ISC Diary

Refresh Latest Diaries

Handler on Duty:
Johannes Ullrich
Contact Us

VUPEN Security pwns Google Chrome

Published: 2011-05-09,
Last Updated: 2011-05-10 00:23:39 UTC
by Rick Wanner (Version: 1)

French security research group, VUPEN, announced earlier today that they have managed to subvert Google Chrome's sandbox to permit execution of code.

The announcement, which is light on details, and a demo are available on VUPEN's website. The most interesting aspect of the announcement was the declaration "This code and the technical details of the underlying vulnerabilities will not be publicly disclosed. They are shared exclusively with our Government customers as part of our vulnerability research services." Apparently this list does not include Google. Definitely an interesting twist on responsible disclosure.

Update: Further details and Google's response are available on Brian Kreb's blog.

-- Rick Wanner - rwanner at isc dot sans dot org - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)

Keywords: Chrome VUPEN

Comments

Alex, I'll take "Responsible Disclosure" for 200 please.....

posted by dsh, Tue May 10 2011, 13:12

Jeers to VUPEN then. "we broke it. We can break it again." "We'll tell our clients it's broken" "But we won't tell the developers so they can..."

<drumroll please>

"fix it".

posted by Al, Tue May 10 2011, 16:47

I thought maybe VUPEN was a black hat org based on their ideas of "disclosure" but nope, it's a real company and this is their idea of just doing business, enabling their customers to target their enemies, waiting for the highest bidder, and holding the public hostage.

What a bunch of assholes.

posted by Jason, Tue May 10 2011, 19:18

Providing notice for an unpatched vuln to your customers while the vendor prepares a fix seems reasonable, but to withhold it from the vendor is something altogether different. They are either so arrogant as to believe that the bad guys haven't/won't discover this vuln, or, like HBGary, they are just plain evil.

posted by Mo, Tue May 10 2011, 23:39

Well, it looks like I'm going to have to agree with you guys on the evil part. Here's a little quote from their front page about their offerings:

"Exploits for Offensive Security. Get access to weaponized and highly sophisticated exploits specifically designed for LEA and Intelligence Agencies."

In other words 'we have absolutely no interest in seeing this (alleged) vulnerability fixed'...

posted by IByte, Wed May 11 2011, 00:35

New Comments closed for all Diaries older than two(2) weeks
Please send your comments to our Contact Form

Diary Archives

ISC Diary | VUPEN Security pwns Google Chrome

ISC Diary

Refresh Latest Diaries

Handler on Duty:
Johannes Ullrich
Contact Us

VUPEN Security pwns Google Chrome

Published: 2011-05-09,
Last Updated: 2011-05-10 00:23:39 UTC
by Rick Wanner (Version: 1)

French security research group, VUPEN, announced earlier today that they have managed to subvert Google Chrome's sandbox to permit execution of code.

The announcement, which is light on details, and a demo are available on VUPEN's website. The most interesting aspect of the announcement was the declaration "This code and the technical details of the underlying vulnerabilities will not be publicly disclosed. They are shared exclusively with our Government customers as part of our vulnerability research services." Apparently this list does not include Google. Definitely an interesting twist on responsible disclosure.

Update: Further details and Google's response are available on Brian Kreb's blog.

-- Rick Wanner - rwanner at isc dot sans dot org - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)

Keywords: Chrome VUPEN

Comments

Alex, I'll take "Responsible Disclosure" for 200 please.....

posted by dsh, Tue May 10 2011, 13:12

Jeers to VUPEN then. "we broke it. We can break it again." "We'll tell our clients it's broken" "But we won't tell the developers so they can..."

<drumroll please>

"fix it".

posted by Al, Tue May 10 2011, 16:47

I thought maybe VUPEN was a black hat org based on their ideas of "disclosure" but nope, it's a real company and this is their idea of just doing business, enabling their customers to target their enemies, waiting for the highest bidder, and holding the public hostage.

What a bunch of assholes.

posted by Jason, Tue May 10 2011, 19:18

Providing notice for an unpatched vuln to your customers while the vendor prepares a fix seems reasonable, but to withhold it from the vendor is something altogether different. They are either so arrogant as to believe that the bad guys haven't/won't discover this vuln, or, like HBGary, they are just plain evil.

posted by Mo, Tue May 10 2011, 23:39

Well, it looks like I'm going to have to agree with you guys on the evil part. Here's a little quote from their front page about their offerings:

"Exploits for Offensive Security. Get access to weaponized and highly sophisticated exploits specifically designed for LEA and Intelligence Agencies."

In other words 'we have absolutely no interest in seeing this (alleged) vulnerability fixed'...

posted by IByte, Wed May 11 2011, 00:35

New Comments closed for all Diaries older than two(2) weeks
Please send your comments to our Contact Form

Diary Archives