Slashdot Mirror
Google Engineers Deny Hack Exploited Chrome
CWmike writes "Several Google security engineers have countered claims that a French security company, Vupen, found a vulnerability in Chrome that could let attackers hijack Windows PCs running the company's browser. Instead, those engineers said the bug Vupen exploited to hack Chrome was in Adobe's Flash, which Google has bundled with the browser for over a year. Google's official position, however, has not changed since Vupen said it had sidestepped not only the browser's built-in 'sandbox' but also by evading Windows 7's integrated anti-exploit technologies. But others who work for Google were certain that at least one of the flaws Vupen exploited was in Flash's code, not Chrome's. 'As usual, security journalists don't bother to fact check,' said Tavis Ormandy, a Google security engineer, in a tweet earlier Wednesday. 'Vupen misunderstood how sandboxing worked in Chrome, and only had a Flash bug.' Chris Evans, a Google security engineer and Chrome team lead, tweeted, 'It's a legit pwn, but if it requires Flash, it's not a Chrome pwn.'"
I thought the main reason Google had taken to distributing flash with Chrome was so they could sandbox it better than the regular shared version of flash the other browsers use? And better keep it up to date, as well, but mainly the former.
I guess I was mistaken.
All the Malware/Virus problems windows has that can be attributed to 3rd party programs, this means now Microsoft is vindicated? My question is, does this Flash exploit work in other browsers? Or does it specifically take advantage of something wrong with Chrome? Cos if it's the latter, then whether it's a "Flash problem" or not, it still means Chrome is the vector.