Google Dismisses VUPEN Hack of Chrome

Posted on 12. May, 2011 by in News

A few days ago, I posted a video clip from VUPEN Security claiming that they had hacked the Chrome browser. They claimed that their find was secret, saying on their own site, “For security reasons, the exploit code and technical details of the underlying vulnerabilities will not be publicly disclosed. They are exclusively shared with our Government customers as part of our vulnerability research services.”

I was hesitant to post it initially before I could get more information about what was really going on. Now it’s questionable whether this was an actual hack or the exploitation of a Flash vulnerability. Google Information Security Engineer Tavis Ormandy had this to say on Twitter: “VUPEN misunderstood how sandboxing worked in chrome, and only had a flash bug.”

Ormandy goes on to say that the exploit could be used on any browser that has an NPAPI implementation of Flash, like the one currently used in Chrome. And while full sandboxing of Flash is coming to Chrome in the future, it’s not quite ready to go yet. We’ve already seen the PDF viewer plugin fully sandboxed, and Flash is next on Google’s to-do list for better securing plugins.

There are always going to be issues with vulnerable plugins in Chrome; the question is how Google is going to go about confronting these problems. One of the ways that Google is planning on addressing this is by using the Pepper Plugin API, also known as PPAPI. As of right now, PPAPI Flash is being tested on Chromium and is available on the CR-48, so there is some testing of Pepper going on right now.

You can read more about Pepper here. This VUPEN video now sounds more like marketing material for the company than an actual flaw in Chrome. I think my first impression was right for once.

What do you think about the VUPEN Security video? Is it a Chrome flaw or a Flash vulnerability?

2 Responses to “Google Dismisses VUPEN Hack of Chrome”

  1. Andres

    12. May, 2011

    “Is it a Chrome flaw or a Flash vulnerability?”

    To a customer, it probably doesn’t matter, right? If a site you visit can trigger an executable on your computer, you’re probably going to be upset. And whether the vulnerability is in Flash or sandboxing is probably irrelevant. You’re likely going to blame Google for it. Regardless of where the vulnerability is, it’s probably very important for Google to close it.

  2. Cougar Abogado

    12. May, 2011

    Andres, I can definitely see your point. I think this is why Google’s working to sandbox Flash.

    Seriously, the more I think of little knick knacks like this, the more I’m sold on the Chromebook concept.

    I frankly doubt it’s a Chrome hack (probably because of my negative bias toward France and my belief that the French government probably has a hand in VUPEN directly or indirectly). On the other hand, if it is, I can understand why VUPEN would want to keep it away from Google: It can use fear, instead of information to get Google to cough up.

    I personally dislike the tactic because I see it as a form of blackmail/ransoming. Then again, how does VUPEN get the price it wants, if it has to show Google how it did it?

    In the end, my question for VUPEN is, “Where were you on the night of Pwn2Own?”
