Slashdot Mirror


Revealed: Chrome Really Was Exploited At Pwnium 2013

Freshly Exhumed writes with an "inconvenient truth" as reported at Internet News: "Google Chrome running Chrome OS was hailed as being a survivor in the Pwnium/Pwn2own event that hacked IE, Firefox and Chrome browsers on Windows. Apple's Safari running on Mac OS X was not hacked and neither (apparently) was Chrome on Chrome OS. Google disclosed [Monday] morning that Chrome on Chrome OS had in fact been exploited — albeit, unreliably. The same researcher that took Google's money last year for exploiting Chrome, known publicly only as 'PinkiePie', was awarded $40,000 for exploiting Chrome/Chrome OS via a Linux kernel bug, config file error and a video parsing flaw." Asks Freshly Exhumed: "So, was it really Google Chrome, or was Linux to blame?"

6 of 102 comments

  1. Linux or Chrome? by dintech · · Score: 4, Insightful

    So, was it really Google Chrome, or was Linux to blame

    Wasn't it both? They're both a component in the same vector.

    1. Re:Linux or Chrome? by dintech · · Score: 4, Insightful

      I do know this. The attack was via Chrome. It may have exploited a bug in Linux underneath, but so does any attack on Windows or MacOSX via browsers. Nice try at trolling, but you'd be better off over at 4chan.

    2. Re:Linux or Chrome? by dintech · · Score: 5, Insightful

      You are mistaken. If Chrome allowed a bug in the OS to be exploited via Chrome, both are at fault. Please consider that no OS is secure. That doesn't mean that browser developers should just give up on security.

    3. Re:Linux or Chrome? by dintech · · Score: 4, Insightful

      If we're talking about a kernel call that may allow escalations of privileges and you are not yourself sanity checking what's coming from some box on the internet, then fucking yes, be suspicious. You know something about code but seem to know very little about security in the real world. You, my friend, are the most dangerous kind of programmer around.

  2. Re:The answer is: Yes by L4t3r4lu5 · · Score: 4, Insightful

    I would argue that if the bug is exploitable in non-ChromeOS kernels then Linux is to blame. If the bug was introduced by the ChromeOS implementation, then it's the fault of ChromeOS.

    --
    Finally had enough. Come see us over at https://soylentnews.org/
  3. Re:Misleading by BasilBrush · · Score: 5, Insightful

    You don't seem to understand how Pwn2Own works. People don't arrive at the contest, pick an OS/Browser and then start looking for an exploit.

    They begin weeks in advance looking for exploits. IF they find one, then they go to the contest and select the appropriate platform and demonstrate the exploit. Their demonstration may fail, because the versions of the software on the contest platform might be different from what they were practicing with.

    That no one "attempted to hack" OSX and Safari at the competition this year is because in the past few weeks of trying, no one has found an exploit for it. It's certainly not the case that they could have won the prize, but couldn't be bothered.