flash. Better to download it when you need it rather than install a defunct version. Apple has no over-arching philosophical problem with a patched version of Flash running on a Mac. And considering a disc doesn't update itself, the older the install disc, the greater the risk. And when it comes to a possible download version of OS X Lion (or hopefully on a USB Stick rather than a DVD) then better to not download more than you absolutely need to.
Maybe they've added a second camera on the iPhone 4
The iPhone 4 does indeed have a front-facing camera called the "FaceTime camera". Several Android-powered phones also have a front-facing camera.
So that should only leave three major platforms.
Which are they? Remember that IE and other Windows-based browsers can be considered two separate platforms since IE dropped NPAPI support way back in version 5.5 SP2. I still count Windows ActiveX, Windows NPAPI, Mac OS X, Linux, iPhone 4, and Android.
Personally, I've never seen a need for a webcam in a web browser, aside from [...] video chat
You haven't seen a need because nobody has made a demonstration of what a webcam in a web browser can do, and nobody has made such a demonstration because neither Google nor anybody else has yet offered a webcam plug-in for all sites to use apart from Adobe. I'm sure there are more creative minds than myself who can think of applications for a webcam other than video chat.
An HTTP download (as opposed to a scatter protocol like torrent) is just a stream that gets saved to your disk instead of played as it xfers. A stream is just a download you decided not to save.
A stream is a download whose user interface makes it difficult to save a usable copy. The file name is random, the temporary folder to which it is saved is marked in the file manager as a "hidden" folder, and it might even be encrypted with a secret key that isn't saved to your disk.
The distinction lies only in the heads of pointy-hair bosses who don't understand what's really happening.
And these pointy-haired bosses are the owners of copyright who have licensed the setting, music, or other components for use in your work. Authors of derivative works have had to deal with licensors who misunderstand a medium ever since there was a medium to misunderstand.
Besides: half an hour to download the video and become disinterested on your site, or three minutes to watch a similar animation as it downloads on the other site? End users will still click away to the other site.
SVG sounds like it would work great here -- you should check out SMIL
According to caniuse.com, browser support for W3C's SMIL recommendation is far from universal. Firefox 3.6 didn't support it, and IE 9 still doesn't support it. Nor does Android Browser for phones support it. And what authoring tool for SVG+SMIL animations do you recommend?
XP is 10 years old this year.
And still in wide use. Any name-brand PC purchased even in 2006 will have come with Windows XP on it.
IE6 is well under 3% now and falling
I didn't say IE 6; I said IE on Windows XP, which by now should mean upgradable to IE 8, as opposed to IE 9. According to this page, IE 8 has 33.06%, IE 7 has 7.35%, IE 6 has 10.85%, and IE 9 has only 2.41%. What source did you use, so that I can see its own breakdown of IE 6 through 8 (which doesn't support SVG) vs. IE 9 (which does)?
The stream API, formerly called the <device> element, has zero browser support. Adobe Flash Player, on the other hand, runs on almost every desktop PC. It also runs on any Android device with an OS version that was current around the time they started putting front-facing cameras on phones.
if Safari (I said nothing about Mobile Safari)
So what should sites serve to Mobile Safari? A still image "We're sorry; Apple has chosen not to support unpatented video codecs on your device"?
can play any HTML5 video, why can't the "open" alternatives? Are they fundamentally broken?
The free web browsers have to run on Windows XP and GNU/Linux, which don't include a licensed H.264 decoder.
It won't happen until long after that. There are millions of XP installations around the world that do what their users want them to do.
I don't think users of PCs running Windows XP want their PCs to get compromised by criminals the day after Microsoft stops offering security patches for Windows XP. During the last year of official support for Windows XP, criminals will likely be stockpiling zero-day exploits in preparation to release them to the wild once support ends.
IE9 can play WebM HTML5 video - though you need to download the codec from Google.
From the point of view of an end user, what distinguishes a legit WebM codec for IE or desktop Safari from a fake antivirus posing as a codec needed to play a video?
If "NPAPI" hasn't been supported since IE5.5, then I think it's safe to say it can be neglected
Safari (desktop version), Firefox, Google Chrome, and Opera still use NPAPI plug-ins. So we have NPAPI for all those and ActiveX for IE.
the mobile-phone carriers simply won't allow it because it would go over the internet and not generate high per-minute fees for them
Video chat that goes over the Internet uses megabytes of traffic, which gets counted against the user's monthly Internet traffic allowance the same way that voice gets counted against the user's monthly voice allowance.
I don't think people would hesitate downloading things from Google web servers (though "this release is a technology preview" might)
Another thing that makes users hesitate is if the only user in the Administrators group is out of the house. In the common case, Flash Player is already installed, and Google Chrome Frame and Google's WebM plug-in aren't. Or can these plug-ins be installed to a single Limited User's account?
Why can't the free browsers use available decoders for HTML5 media?
First, decoders available to you might not be available to your viewers. Mozilla wants to ensure that if a web page works on one desktop platform, it works on all. For example, if a user on Windows 7 or Mac OS X makes a web page, and it uses a patented MPEG codec, it'll play on Windows 7 Home Premium, Windows Vista Home Premium, and Mac OS X, but not Windows XP, Windows Vista Home Basic, Windows Vista Business, Windows 7 Starter, or GNU/Linux. Supporting only free codecs across all operating systems ensures that an author can't accidentally make a web page OS-specific.
Second, one reason that HTML5 technologies are being developed in the first place is to replace native plug-ins. In general, browser makers don't want to get blamed for problems with untrusted third-party video decoders. A carefully malformed video could trigger a defect in the decoder that causes the browser to stop responding, unexpectedly quit, or even execute arbitrary code that discloses or destroys the user's files. A browser maker can respond quickly to protect users with a repaired decoder if and only if the codec is built into the browser.
Now, so far as I know, MF codecs need registry entries to be located, and writing those does require admin permission.
So if I've made video in a free format about MF snakes on an MF plane, and want my audience to see the video, what's the best solution to deploy Google's MF codecs to the MF registry?