Slashdot Mirror


Researcher Claims To Have Chrome Zero-Day, Google Says "Prove It"

chicksdaddy writes "Google's been known to pay $60,000 for information on remotely exploitable vulnerabilities in its Chrome web browser. So, when a researcher says that he has one, but isn't interested in selling it, eyebrows get raised. And that's just what's happening this week, with Google saying it will wait and see what Georgian researcher Ucha Gobejishvili has up his sleeve in a presentation on Saturday at the Malcon conference in New Delhi. Gobejishvili has claimed that he will demonstrate a remotely exploitable hole in the Chrome web browser at Malcon. He described the security hole in Chrome as a 'critical vulnerability' in a Chrome DLL. 'It has silent and automatically (sp) download function and it works on all Windows systems,' he told Security Ledger. However, more than a few questions hang over Gobejishvili's talk. The researcher said he discovered the hole in July, but hasn't bothered to contact Google. He will demonstrate the exploit at MalCon, and have a 'general discussion' about it, but won't release source code for it. 'I know this is a very dangerous issue that's why I am not publishing more details about this vulnerability,' he wrote. Google said that, with no information on the hole, it can only wait to hear the researcher's Malcon presentation before it can assess the threat to Chrome users."

3 of 106 comments

  1. Re:Certainly has a legitimate track record by __aaqvdr516 · Score: -1, Flamebait

    I'm getting a Google Error 500 (Server Error). I guess that's appropriate for an AC attempting to "call out" a security researcher?

  2. it works on all Windows systems by Anonymous Coward · Score: -1, Flamebait

    Of course their security is defective.

    Which part of "Microsoft Product" did you not understand?

  3. Re:Certainly has a legitimate track record by jafiwam · Score: -1, Flamebait

    I particularly like this part from his bug report:

    VERSION Chrome Version:Ubuntu 11.4 version Operating System: [Ubuntu 11.4]

    Man, I love that version of Chrome. What do you call a security researcher who can't even identify his platform in his bug reports?

    That's a line-follow error, not an "I don't know what Chrome Version means" error. The response is in response to the line below.

    That shows the guy didn't check his work and isn't detail oriented. That does imply things about what he can do to find a security hole in a .DLL, but it's not what you make it out to be.

    The guy is from Georgia, that's all I need to know about fraud and idiocy in this case. There's nothing coming out of former Soviet Bloc countries but spam, fraud, and other illegal thuggery crap. All the smart or moral folks left long ago.