VUPEN Security pwns Google Chrome

Published: 2011-05-09
Last Updated: 2011-05-10 00:23:39 UTC
by Rick Wanner (Version: 1)
5 comment(s)

French security research group, VUPEN, announced earlier today that they have managed to subvert Google Chrome's sandbox to permit execution of code.

The announcement, which is light on details, and a demo are available on VUPEN's website. The most interesting aspect of the announcement was the declaration "This code and the technical details of the underlying vulnerabilities will not be publicly disclosed. They are shared exclusively with our Government customers as part of our vulnerability research services." Apparently this list does not include Google. Definitely an interesting twist on responsible disclosure.

Update: Further details and Google's response are available on Brian Kreb's blog.

-- Rick Wanner - rwanner at isc dot sans dot org - - Twitter:namedeplume (Protected)


Keywords: Chrome VUPEN
5 comment(s)


Alex, I'll take "Responsible Disclosure" for 200 please.....
Jeers to VUPEN then. "we broke it. We can break it again." "We'll tell our clients it's broken" "But we won't tell the developers so they can..."

<drumroll please>

"fix it".
I thought maybe VUPEN was a black hat org based on their ideas of "disclosure" but nope, it's a real company and this is their idea of just doing business, enabling their customers to target their enemies, waiting for the highest bidder, and holding the public hostage.

What a bunch of assholes.
Providing notice for an unpatched vuln to your customers while the vendor prepares a fix seems reasonable, but to withhold it from the vendor is something altogether different. They are either so arrogant as to believe that the bad guys haven't/won't discover this vuln, or, like HBGary, they are just plain evil.
Well, it looks like I'm going to have to agree with you guys on the evil part. Here's a little quote from their front page about their offerings:

"Exploits for Offensive Security. Get access to weaponized and highly sophisticated exploits specifically designed for LEA and Intelligence Agencies."

In other words 'we have absolutely no interest in seeing this (alleged) vulnerability fixed'...

Diary Archives