Chrome Hack Denied By Google Engineers
As reported previously by FavBrowser, Google Chrome’s sandbox has allegedly been hacked. Nevertheless, several security engineers over at Google have now denied this, countering claims that a security company discovered a vulnerability in Chrome that could let attackers hijack Windows PCs running the browser.
The bug that security company Vupen exploited to hack Chrome was in Adobe’s Flash which comes bundled with Chrome, not in Chrome itself, said the engineers. A Google spokesman said that investigation was still ongoing, but the engineers decided to make themselves heard.
As usual, security journalists don’t bother to fact check. Vupen misunderstood how sandboxing worked in Chrome, and only had a Flash bug. – Tavis Ormandy, a Google security engineer.
It’s a legit pwn, but if it requires Flash, it’s not a Chrome pwn. – Chris Evans, a Google security engineer and Chrome team lead.
No one is saying it’s not a legit exploit. The point is that it’s not the exploit Vupen claimed. – Justin Schuh, a Google security engineer.
Vupen was blunt int its refusal to share information on the matter when asked to confirm the source of the vulnerabilities it exploited.
We will not help Google in finding the vulnerabilities. Nobody knows how we bypassed Google Chrome’s sandbox except us and our customers, and any claim is a pure speculation. – Chaouki Bekrar, Vupen’s CEO and head of research.
Vupen changed its vulnerability disclosure policies last year when it announced it would no longer report bugs to vendors, as is the case with many researchers. Information would only be revealed to paying customers.
While the Google engineers appeared to recognize that a bug in Flash was involved in Vupen’s exploit, they also defended the sandbox technology, meant to isolate Flash from the rest of the computer, even as it apparently failed to prevent an attack.
About (Author Profile)
Being passionate about software, Armin joined FavBrowser.com in early 2011 and has been actively writing ever since. Having accepted the challenge, he also enjoys watching anime, indulging in good books, staying fit and healthy, and trying new things.
Of course Google’s engineers would say that because they made it and they don’t want to be embarrassed by something like this. :P
True, but we also know what Flash is like. The knowledgeable folk always give it a bad rep.
Flash isn’t the best at being secure, but even Apple has problems without it. Remember Pwn2Own?