A few days ago, I posted a video clip from VUPEN Security claiming that they had hacked the Chrome browser. They claimed that their find was secret, saying on their own site, “For security reasons, the exploit code and technical details of the underlying vulnerabilities will not be publicly disclosed. They are exclusively shared with our Government customers as part of our vulnerability research services.”
I was hesitant to post it initially before I could get more information about what was really going on. Now it’s questionable whether this was an actual hack or the exploitation of a Flash vulnerability. Google Information Security Engineer Tavis Ormandy had this to say on Twitter: “VUPEN misunderstood how sandboxing worked in chrome, and only had a flash bug.”
Ormandy goes on to say that the exploit could be used on any browser with an NPAPI implementation of Flash, like the one currently used in Chrome. And while full sandboxing of Flash is coming to Chrome in the future, it’s not quite ready to go yet. We’ve already seen the PDF viewer plugin fully sandboxed, and Flash is next on Google’s list of to-dos for better securing that plugin.
There are always going to be issues with vulnerable plugins in Chrome; the question is how Google is going to go about confronting these problems. One of the ways that Google is planning on addressing this is by using the Pepper Plugin API, also known as PPAPI. As of right now, PPAPI Flash is being tested on Chromium and is available on the CR-48, so some testing of Pepper is already under way.
You can read more about Pepper here. This VUPEN video now sounds more like marketing material for the company than a demonstration of an actual flaw in Chrome. I think my first impression was right for once.
What do you think about the VUPEN Security video? Is it a Chrome flaw or a Flash vulnerability?