Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Engineers Deny Hack Exploited Chrome

Posted by samzenpus on from the pics-or-it-didn't-happen dept.

CWmike writes "Several Google security engineers have countered claims that a French security company, Vupen, found a vulnerability in Chrome that could let attackers hijack Windows PCs running the company's browser. Instead, those engineers said the bug Vupen exploited to hack Chrome was in Adobe's Flash, which Google has bundled with the browser for over a year. Google's official position, however, has not changed since Vupen said it had sidestepped not only the browser's built-in 'sandbox' but also by evading Windows 7's integrated anti-exploit technologies. But others who work for Google were certain that at least one of the flaws Vupen exploited was in Flash's code, not Chrome's. 'As usual, security journalists don't bother to fact check,' said Tavis Ormandy, a Google security engineer, in a tweet earlier Wednesday. 'Vupen misunderstood how sandboxing worked in Chrome, and only had a Flash bug.' Chris Evans, a Google security engineer and Chrome team lead, tweeted, 'It's a legit pwn, but if it requires Flash, it's not a Chrome pwn.'"

2 of 244 comments (clear)

  1. Re:Interesting perspective, Google by Anonymous Coward · · Score: 4, Funny

    You're saying Flash, running "inside" Chrome, is by definition outside of Chrome's sandbox? So it's not Chrome's fault, it's Flash's?

    Wrong. Flash is running inside the browser, the browser is running inside the OS, and the OS is running on the hardware. Clean encapsulation, and any leakage from one layer to the other is per definitionem the responsibility of the leaking layer.* So Flash is leaking through Chrome to the OS. Deal with it and stop lying.

    *BTW, GOOG, if you engineered it so that Flash runs "alongside" the browser, and not within the sandbox... you fail it. Your sandbox is worthless, your browser is worthless, and your word is less than worthless.

    Wow man, it's a fucking browser bug. They didn't come to your house and kick your dog.

    Wait...wait...Did Facebook pay you to post this?

  2. Re:Interesting perspective, Google by b4dc0d3r · · Score: 4, Funny

    Since you used italicized Latin and referred to the company by their stock ticker symbol, I award your opinion extra weight. That you used an asterisked footnote to avoid ordering your thoughts coherently implies you are exactly the sort of free-thinking individual the rest of us should strive to be.

    I don't suppose you have a newsletter I could subscribe to?