0-Day exploit bypasses Chrome sandbox

Discussion in 'Security and Anti-Virus Software' started by Hungry Man, May 9, 2011.

Thread Status:
Not open for further replies.
  1. Baserk

    Is the Flash sandbox Flash code or Chrome code?
     
  2. Hungry Man

    Google code. It's definitely still a Chrome exploit. Like the Google engineer said, there's no denying that. But they made it out to be... I dunno... 100% Chrome. What I mean by that is that it sounded as if they exploited the Chrome browser and then got out of the Chrome sandbox. What they did was exploit an Adobe bug and then get out of the Chrome sandbox.

    There's a pretty clear difference there but it does come down to Chrome's sandbox and that's why it's a legit exploit. It's just kinda... lame.
     
  3. Baserk

    "It’s a legit pwn, but if it requires Flash, it’s not a Chrome pwn. – Chris Evans, a Google security engineer and Chrome team lead."

    That engineer seems to vehemently disagree with you.

    It seems like a Flash bug/exploit has been used in conjunction with a Chrome sandbox vulnerability/exploit.
    As the Chrome sandbox is an integral part of the Chrome browser, I don't see how breaking/exploiting the sandbox doesn't equate to breaking/exploiting the browser.
    Also, if Chrome developers are actively working with Adobe on their specific Flash version, a bug in that Flash version will always reflect on Google/Chrome also.
    At least more than when a vanilla version of Flash is exploited.

    Google won't win this battle of semantics.
    They should simply own up.
    That is, as far as they can of course because VUPEN isn't disclosing to them as long as Google doesn't pay up.
    Pretty harsh of those frenchies but then again, it's their prerogative/business model to not agree to Google's scheme of 'Here-is-what-we-decide-to-pay-you-for-your-research'.
    Even if Google/Chrome engineers are seriously ticked off by it.
     
  4. Hungry Man

    Yup. The engineers seem to disagree amongst themselves. It's understandable.

    Well, I agree with you. For one thing it begs the question "What is a Chrome exploit then?" I mean... what if they'd used WebKit exploits? WebKit wasn't started by Google, but they work on it and it's bundled with their browser. Same goes for the V8 JavaScript engine.

    They should absolutely take responsibility. I think the only reason they're reluctant is because Flash is handled by another company and their developers only get to patch development builds; they don't have Google engineers working on the source code alongside Adobe that I know of.

    I don't think Google could buy the exploit from VUPEN. The government is willing to pay out tons of money, but Google doesn't have as much money as governments do. If it's a bidding war they will lose. It's cheaper for them to simply work it out themselves.
     
  5. Baserk

    That's the only thing where I disagree and then I'll give it a rest...;)

    Check 2011, even a percentage of Q4 'Cash, Cash Equivalents & Marketable Securities' will do. link
    Heck, I'm willing to bet money that VUPEN would agree to shut down and retire for a percentage.
    Google is filthy rich and their 'Give-us-your-exploit-research-rewarding-scheme' is... well, rather meager sometimes.
     
  6. Hungry Man

    Most of their exploits pay pretty damn well. 1000+ dollars to make a program crash? That's pretty good.

    But no, the government still has more money than Google.
     