Discussion in 'Security and Anti-Virus Software' started by Hungry Man, May 9, 2011.
Is the flash sandbox Flash code or Chrome code?
Google code. It's definitely still a Chrome exploit. Like the Google engineer said, there's no denying that. But they made it out to be... I dunno... 100% Chrome. What I mean by that is that it sounded as if they exploited the Chrome browser and then got out of the Chrome sandbox. What they did was exploit an Adobe bug and then get out of the Chrome sandbox.
There's a pretty clear difference there but it does come down to Chrome's sandbox and that's why it's a legit exploit. It's just kinda... lame.
"It’s a legit pwn, but if it requires Flash, it’s not a Chrome pwn. – Chris Evans, a Google security engineer and Chrome team lead."
That engineer seems to vehemently disagree with you.
It seems like a Flash bug/exploit has been used in conjunction with a Chrome sandbox vulnerability/exploit.
As the Chrome sandbox is an integral part of the Chrome browser, I don't see how breaking/exploiting the sandbox doesn't equate to breaking/exploiting the browser.
Also, if Chrome developers are actively working with Adobe on their specific Flash version, a bug in that Flash version will always reflect on Google/Chrome also.
At least more than when a vanilla version of Flash is exploited.
Google won't win this battle of semantics.
They should simply own up.
That is, as far as they can of course because VUPEN isn't disclosing to them as long as Google doesn't pay up.
Pretty harsh of those Frenchies, but then again, it's their prerogative/business model to not agree to Google's scheme of 'Here-is-what-we-decide-to-pay-you-for-your-research'.
Even if Google/Chrome engineers are seriously ticked off by it.
Yup. The engineers seem to disagree amongst themselves. It's understandable.
They should absolutely take responsibility. I think the only reason they're reluctant is because Flash is handled by another company and their developers only get to patch development builds; they don't have Google engineers working on the source code alongside Adobe that I know of.
I don't think Google could buy the exploit from VUPEN. The government is willing to pay out tons of money but Google doesn't have as much money as governments do. If it's a bidding war they will lose. It's cheaper for them to simply work it out themselves.
That's the only thing where I disagree and then I'll give it a rest...
Check 2011, even a percentage of Q4 'Cash, Cash Equivalents & Marketable Securities' will do. link
Heck, I'm willing to bet money that VUPEN would agree to shut down and retire for a percentage.
Google is filthy rich and their 'Give-us-your-exploit-research-rewarding-scheme' is... well, rather meager sometimes.
Most of their exploits pay pretty damn well. 1000+ dollars to make a program crash? That's pretty good.
But no, the government still has more money than Google.