
SANS ISC: VUPEN Security pwns Google Chrome - SANS Internet Storm Center


VUPEN Security pwns Google Chrome

The French security research firm VUPEN announced earlier today that it has managed to subvert Google Chrome's sandbox and achieve code execution on the underlying system.

The announcement, which is light on details, and a demo video are available on VUPEN's website. The most interesting aspect of the announcement is the declaration: "This code and the technical details of the underlying vulnerabilities will not be publicly disclosed. They are shared exclusively with our Government customers as part of our vulnerability research services." Apparently that customer list does not include Google, the vendor who would actually have to fix it. Definitely an interesting twist on responsible disclosure.

Update: Further details and Google's response are available on Brian Krebs's blog.

-- Rick Wanner - rwanner at isc dot sans dot org - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)


Rick

269 Posts
ISC Handler
Alex, I'll take "Responsible Disclosure" for 200 please.....
Anonymous

Jeers to VUPEN then. "We broke it. We can break it again." "We'll tell our clients it's broken." "But we won't tell the developers so they can..."

<drumroll please>

"fix it".
Al

4 Posts
I thought maybe VUPEN was a black hat org based on their ideas of "disclosure" but nope, it's a real company and this is their idea of just doing business, enabling their customers to target their enemies, waiting for the highest bidder, and holding the public hostage.

What a bunch of assholes.
Jasey

92 Posts
Providing notice for an unpatched vuln to your customers while the vendor prepares a fix seems reasonable, but to withhold it from the vendor is something altogether different. They are either so arrogant as to believe that the bad guys haven't/won't discover this vuln, or, like HBGary, they are just plain evil.
Anonymous

Well, it looks like I'm going to have to agree with you guys on the evil part. Here's a little quote from their front page about their offerings:

"Exploits for Offensive Security. Get access to weaponized and highly sophisticated exploits specifically designed for LEA and Intelligence Agencies."

In other words 'we have absolutely no interest in seeing this (alleged) vulnerability fixed'...
Vincent T

12 Posts
