Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Engineers Deny Hack Exploited Chrome

Posted by samzenpus on from the pics-or-it-didn't-happen dept.

CWmike writes "Several Google security engineers have countered claims that a French security company, Vupen, found a vulnerability in Chrome that could let attackers hijack Windows PCs running the company's browser. Instead, those engineers said the bug Vupen exploited to hack Chrome was in Adobe's Flash, which Google has bundled with the browser for over a year. Google's official position, however, has not changed since Vupen said it had sidestepped not only the browser's built-in 'sandbox' but also by evading Windows 7's integrated anti-exploit technologies. But others who work for Google were certain that at least one of the flaws Vupen exploited was in Flash's code, not Chrome's. 'As usual, security journalists don't bother to fact check,' said Tavis Ormandy, a Google security engineer, in a tweet earlier Wednesday. 'Vupen misunderstood how sandboxing worked in Chrome, and only had a Flash bug.' Chris Evans, a Google security engineer and Chrome team lead, tweeted, 'It's a legit pwn, but if it requires Flash, it's not a Chrome pwn.'"

4 of 244 comments (clear)

  1. Interesting perspective, Google by idontgno · · Score: 5, Insightful

    You're saying Flash, running "inside" Chrome, is by definition outside of Chrome's sandbox? So it's not Chrome's fault, it's Flash's?

    Wrong. Flash is running inside the browser, the browser is running inside the OS, and the OS is running on the hardware. Clean encapsulation, and any leakage from one layer to the other is per definitionem the responsibility of the leaking layer.* So Flash is leaking through Chrome to the OS. Deal with it and stop lying.

    *BTW, GOOG, if you engineered it so that Flash runs "alongside" the browser, and not within the sandbox... you fail it. Your sandbox is worthless, your browser is worthless, and your word is less than worthless.

    --
    Welcome to the Panopticon. Used to be a prison, now it's your home.
    1. Re:Interesting perspective, Google by Anonymous Coward · · Score: 5, Insightful

      The original blog post notes that the sandbox for Flash is a "first iteration" and that there is "more work to be done". NPAPI plugins are a huge pain point for browser security since they've traditionally been able to do whatever they want; just throwing them in the normal Chrome sandbox would break them. Sandboxing a plugin like Flash happens in several steps.

      Does the initial sandbox have holes? Yes. Does it reduce the attack surface though? Yes. Is it going to be improved further to close those holes? Yes.

  2. Re:If it compromises a bundled runtime... by Rogerborg · · Score: 5, Insightful

    Agreed. This isn't accidental, and Google aren't the victims here. If you benefit from shovelling a steaming pile of crap, you get to eat a piece of it from time to time.

    The problem here is that Flash is either a "plugin" or it isn't. If they decide that it is a plugin, then it is Chrome, and it's Google's problem. If they decide it's not a plugin, they should stop calling it one and letting it auto-run whatever content Joe Malware is serving up.

    But if they don't even acknowledge that there's a problem, then how on earth do they intend to solve it?

    --
    If you were blocking sigs, you wouldn't have to read this.
  3. Re:Missed the point by Anonymous Coward · · Score: 5, Informative

    They do, but the sandbox for Flash is complete yet.

    They're right in that this is a flash vulnerability; it's exploitable regardless of which browser you're actually using. Marking it as a Chrome vulnerability does everyone a disservice by making people on other browsers think they're safe.