Google Engineers Deny Hack Exploited Chrome
CWmike writes "Several Google security engineers have countered claims that a French security company, Vupen, found a vulnerability in Chrome that could let attackers hijack Windows PCs running the company's browser. Instead, those engineers said the bug Vupen exploited to hack Chrome was in Adobe's Flash, which Google has bundled with the browser for over a year. Google's official position, however, has not changed since Vupen said it had sidestepped not only the browser's built-in 'sandbox' but also Windows 7's integrated anti-exploit technologies. But others who work for Google were certain that at least one of the flaws Vupen exploited was in Flash's code, not Chrome's. 'As usual, security journalists don't bother to fact check,' said Tavis Ormandy, a Google security engineer, in a tweet earlier Wednesday. 'Vupen misunderstood how sandboxing worked in Chrome, and only had a Flash bug.' Chris Evans, a Google security engineer and Chrome team lead, tweeted, 'It's a legit pwn, but if it requires Flash, it's not a Chrome pwn.'"
Time to treat it as such.
It's a Chrome "pwn". If you bundle it, you own it. You see Apple going the opposite direction by un-bundling Flash because it didn't want to own the security issues and battery-draining properties associated with it. They recognized their brand was getting tarnished via that association and decided to make Adobe stand on their own.
If Google bundles Flash with Chrome and the user is exposed to an exploit, then it's pretty much Google's responsibility for letting this happen in the first place. Doesn't invalidate VUPEN's claim one bit, as every Chrome installation is still susceptible to direct exploitation.
You're saying Flash, running "inside" Chrome, is by definition outside of Chrome's sandbox? So it's not Chrome's fault, it's Flash's?
Wrong. Flash is running inside the browser, the browser is running inside the OS, and the OS is running on the hardware. Clean encapsulation, and any leakage from one layer to the other is per definitionem the responsibility of the leaking layer.* So Flash is leaking through Chrome to the OS. Deal with it and stop lying.
*BTW, GOOG, if you engineered it so that Flash runs "alongside" the browser, and not within the sandbox... you fail it. Your sandbox is worthless, your browser is worthless, and your word is less than worthless.
Welcome to the Panopticon. Used to be a prison, now it's your home.
I thought the main reason Google had taken to distributing flash with Chrome was so they could sandbox it better than the regular shared version of flash the other browsers use? And better keep it up to date, as well, but mainly the former.
I guess I was mistaken.
A company takes care to actually go through code, assembly, source, any means really, figure out a hack that's specific to Chrome ... and somehow, they are the ones misunderstanding the code. Somehow that answer doesn't satisfy me :)
Also, the answer would be equivalent to having my code use Sqlite as a dll, I bundle it in my package, I install it, it's mine ... but somehow when someone hacks my application through a (very theoretical - example only! move on trolls ;) ) sqlite bug, I would have the exit door saying "oh yes, you can hack my app, it's defenseless, but it's not my fault, it's sqlite here! *points*"
Please ... Chrome ... You bundle it, you vouch by it, you got hacked, you recognized, don't start making excuses please. It's no big deal, it's only a bug, like there are countless in ALL applications throughout the world.
All the Malware/Virus problems windows has that can be attributed to 3rd party programs, this means now Microsoft is vindicated? My question is, does this Flash exploit work in other browsers? Or does it specifically take advantage of something wrong with Chrome? Cos if it's the latter, then whether it's a "Flash problem" or not, it still means Chrome is the vector.
It's a legit pwn, but if it requires Flash, it's not a Chrome pwn.
If the dike fails and the land gets flooded, who cares if the dike was earth or stone? The point is that the place is flooded.
And that analogy is apropos considering what's going down here.
I call it 'The Aristocrats'
"It's a legit pwn, but if it requires Flash, it's not a Chrome pwn. Do Java bugs count as a Chrome pwn too, because we support NPAPI?"
The Google response reminds me of when MS was in the habit of using PR to quash security reports instead of writing good code. Someone would come up with an exploit and MS would say it was not a well-configured, updated system, so fixing the code that fell to the exploit was not the responsibility of MS. The security people would then run the exploit again with a fresh out-of-the-box installation with all updates, and the machine would again be compromised. MS would then respond by saying that the user could easily configure the machine to not fall to the exploit, so it was a user issue and not an MS issue. The thing is that if the out-of-the-box configuration is not secure, then the machine is not secure. If an Android phone comes with Flash out of the box, and Flash is not secure, then the machine is not secure. It does not matter how fancy and pretty and secure the rest of the code may be.
"She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
As an uninterested third party (I didn't really read the article, just the thread) who writes code for a living, the person responsible for the bug is the one who wrote the code, and the person you complain about the bug to is the one who makes the change to the code to fix it.
So who employs the person who hopefully fixes this bug at some point?
Anything short of running in a VM (hardware-supported or purely in software) is not a "sandbox" in my book.
It is a Chrome flaw introduced by Google's use of the word "sandboxed" that really doesn't imply a sandbox at all.
Additionally, compiling JS to machine code and having Chrome execute that data is not "sandboxing" either.
A flaw in my VM's interpreter that allows code to escape the sandbox is one thing; running non-virtualized machine code that itself can be exploited is quite another.
At some point, you must stop, wipe your brow, and consider your trek through the desert -- Is there really an edge to this sandbox? Did I miss the line drawn in the wind-swept sand or have I been lied to yet again?
Will Chrome OS bundle flash or allow it to install?
One of the selling points of Chrome OS is the security. If someone can PWN my laptop and keylog my user-level password remotely, then having my data on the cloud is dangerous. Right now, even if someone compromises Flash, my computer is protected by multiple levels of user access controls and backups. With Chrome OS, once someone can access my account they can do it from anywhere without physical access.
This is not a gripe about the cloud as much as it is pointing out how you can't go around claiming the sandbox keeps you safe if your browser lets you punch holes in the sandbox. Because Chrome OS connects your cloud filesystem to your general browsing via the browser, it is more incumbent to secure it.
Right now, whenever IE or Firefox has some dangerous hole, I can switch to a different browser. But if I use Chrome OS I can't safely surf the web whatsoever until it is patched.
Some drink at the fountain of knowledge. Others just gargle.
What's bad is that Flash is actually an open specification (i.e., you can get the docs and read them for yourself, and implement your own flash viewer). Because of this, there's been not one, not two, but three free/open-source flash viewers: gnash, swfdec, and something else. I'm pretty sure the latter two have died out, but gnash is supposed to be the open-source replacement, yet in my experience it sucks just as much as Adobe's version: it creates tons of extra processes that never go away, and chews up CPU time like there's no tomorrow. I have to go manually kill all the gnash-player processes to keep my CPUs from being pegged.
Does anyone else find "pwn" to be fucking annoying?
The programmers at these companies are totally clueless when it comes to security.
You don't know that. Programmers just implement what they're told to implement. The people to blame are the software architects, and probably also the executives. If the executives wanted security to be a priority, they'd direct their architects to make it happen.
You can already view a lot of YouTube as HTML5 vids
Newly uploaded videos and some of the videos most popular among the general public have been transcoded to WebM, but transcoding the "long tail" will have to wait.
Then it is Google/Chrome's fault, and Google should quit bundling Flash and let Adobe maintain their plugins...
Politics is Treachery, Religion is Brainwashing
Chrome does or did support H.264. Safari will be an issue for a while but to work around it you can include two videos and then use browser detection to serve the one that you need.
Chrome Frame and/or just updating to Chrome or Firefox will do for XP users.
See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
the most popular use of Flash is video
But even once video is converted to HTML5, several remain:
How do you recommend making those with HTML5 technologies?
Headline length is limited, and "pwn" saves four characters vs. "exploit".
Google admits this seems to be a real attack but it seems to be a Flash exploit. Since Flash seems to be an utter piece of sh^H^H not-so-good program, they've sandboxed it somewhat to get rid of a lot of attack vectors. However, in TFA they're publicly stating that their sandbox isn't perfect and that it won't stop all attacks. Google's Flash sandbox is better than nothing but it ain't perfect.
What I really think is the issue here is this French security firm that admittedly has a new zero-day against Flash and a way of compromising the Google Flash sandbox, and they refuse to let Google or Adobe fix it. Instead, they've decided to profit from it, selling the info to who knows what kind of organizations. That's immoral and should be downright illegal. Why isn't that the headline?
If it shipped in Chrome, it's code Google distributed. Google-pwn.
No matter how much you want it to be gone, Flash is like ActiveX and IE: a necessary piece of software for many production applications in use today. To take those pieces away means costing corporations several thousands if not millions in re-inventing their wheels. Corporations don't like to do that, and many IT budgets aren't fat enough to do it. No matter how much Steve Jobs bitches about it, his argument is irrelevant - at least at this point in time.
It will take the industry a good many years to shift away from their crappy software suite dependencies (IE, Flash, Active-X, etc, etc) but until that happens, we are stuck with Flash so let's just stop with all the whining.
boycott slashdot February 10th - 17th check out: altSlashdot.org
Even if it's Google to blame (arguable), I wouldn't call it a mess when it took ages to successfully bypass all its security features. If this is a mess, what description fits IE?
There's no patch for stupidity
This message does not seem very good for Chrome, does it? I do not like to use Chrome, because the plugin in Firefox for my work was not designed to be very handy.
I clicked on a link present in the google search page and this link installed malware on my computer. Wait, this is a problem in google search, it's not my browser's fault, do your fact checking first before accusing my browser.
Safari will play any audio/video codec that is supported by any of its plug-ins. HTML5 Ogg videos play just fine with the QuickTime Ogg Component.
Fandroids hate facts.
Chrome does or did support H.264.
Did; no longer does. Any installed versions that did have been automatically updated to a version that no longer does.
Not quite - the built-in Flash will still happily play H.264-encoded Flash videos. Why do people always ignore that most Flash videos now use that codec?
Fandroids hate facts.
Because the discussion was about the HTML5 audio/video tags, toward the goal of specifically eliminating Flash.
You do not have a moral or legal right to do absolutely anything you want.
It won't happen until long after that. There are millions of XP installations around the world that do what their users want them to do. They won't be upgrading any time soon. IE9 not being on XP is fucking annoying for those of us who will need to support two versions of IE for a long time, just as we were seeing off IE6 and 7.
Sorry guys but if you're going to fully integrate Flash into your browser you have to take ownership for any problems that arise as a result. You're integrating it, you're shipping it, it's up to you to QA the entirety of your release.
On another note, Chrome integration of Flash is the #1 reason I stick with Firefox.
Because the discussion was about the HTML5 audio/video tags, toward the goal of specifically eliminating Flash.
If all it takes for Google to sort-of support H.264 is someone to pay for it, they could ask someone to sponsor it - like, say, Yahoo, or a bigger competitor of Yahoo maybe.
Fandroids hate facts.
HTML5 Ogg videos play just fine with the QuickTime Ogg Component.
The last time I checked, the QuickTime Ogg Component was not available for iOS.
No, but if Safari (I said nothing about Mobile Safari) can play any HTML5 video, why can't the "open" alternatives? Are they fundamentally broken?
Fandroids hate facts.
You integrated Flash into the god-damn browser, that makes it a browser vulnerability.
HTML5 audio and video are a mess. No audio and video codec works in all browsers. The pack-in browsers (IE and Safari) use only patented MPEG-family codecs.
I don't know about Safari, but IE9 can play WebM HTML5 video - though you need to download the codec from Google.
But Flash doesn't work at all on iOS, and it is really not great on Android. Yes, I am an Android user, and it fails a lot and is slow even on my phone, which is an Evo 4G.
Flash has no future. Adobe now has an HTML 5 authoring tool and more will come. Flash will linger for a while, but HTML 5 works on IE9, Safari, Chrome, Opera, and Firefox. It works on the PC and in the mobile space. With Google pushing more and more into the enterprise space, I expect Chrome and Chrome Frame to get a big foothold there. Frankly, with the security issues with Flash, I would bet that nobody wants a Flash-free world more than most enterprise IT people.
See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
If CEOs knew what seasoned developers know about Microsoft, they would run away in fear.
If normal people knew what developers know about software, civilization would collapse.
Yep, it's like getting a tour of a hotdog factory.
Depends...
If you link statically, then yes, it's your bug.
If you link dynamically, then no, it's not your bug.
I am not saying who caused it, mind. Just that by packaging it into your code, you are the one who gets to handle the bug.
As Google is packaging Flash, it's a Chrome bug, but not a bug in Chrome. Important difference.
Maybe they've added a second camera on the iPhone 4
The iPhone 4 does indeed have a front-facing camera called the "FaceTime camera". Several Android-powered phones also have a front-facing camera.
So that should only leave three major platforms.
Which are they? Remember that IE and other Windows-based browsers can be considered two separate platforms since IE dropped NPAPI support way back in version 5.5 SP2. I still count Windows ActiveX, Windows NPAPI, Mac OS X, Linux, iPhone 4, and Android.
Personally, I've never seen a need for a webcam in a web browser, aside from [...] video chat
You haven't seen a need because nobody has made a demonstration of what a webcam in a web browser can do, and nobody has made such a demonstration because neither Google nor anybody else has yet offered a webcam plug-in for all sites to use apart from Adobe. I'm sure there are more creative minds than myself who can think of applications for a webcam other than video chat.
An HTTP download (as opposed to a scatter protocol like torrent) is just a stream that gets saved to your disk instead of played as it xfers. A stream is just a download you decided not to save.
A stream is a download whose user interface makes it difficult to save a usable copy. The file name is random, the temporary folder to which it is saved is marked in the file manager as a "hidden" folder, and it might even be encrypted with a secret key that isn't saved to your disk.
The distinction lies only in the heads of pointy-hair bosses who don't understand what's really happening.
And these pointy-haired bosses are the owners of copyright who have licensed the setting, music, or other components for use in your work. Authors of derivative works have had to deal with licensors who misunderstand a medium ever since there was a medium to misunderstand.
Besides: half an hour to download the video and become disinterested on your site, or three minutes to watch a similar animation as it downloads on the other site? End users will still click away to the other site.
SVG sounds like it would work great here -- you should check out SMIL
According to caniuse.com, browser support for W3C's SMIL recommendation is far from universal. Firefox 3.6 didn't support it, and IE 9 still doesn't support it. Nor does Android Browser for phones support it. And what authoring tool for SVG+SMIL animations do you recommend?
XP is 10 years old this year.
And still in wide use. Any name-brand PC purchased even in 2006 will have come with Windows XP on it.
IE6 is well under 3% now and falling
I didn't say IE 6; I said IE on Windows XP, which by now should mean upgradable to IE 8, as opposed to IE 9. According to this page, IE 8 has 33.06%, IE 7 has 7.35%, IE 6 has 10.85%, and IE 9 has only 2.41%. What source did you use, so that I can see its own breakdown of IE 6 through 8 (which doesn't support SVG) vs. IE 9 (which does)?
The stream API, formerly called the <device> element, has zero browser support. Adobe Flash Player, on the other hand, runs on almost every desktop PC. It also runs on any Android device with an OS version that was current around the time they started putting front-facing cameras on phones.
if Safari (I said nothing about Mobile Safari)
So what should sites serve to Mobile Safari? A still image "We're sorry; Apple has chosen not to support unpatented video codecs on your device"?
can play any HTML5 video, why can't the "open" alternatives? Are they fundamentally broken?
The free web browsers have to run on Windows XP and GNU/Linux, which don't include a licensed H.264 decoder.
It won't happen until long after that. There are millions of XP installations around the world that do what their users want them to do.
I don't think users of PCs running Windows XP want their PCs to get compromised by criminals the day after Microsoft stops offering security patches for Windows XP. During the last year of official support for Windows XP, criminals will likely be stockpiling zero-day exploits in preparation to release them to the wild once support ends.
IE9 can play WebM HTML5 video - though you need to download the codec from Google.
From the point of view of an end user, what distinguishes a legit WebM codec for IE or desktop Safari from a fake antivirus posing as a codec needed to play a video?
If "NPAPI" hasn't been supported since IE5.5, then I think it's safe to say it can be neglected
Safari (desktop version), Firefox, Google Chrome, and Opera still use NPAPI plug-ins. So we have NPAPI for all those and ActiveX for IE.
the mobile-phone carriers simply won't allow it because it would go over the internet and not generate high per-minute fees for them
Video chat that goes over the Internet uses megabytes of traffic, which gets counted against the user's monthly Internet traffic allowance the same way that voice gets counted against the user's monthly voice allowance.
I don't think people would hesitate downloading things from Google web servers (though "this release is a technology preview" might)
Another thing that makes users hesitate is if the only user in the Administrators group is out of the house. In the common case, Flash Player is already installed, and Google Chrome Frame and Google's WebM plug-in aren't. Or can these plug-ins be installed to a single Limited User's account?
Why can't the free browsers use available decoders for HTML5 media?
First, decoders available to you might not be available to your viewers. Mozilla wants to ensure that if a web page works on one desktop platform, it works on all. For example, if a user on Windows 7 or Mac OS X makes a web page, and it uses a patented MPEG codec, it'll play on Windows 7 Home Premium, Windows Vista Home Premium, and Mac OS X, but not Windows XP, Windows Vista Home Basic, Windows Vista Business, Windows 7 Starter, or GNU/Linux. Supporting only free codecs across all operating systems ensures that an author can't accidentally make a web page OS-specific.
Second, one reason that HTML5 technologies are being developed in the first place is to replace native plug-ins. In general, browser makers don't want to get blamed for problems with untrusted third-party video decoders. A carefully malformed video could trigger a defect in the decoder that causes the browser to stop responding, unexpectedly quit, or even execute arbitrary code that discloses or destroys the user's files. A browser maker can respond quickly to protect users with a repaired decoder if and only if the codec is built into the browser.
Now, so far as I know, MF codecs need registry entries to be located, and writing those does require admin permission.
So if I've made video in a free format about MF snakes on an MF plane, and want my audience to see the video, what's the best solution to deploy Google's MF codecs to the MF registry?
H.264 in Flash is still Flash.
You still need to add fallback code for the Flash OBJECT inside the HTML5 VIDEO.
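One way to lay out that fallback, as an added example that is not from this thread: a JavaScript helper that orders the HTML5 sources by what the browser reports through canPlayType (WebM/Ogg for the free browsers, H.264 MP4 for Safari and IE9) and nests a Flash OBJECT inside the VIDEO element so a browser without HTML5 video still gets the H.264 file via Flash. The clip file names, the player SWF and its flashvars convention are constructed placeholders and depend on the Flash player you actually deploy.

```javascript
// Added example, not from the thread. Builds an HTML5 <video> whose <source>
// list is ordered by what the browser says it can play, with a Flash <object>
// nested inside as the fallback for browsers that lack <video> entirely.
// File names and the Flash player SWF below are constructed placeholders.

const SAMPLE_SOURCES = [
  { src: "clip.webm", type: 'video/webm; codecs="vp8, vorbis"' },
  { src: "clip.ogv",  type: 'video/ogg; codecs="theora, vorbis"' },
  { src: "clip.mp4",  type: 'video/mp4; codecs="avc1.42E01E, mp4a.40.2"' },
];

// Rank canPlayType answers: "probably" beats "maybe" beats "" (unsupported).
const RANK = { probably: 2, maybe: 1, "": 0 };

// canPlayType mirrors HTMLMediaElement.canPlayType; in a browser you would pass
// a function wrapping document.createElement("video").canPlayType(type).
function orderSources(canPlayType, sources = SAMPLE_SOURCES) {
  return sources
    .map((s, i) => ({ s, i, rank: RANK[canPlayType(s.type)] ?? 0 }))
    .filter((x) => x.rank > 0)
    .sort((a, b) => b.rank - a.rank || a.i - b.i) // keep author order on ties
    .map((x) => x.s);
}

// Escape attribute values so a file name cannot break out of the markup.
function escapeAttr(v) {
  return String(v)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Returns the <video> markup. The Flash <object> sits inside <video>: an
// HTML5-capable browser ignores it once a <source> plays; an older browser
// renders it and Flash decodes the same H.264 file the MP4 <source> points at.
function buildPlayerMarkup(canPlayType, opts = {}) {
  const { swf = "player.swf", mp4 = "clip.mp4", sources = SAMPLE_SOURCES } = opts;
  const sourceTags = orderSources(canPlayType, sources)
    .map((s) => `  <source src="${escapeAttr(s.src)}" type="${escapeAttr(s.type)}">`)
    .join("\n");
  const flash = [
    `  <object type="application/x-shockwave-flash" data="${escapeAttr(swf)}">`,
    // "file=" flashvar is an assumed convention of the placeholder player SWF.
    `    <param name="flashvars" value="file=${encodeURIComponent(mp4)}">`,
    `    <p>Your browser supports neither HTML5 video nor Flash.</p>`,
    `  </object>`,
  ].join("\n");
  return `<video controls>\n${sourceTags}${sourceTags ? "\n" : ""}${flash}\n</video>`;
}
```

In a page you would call buildPlayerMarkup with a wrapper around a real video element's canPlayType and insert the result into the DOM; a browser with no HTML5 video support yields an empty source list and only the Flash OBJECT.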