Slashdot Mirror
Google Engineers Deny Hack Exploited Chrome

CWmike writes "Several Google security engineers have countered claims that a French security company, Vupen, found a vulnerability in Chrome that could let attackers hijack Windows PCs running the company's browser. Instead, those engineers said the bug Vupen exploited to hack Chrome was in Adobe's Flash, which Google has bundled with the browser for over a year. Google's official position, however, has not changed since Vupen said it had sidestepped not only the browser's built-in 'sandbox' but also Windows 7's integrated anti-exploit technologies. But others who work for Google were certain that at least one of the flaws Vupen exploited was in Flash's code, not Chrome's. 'As usual, security journalists don't bother to fact check,' said Tavis Ormandy, a Google security engineer, in a tweet earlier Wednesday. 'Vupen misunderstood how sandboxing worked in Chrome, and only had a Flash bug.' Chris Evans, a Google security engineer and Chrome team lead, tweeted, 'It's a legit pwn, but if it requires Flash, it's not a Chrome pwn.'"

9 of 244 comments

  1. flash is malware/adware by Haven · · Score: 3, Insightful

    Time to treat it as such.

    1. Re:flash is malware/adware by NoSleepDemon · · Score: 4, Insightful

      Being one of those not so rare Flash developers that hates Flash, I would indeed care to speculate.

      Our investigation begins no further than the massive kludge that is the Flash interface. The program has been designed for both developers and designers alike, and where the two meet, there are dragons... and exploits. The Flash IDE suffers from some truly awful bugs (dragging tabs, resizing tweens, replacing text in the text editor to name but a few), then there are the game breakers like font positions appearing differently on PC vs Mac. So Adobe's difficulty in creating a program that unifies two different ways of thinking is already apparent.

      Putting aside sloppy interface design, a big problem with Flash is that AS3 has still not been adopted by the majority of 'developers'; IAB standards in fact mandate the use of Flash Player version 8, which uses AS2 / ActionScript Virtual Machine 1. One of their reasons is that Flash 9 is too slow (rubbish, it's 10x faster). So because AS3 is not the standard, each and every time you run Flash Player, you're also running Flash Player with support for Flash all the way down to version 1 (which was shaky to begin with), and all the bugs that entails. Simply put, Flash is too much of a clusterfuck to fix; we're basically looking at AS2 being the IE6 of Flash.

      This link goes in depth about exploits in Flash: http://events.ccc.de/congress/2008/Fahrplan/events/2596.en.html There was a video to it as well, but I can't seem to find it right now. The sheer ease with which Flash can be exploited is actually quite horrifying.

  2. If it compromises a bundled runtime... by manonthemoon · · Score: 4, Insightful

    it's a Chrome "pwn". If you bundle it, you own it. You see Apple going the opposite direction by un-bundling Flash because it didn't want to own the security issues and battery draining properties associated with it. They recognized their brand was getting tarnished via that association and decided to make Adobe stand on their own.

    1. Re:If it compromises a bundled runtime... by Rogerborg · · Score: 5, Insightful

      Agreed. This isn't accidental, and Google aren't the victims here. If you benefit from shovelling a steaming pile of crap, you get to eat a piece of it from time to time.

      The problem here is that Flash is either a "plugin" or it isn't. If they decide that it is a plugin, then it is Chrome, and it's Google's problem. If they decide it's not a plugin, they should stop calling it one and letting it auto-run whatever content Joe Malware is serving up.

      But if they don't even acknowledge that there's a problem, then how on earth do they intend to solve it?

      --
      If you were blocking sigs, you wouldn't have to read this.
  3. Pointing fingers won't help by Anne+Honime · · Score: 4, Insightful

    If Google bundles Flash with Chrome and the user is exposed to an exploit, then it's pretty much Google's responsibility for letting this happen in the first place. Doesn't invalidate VUPEN's claim one bit, as every Chrome installation is still susceptible to direct exploitation.

  4. Interesting perspective, Google by idontgno · · Score: 5, Insightful

    You're saying Flash, running "inside" Chrome, is by definition outside of Chrome's sandbox? So it's not Chrome's fault, it's Flash's?

    Wrong. Flash is running inside the browser, the browser is running inside the OS, and the OS is running on the hardware. Clean encapsulation, and any leakage from one layer to the other is per definitionem the responsibility of the leaking layer.* So Flash is leaking through Chrome to the OS. Deal with it and stop lying.

    *BTW, GOOG, if you engineered it so that Flash runs "alongside" the browser, and not within the sandbox... you fail it. Your sandbox is worthless, your browser is worthless, and your word is less than worthless.

    --
    Welcome to the Panopticon. Used to be a prison, now it's your home.

    1. Re:Interesting perspective, Google by Anonymous Coward · · Score: 5, Insightful

      The original blog post notes that the sandbox for Flash is a "first iteration" and that there is "more work to be done". NPAPI plugins are a huge pain point for browser security since they've traditionally been able to do whatever they want; just throwing them in the normal Chrome sandbox would break them. Sandboxing a plugin like Flash happens in several steps.

      Does the initial sandbox have holes? Yes. Does it reduce the attack surface though? Yes. Is it going to be improved further to close those holes? Yes.

  5. don't bundle by fermion · · Score: 4, Insightful

    Years ago Flash was actively bundled with Safari on Apple. It was so bundled that when one updated Safari, Flash would be restored. It was impossible to remove Flash from an Apple computer because once Flash was on the computer, it infected all browsers. The issue, for those who love Flash, was that the number of Flash components on a web page often overwhelmed my computer. Of course when Camino had Flash blocking, Apple autoloads of Flash were not an issue.

    The Google response reminds me of when MS was in the habit of using PR to quash security reports instead of writing good code. Someone would come up with an exploit and MS would say it was not a well configured, updated system, so fixing the code that fell to the exploit was not the responsibility of MS. The security people would then run the exploit again with a fresh out of the box installation with all updates, and the machine would again be compromised. MS would then respond by saying that the user could easily configure the machine to not fall to the exploit, so it was a user issue and not an MS issue. The thing is, if the out of the box configuration is not secure, then the machine is not secure. If an Android phone comes with Flash out of the box, and Flash is not secure, then the machine is not secure. It does not matter how fancy and pretty and secure the rest of the code may be.

    --
    "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black

  6. Flash sandboxed in only DEV version by Anonymous Coward · · Score: 0, Insightful

    It was never stated whether this exploit works for Chrome dev or stable. In dev, Flash has finally been sandboxed.

    If it manages to bypass the sandbox in DEV, then yeah, it's a bug in Chrome.

    Otherwise, if it only works for stable, then it's simply a matter of time before dev is pushed to stable. It's well known that Flash has a variety of security issues, so it's not much of a surprise. Google's reason for bundling Flash remains valid. Remember, this site does not represent the norm, where Flash exists on over 95% of all users' machines whether Google bundles it or not. Google's main reason was to make it easier to keep Flash up to date. Not much Google can do with 0-day exploits for Flash other than get the update to users as fast as possible when Adobe fixes it.