Slashdot Mirror


Researcher Claims To Have Chrome Zero-Day, Google Says "Prove It"

chicksdaddy writes "Google's been known to pay $60,000 for information on remotely exploitable vulnerabilities in its Chrome web browser. So, when a researcher says that he has one, but isn't interested in selling it, eyebrows get raised. And that's just what's happening this week, with Google saying it will wait and see what Georgian researcher Ucha Gobejishvili has up his sleeve in a presentation on Saturday at the Malcon conference in New Delhi. Gobejishvili has claimed that he will demonstrate a remotely exploitable hole in the Chrome web browser at Malcon. He described the security hole in Chrome as a 'critical vulnerability' in a Chrome DLL. 'It has silent and automatically (sp) download function and it works on all Windows systems,' he told Security Ledger. However, more than a few questions hang over Gobejishvili's talk. The researcher said he discovered the hole in July, but hasn't bothered to contact Google. He will demonstrate the exploit at MalCon, and have a 'general discussion' about it, but won't release source code for it. 'I know this is a very dangerous issue that's why I am not publishing more details about this vulnerability,' he wrote. Google said that, with no information on the hole, it can only wait to hear the researcher's Malcon presentation before it can assess the threat to Chrome users."

7 of 106 comments

  1. Certainly has a legitimate track record by Tontoman · Score: 3, Insightful

    He certainly has a history of uncovering exploits. Here are his youtube videos: http://www.youtube.com/user/longrifle0x

    1. Re:Certainly has a legitimate track record by Anonymous Coward · Score: 5, Insightful

      He's doing it for fame, not for profit. By selling out a single hole, he gets a one-time check. By talking about it in the abstract, he gets attention. Perhaps a lot of attention, and people listening to him speak. Some people value attention more than money.

    2. Re:Certainly has a legitimate track record by Anonymous Coward · Score: 5, Insightful

      Sorry, but this is one of the most clueless security researchers on the planet.

      See https://code.google.com/p/chromium/issues/detail?id=108651

    3. Re:Certainly has a legitimate track record by Pieroxy · Score: 3, Insightful

      And Google staff has a great temper on that one. I would have pointed out "Programming for Dummies" to the guy straight out and I would have banned him from my bug tracker. I mean, by this bug alone you can see the guy is utterly clueless about CS in general.

    4. Re:Certainly has a legitimate track record by WindBourne · Score: 1, Insightful

      I would suggest keeping in mind that some people are not native English speakers, and therefore make more mistakes.
      However, I do not believe that is the case here.

      --
      I prefer the "u" in honour as it seems to be missing these days.
  2. Clueless by Anonymous Coward · Score: 2, Insightful

    Maybe he's talking about this lol. Or maybe this one. tl;dr dude is clueless.

  3. Re:Fermat's Last Exploit by Anonymous Coward · Score: 2, Insightful

    I don't think the repliers got the Fermat's reference :)