Slashdot Mirror


Researcher Claims To Have Chrome Zero-Day, Google Says "Prove It"

chicksdaddy writes "Google's been known to pay $60,000 for information on remotely exploitable vulnerabilities in its Chrome web browser. So, when a researcher says that he has one, but isn't interested in selling it, eyebrows get raised. And that's just what's happening this week, with Google saying it will wait and see what Georgian researcher Ucha Gobejishvili has up his sleeve in a presentation on Saturday at the Malcon conference in New Delhi. Gobejishvili has claimed that he will demonstrate a remotely exploitable hole in the Chrome web browser at Malcon. He described the security hole in Chrome as a 'critical vulnerability' in a Chrome DLL. 'It has silent and automatically (sp) download function and it works on all Windows systems,' he told Security Ledger. However, more than a few questions hang over Gobejishvili's talk. The researcher said he discovered the hole in July, but hasn't bothered to contact Google. He will demonstrate the exploit at MalCon, and have a 'general discussion' about it, but won't release source code for it. 'I know this is a very dangerous issue that's why I am not publishing more details about this vulnerability,' he wrote. Google said that, with no information on the hole, it can only wait to hear the researcher's Malcon presentation before it can assess the threat to Chrome users."


  1. Certainly has a legitimate track record by Tontoman · · Score: 3, Insightful

    He certainly has a history of uncovering exploits. Here are his youtube videos: http://www.youtube.com/user/longrifle0x

    1. Re:Certainly has a legitimate track record by Anonymous Coward · · Score: 5, Insightful

      He's doing it for fame, not for profit. By selling out a single hole, he gets a one-time check. By talking about it in the abstract, he gets attention. Perhaps a lot of attention, and people listening to him speak. Some people value attention more than money.

    2. Re:Certainly has a legitimate track record by Anonymous Coward · · Score: 5, Insightful

      Sorry, but this is one of the most clueless security researchers on the planet.

      See https://code.google.com/p/chromium/issues/detail?id=108651

    3. Re:Certainly has a legitimate track record by Anonymous Coward · · Score: 2, Interesting

      He's doing it for fame, not for profit. By selling out a single hole, he gets a one-time check. By talking about it in the abstract, he gets attention. Perhaps a lot of attention, and people listening to him speak. Some people value attention more than money.

      or maybe he just wants to advertise his product before setting the price

    4. Re:Certainly has a legitimate track record by trdtaylor · · Score: 5, Interesting

      He's advertising to sell to one of the big 0-day sellers in the world. Probably get a lot more than 60,000 for something this useful

    5. Re:Certainly has a legitimate track record by Anonymous Coward · · Score: 5, Interesting

      No, it just means Google had an error.

      The issue in question has this source code:

      <script>
      var cxrili=new Array("1337","longrifle0x?");
      var a=0;
      while (a=1)
      {
      document.write(cxrili[a])
      a++;
      }
      </script>

      Researcher claims this crashes chrome, turns out it just crashes the tab nicely with what they call a "sad" tab.

      Researcher then says: "Hmm.. really? I tested it on two other PC and got result." because he clearly didn't understand what they said.

      They then close the "bug".

      Nice ad hominem and appeal to authority though. Jackass.
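As an added illustration (not part of the original comment or of the Chromium report), here is a bounded replay of the reported loop showing why it is an out-of-memory condition rather than memory corruption. The counting sink that stands in for `document.write`, the step cap, and the `"bounded"` comparison variant are assumptions made for the replay.

```javascript
// Added example: replays the loop from the bug report outside a browser.
// document.write is replaced by a byte counter and the loop is capped,
// so the otherwise endless loop can be measured safely.
function replayLoop(mode, maxSteps) {
  const cxrili = new Array("1337", "longrifle0x?");
  const indexes = new Set();
  let bytes = 0;
  let steps = 0;
  let a = 0;

  // "reported": the condition from the report. `a = 1` is an assignment,
  // so it stores 1 in `a` and evaluates to 1 (truthy) on every pass,
  // undoing the `a++` of the previous iteration.
  // "bounded": a constructed comparison variant that stops at the array end.
  const cond = mode === "reported"
    ? () => (a = 1)
    : () => a < cxrili.length;

  while (cond() && steps < maxSteps) {
    indexes.add(a);                    // which element is being written
    bytes += String(cxrili[a]).length; // stand-in for document.write()
    a++;
    steps++;
  }

  return {
    hitCap: steps === maxSteps,
    indexes: [...indexes],
    bytes,
    // Every index stays inside the two-element array.
    inBounds: [...indexes].every((i) => i >= 0 && i < cxrili.length),
  };
}

// Triage helper: a loop that never leaves the array but never stops
// only consumes memory; it gives no control over what memory contains.
function triage(result) {
  if (result.hitCap && result.inBounds) {
    return "resource exhaustion (out of memory), not memory corruption";
  }
  return result.hitCap ? "non-terminating, needs review" : "terminates";
}

const reported = replayLoop("reported", 1000);
const bounded = replayLoop("bounded", 1000);
console.log(reported, triage(reported));
console.log(bounded, triage(bounded));
```

The reported variant only ever writes index 1, and its output grows linearly with the number of iterations until the cap; in a browser the same growth ends when the tab runs out of memory, which matches the "sad" tab described in the comment above.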

    6. Re:Certainly has a legitimate track record by LordLimecat · · Score: 4, Interesting

      I particularly like this part from his bug report:

      VERSION
      Chrome Version:Ubuntu 11.4 version
      Operating System: [Ubuntu 11.4]

      Man I love that version of chrome. What do you call a security researcher who can't even identify his platform in his bug reports?

    7. Re:Certainly has a legitimate track record by Justin_Schuh · · Score: 5, Informative
    8. Re:Certainly has a legitimate track record by mark-t · · Score: 1

      Personally, I think that he doesn't have something that Google would actually pay as much for as he'll get from the publicity he receives by making this announcement.

    9. Re:Certainly has a legitimate track record by dissy · · Score: 4, Informative

      I seriously doubt any of the big zero-day sellers (or buyers for that matter) would be interested in an "exploit" where you use JavaScript to change the *status bar* (Not address bar) to spoof what URL a link actually goes to.

      Yes, that really is what this person considers an exploit, and he has never discovered nor shown he understands anything more complex than that :P

    10. Re:Certainly has a legitimate track record by Pieroxy · · Score: 3, Insightful

      And Google staff has a great temper on that one. I would have pointed out "Programming for Dummies" to the guy straight out and I would have banned him from my bug tracker. I mean, by this bug alone you can see the guy is utterly clueless about CS in general.

    11. Re:Certainly has a legitimate track record by hairyfeet · · Score: 1

      Actually he can make more money off the bug by selling his services for lectures and consulting than he can by just selling it to Google. Having a rep of finding vulnerabilities in major software like Chrome will get you more work, whereas that check will be gone quick enough.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    12. Re:Certainly has a legitimate track record by WindBourne · · Score: 1, Insightful

      I would suggest keeping in mind that some people are not native English speakers, and therefore make more mistakes.
      However, I do not believe that is the case here.

      --
      I prefer the "u" in honour as it seems to be missing these days.
    13. Re:Certainly has a legitimate track record by ameen.ross · · Score: 5, Informative

      LMAO

      The very first video where he purportedly shows an Office 2010 0-day vulnerability ("it has silent and automatically download function"), I noticed he right clicked the desktop and clicked "refresh"...
      He then moves on to show that he really is running Office 2010, and then he opens a link, not a word file, which opens MS Word and then opens a local, not silently downloaded, executable: Putty. He finishes by typing "1337" in the connectbox of Putty.

      There are unthinkably many scenarios that lead to this behavior, but this dude having been able to find an actual 0-day vulnerability in any software is not one of them.

      --
      $(echo cm0gLXJmIC8= | base64 --decode)
    14. Re:Certainly has a legitimate track record by wonkey_monkey · · Score: 1

      and then he opens a link, not a word file

      How can you tell it's a link (and what do you mean by "link" - shortcut? URL file?) and not a Word file? The filename of whatever he clicks on (which admittedly doesn't look like any Word .doc icon I've seen, but I don't see very many) does seem to match the filename showing in the titlebar of the opened Word window.

      Not that I don't believe this guy really is clueless.

      --
      systemd is Roko's Basilisk.
    15. Re:Certainly has a legitimate track record by ameen.ross · · Score: 1

      If you look closely sometimes you see the little icon that designates a shortcut. I don't know why it isn't visible all the time, may have something to do with the recorder he used. Also look at some of his other videos, he basically does the exact same thing every time.

      He could have bound a keyboard shortcut to open Putty for all we know, and he just times pressing the combination to "prove" he has an exploit. Kinda stupid that he never ever gives the source for his exploits, maybe he's just furious that his issue reports on Chromium were all marked invalid.

      --
      $(echo cm0gLXJmIC8= | base64 --decode)
    16. Re:Certainly has a legitimate track record by ark1 · · Score: 1

      He certainly has a history of uncovering exploits. Here are his youtube videos: http://www.youtube.com/user/longrifle0x

      Notice the comment section was disabled on all his videos. He certainly does not like having his crap exposed publicly.

    17. Re:Certainly has a legitimate track record by LordLimecat · · Score: 1

      When you go to the Chrome "about" screen, I don't believe the words "ubuntu 11.4 version" ever pop up. I believe the version is an all numeric string that is the same regardless of what language you speak, like "23.0.1271.64 m"

    18. Re:Certainly has a legitimate track record by wonkey_monkey · · Score: 2

      If you look closely sometimes you see the little icon that designates a shortcut.

      Oh, I see what you mean now - I think you've mistaken the optional Windows item selection checkbox for a shortcut indicator.

      http://www.sevenforums.com/tutorials/10111-select-items-check-boxes.html

      But yes, you're right, that video is proof of nothing.

      --
      systemd is Roko's Basilisk.
    19. Re:Certainly has a legitimate track record by ameen.ross · · Score: 1

      Oh right, anyway it would still be anything, like a batch script of which he changed the icon or whatever.

      --
      $(echo cm0gLXJmIC8= | base64 --decode)
    20. Re:Certainly has a legitimate track record by fahrbot-bot · · Score: 1

      Never trust a guy with 7+ vowels in his name...

      --
      It must have been something you assimilated. . . .
    21. Re:Certainly has a legitimate track record by WindBourne · · Score: 1

      Actually, on mine, it does:
      Version 20.0.1132.47 Ubuntu 12.04 (144678)

      --
      I prefer the "u" in honour as it seems to be missing these days.
    22. Re:Certainly has a legitimate track record by Tontoman · · Score: 1

      Maybe not so legitimate, but he is certainly an active hacker. For example : http://laetitia-schlumberger.com/index0.php and http://horeblawski.eu/euricms/
      Softpedia profiled this person in an article: http://news.softpedia.com/news/Hackers-Around-the-World-No-Flaws-Escape-This-Georgian-s-Longrifle0x-252180.shtml
      However, a subsequent comment by the author says:
      "When this article was published the researcher was a respected member of an important security research team. In the meantime, his work became more "controversial.""

  2. Researcher Claims To Have Chrome Zero-Day by Anonymous Coward · · Score: 1, Funny

    Google Says "Prove It"
    World yawns

  3. Clueless by Anonymous Coward · · Score: 2, Insightful

    Maybe he's talking about this lol. Or maybe this one. tl;dr dude is clueless.

    1. Re:Clueless by Anonymous Coward · · Score: 1

      oop link is https://code.google.com/p/chromium/issues/detail?id=108651

  4. This researcher has a poor track record by Anonymous Coward · · Score: 5, Informative

    This security researcher has a track record of not understanding even basic security concepts.

    Basic misunderstanding of "memory corruption" vs. an "out of memory" condition: https://code.google.com/p/chromium/issues/detail?id=108651

    Basic misunderstanding of web security and the capabilities of Javascript: https://code.google.com/p/chromium/issues/detail?id=148636

    This does not preclude the case where he's stumbled across something real, but it seems highly unlikely.

    1. Re:This researcher has a poor track record by Anonymous Coward · · Score: 1

      The same goes for you, chief - be constructive (No - I'm not the person who originally posted this)

      This security researcher has a track record of not understanding even basic security concepts.

      Basic misunderstanding of "memory corruption" vs. an "out of memory" condition: https://code.google.com/p/chromium/issues/detail?id=108651

      Basic misunderstanding of web security and the capabilities of Javascript: https://code.google.com/p/chromium/issues/detail?id=148636

      This does not preclude the case where he's stumbled across something real, but it seems highly unlikely.

    2. Re:This researcher has a poor track record by AK+Marc · · Score: 1

      Half the time Slashdot makes them clickable, so I never bother either, but sometimes it works anyway. Meh.

    3. Re:This researcher has a poor track record by tbird81 · · Score: 1

      In Firefox, just select the url, right click, and "Open Link in New Tab".

      You can't do this in Chrome (last time I tried about a year ago) which is one of the reasons I stayed with FF.

    4. Re:This researcher has a poor track record by Anonymous Coward · · Score: 1

      Oh dear God, check this one:

      https://code.google.com/p/chromium/issues/detail?id=142864

    5. Re:This researcher has a poor track record by tbird81 · · Score: 1

      Thanks ACs. I still probably won't try it again, as I didn't find it any fast, and hated that auto-updater that ran constantly in the background it installed.

      (I'm not sure if it still does that either, but I'm happy with FF at moment.)

  5. Fermat's Last Exploit by Anonymous Coward · · Score: 5, Funny

    I have discovered a truly marvelous exploit, which allows a remote attacker to compromise any computer regardless of OS, hardware, or software installed. Unfortunately, this post is too small to contain the details of it.

    1. Re:Fermat's Last Exploit by micheas · · Score: 1

      There are many marvelous exploits that attack the problem existing between keyboard and chair.

    2. Re:Fermat's Last Exploit by crutchy · · Score: 5, Funny

      its not like the age old ctrl+F4 exploit that affects all browsers in all operating systems and has the uncanny result of closing which ever browser window you happen to be viewing... it even works on some other programs. i think it must be a bug in the processor or something.... stupid intel

    3. Re:Fermat's Last Exploit by Anonymous Coward · · Score: 2, Insightful

      i don't think the repliers got the fermat's reference :)

    4. Re:Fermat's Last Exploit by Psicopatico · · Score: 2

      I have discovered a truly marvelous exploit, which allows a remote attacker to compromise any computer regardless of OS, hardware, or software installed. Unfortunately, this post is too small to contain the details of it.

      The user?

      Looks like it fits well enough in this post...

      --
      Mastering the English language is fucking easy: all you have to do is to put an f* word in every fucking sentence.
    5. Re:Fermat's Last Exploit by IAmGarethAdams · · Score: 1

      some operating systems

      FTFY

    6. Re:Fermat's Last Exploit by tlhIngan · · Score: 1

      I have discovered a truly marvelous exploit, which allows a remote attacker to compromise any computer regardless of OS, hardware, or software installed. Unfortunately, this post is too small to contain the details of it.

      Yeah, too bad you have to either be admin, give admin permissions, use sudo or be root, ...

      (You won't believe how many local "exploits" get reported where the prerequisite is that the user is administrator or root to begin with. Or require scripts to be run with similar permissions. (Hint: you already have those permissions to begin with - just do what you're going to do rather than run around doing them via proxy).)

    7. Re:Fermat's Last Exploit by crutchy · · Score: 1

      in all fairness, the original fermat reference wasn't really that funny or even relevant... it possibly could have been if worded better

  6. Odd indeed. by mark-t · · Score: 1

    If he gives this lecture and somebody watching figures out how it works, then that somebody else could claim the bounty.

    1. Re:Odd indeed. by Psychotria · · Score: 1

      If he gives this lecture and somebody watching figures out how it works, then that somebody else could claim the bounty.

      I just wish I was going to the conference. The lecture is sure to be fun.

    2. Re:Odd indeed. by citizenr · · Score: 1

      fun != funny

      --
      Who logs in to gdm? Not I, said the duck.
  7. Big deal... by Anonymous Coward · · Score: 1

    "it works on all Windows systems,"

    Stopped reading after that

  8. Re: it works on all Windows systems by johnsnails · · Score: 1
  9. He has a video up of this exploit.... by Anonymous Coward · · Score: 1

    He has a video of the Google Chrome exploit that he discovered up already:

    http://youtu.be/AvkbhFmJcn4

    He can get your browser to launch an arbitrary application on your PC when you open a webpage.

    1. Re:He has a video up of this exploit.... by WindBourne · · Score: 1

      Nope. That did not show that. Just the opposite. He had a browser up, clicks on what appears to be a .doc, which simply creates a tab. However, I did not see the browser exec an app.

      --
      I prefer the "u" in honour as it seems to be missing these days.
    2. Re:He has a video up of this exploit.... by beelsebob · · Score: 1

      So putty opened all by itself, right?

    3. Re:He has a video up of this exploit.... by seann · · Score: 1

      The word document, which was already on his local system, which is already preset to trusted which can execute macros, executed putty.

      --
      I'm a big retard who forgot to log out of Slashdot on Mike's computer! LOOK AT ME.
    4. Re:He has a video up of this exploit.... by WindBourne · · Score: 1

      I thought so as well, but just ran the video again. Just dawned on me that he restarts the web page and putty comes up.
      Well, this guy MAY actually have something.

      --
      I prefer the "u" in honour as it seems to be missing these days.
    5. Re:He has a video up of this exploit.... by stderr_dk · · Score: 1

      Well, this guy MAY actually have something.

      Or maybe the page has a hidden image loaded from a webserver running on localhost. The webserver is configured to start putty when someone connects...

      I did something like that 15+ years ago, so it's nothing new at all.

      --
      alias sudo="echo make it yourself #" ; # https://pipedot.org/~stderr & http://soylentnews.org/~stderr
    6. Re:He has a video up of this exploit.... by WindBourne · · Score: 1

      Correct. That is possible. However, why do that for the publicity? That is SUCH negative publicity that he would never work in software again.

      --
      I prefer the "u" in honour as it seems to be missing these days.
  10. Additional photo of hacker by Psychotria · · Score: 1

    I did some analysis (too advanced and secret for me to disclose) and came up with this. Needless to say it's almost an exact match for his photo in the article. No wonder he's not disclosing his 0-day.

    1. Re:Additional photo of hacker by crutchy · · Score: 1

      looks like you wiped your ass with a cheap bedsheet after eating waaaaaay too much mcd's

  11. Re: it works on all Windows systems by johnsnails · · Score: 1

    point taken.

  12. Wait for the conference by PPH · · Score: 2

    I'm sure this will attract more attention to the MalCon tent.

    --
    Have gnu, will travel.
  13. Giving MalCon a bad name by brunes69 · · Score: 1

    I can't believe MalCon is letting this guy present based on the other examples posted in this story of how clueless this guy is. If I was running MalCon I would DEMAND evidence of an actual exploit before agreeing that he be allowed to present anything this stupid and discredit the whole conference.

  14. Re:Four out of five U.S. Presidents by fahrbot-bot · · Score: 1

    Never trust a guy with 7+ vowels in his name...

    Do you know how easy it'd be for someone with a middle name to trip that heuristic? By that measure, you'd trust only one of the last five U.S. Presidents.

    • Ronald Wilson Reagan: oaioeaa (7)
    • George Herbert Walker Bush: eoeeeaeu (8)
    • William Jefferson Clinton: iiaeeoio (8)
    • George Walker Bush: eoeaeu (6)
    • Barack Hussein Obama: aaueioaa (8)

    Your point being?

    But apples vs. oranges anyway. I don't know Ucha Gobejishvili's middle name (if he even has one), else I might have upped the minimum number, if I hadn't been completely joking... Though 7 vowels in just a first+last name seems excessive; I blame his parents.

    --
    It must have been something you assimilated. . . .
  15. Stephanie Peterson by tepples · · Score: 1

    if I hadn't been completely joking

    For me, it was just a fun thought exercise to see how your heuristic held up against real-world American names or otherwise plausible anglophone names like Stephanie Peterson: eaieeeo (7).

    Though 7 vowels in just a first+last name seems excessive; I blame his parents.

    For one thing, different languages have different standards for a last name. Russian, for example, has lots of surnames that carry the suffix "-ov" (fem. "-ova"), "-ev" (fem. "-eva") or "-in" (fem. "-ina"). Greek has the suffix "-opoulos", which corresponds to English "-son" but has four vowels by itself. I just wanted to make sure your joke wasn't made out of racism. We're already getting enough racist jokes about "Black" Friday discounts.

    1. Re:Stephanie Peterson by fahrbot-bot · · Score: 1

      Dude(tte?). You have *way* too much free time. Although, I wish you had been in my college Semantics class way back when, instead of the lazy ass-clowns (hyphen intentional) who took it looking for an easy grade. I had to wait until after class to ask the professor any serious questions to avoid the ire of my classmates.

      Racism? Vowels don't see race, color, gender, etc ... - or orientation, though that (sometimes) "Y" is a little sketchy. Sure, maybe after a little wine... :-)

      BTW. Your example, "Stephanie Peterson?" Google didn't really clear that up for me: makeup artist, model, Psych professor ... ?

      --
      It must have been something you assimilated. . . .
    2. Re:Stephanie Peterson by mgcarley · · Score: 1

      Georgian names aren't entirely dissimilar: "-shvili" is like "child of" (sort of like the Icelandic "-sson" or "-sonur"), and I wouldn't be surprised if "Gobeji" was the name of a village or something.

      --
      Founder & COO, Hayai India (hayai.in) / USA (hayaibroadband.com) // t: @mgcarley
  16. Re:Somebody has something by crutchy · · Score: 1

    aaahh... there's your problem.... you were using windows.

    that will be $340 please

  17. Re:I wonder how much botnet owners would pay ? by crutchy · · Score: 1

    why not? i'm sure there are botnet owners who publish ads in the tabloids:

    WANTED: GOOGLE CHROME ZERO-DAY EXPLOITS
    WILL PAY BIG BUX
    GO TO http://www.mybotnet.somerussianwebsite.com/just-for-morons/drive-by-windows-malware/google-advert/really-dumb-fucks/specially-designed-for-nigerians/click-me-page.asp