Google Chrome Hacked, Sandbox Escaped

phitsc:
I don't know. I think I've read somewhere that of the popular browsers, Chrome was indeed found to be the most vulnerable one. But I think that was a report from sometime at the end of last year.

Edit: here's something from Nov. 2010: http://www.favbrowser.com/internet-explorer-is-safer-than-google-chrome-and-firefox/

Mark0:
It seems that things may be quite a bit different than initially reported:

'As usual, security journalists don't bother to fact check,' said Tavis Ormandy, a Google security engineer, in a tweet earlier Wednesday. 'Vupen misunderstood how sandboxing worked in Chrome, and only had a Flash bug.' Chris Evans, a Google security engineer and Chrome team lead, tweeted, 'It's a legit pwn, but if it requires Flash, it's not a Chrome pwn.'
--- End quote ---

Computer World - Google engineers deny Chrome hack exploited browser's code

As also noted in today's keynote at Google I/O, at the moment Flash on Chrome is partially sandboxed; it too (like web pages / tabs are now) will be fully sandboxed in the near future. Anyway, for the moment, a partial sandbox, in addition to the Flash automated update, is far better than nothing.

Deozaan:
"We will not help Google in finding the vulnerabilities," said Chaouki Bekrar, Vupen's CEO and head of research, in an email reply to questions. "Nobody knows how we bypassed Google Chrome's sandbox except us and our customers, and any claim is a pure speculation."

Last year, Vupen changed its vulnerability disclosure policies when it announced it would no longer report bugs to vendors -- as do many researchers -- but instead would reveal its work only to paying customers.
- http://www.computerworld.com/s/article/9216627/Google_engineers_deny_Chrome_hack_exploited_browser_s_code
--- End quote ---

Does this mean that Vupen are black hat hackers? Or are they white hat hackers using blackmail?
