MobilityLeaks: Chrome, David K Pwnd
On 5/10/2011 9:34 AM, David K wrote:
Without a public release and a 0day report to all government and vendor entities, this will be fixed and probably won’t be an issue going forward. They specifically say this is one of the most advanced pieces of code they’ve ever seen too, something this high level and involved will probably not yield many issues for people who use chrome. Also, this is the first time it’s been hacked. Congrats to google.
Holy crap! I wonder how this disaster will play out for Google. Best case Chrome is doomed, hopefully they can isolate the fallout to their web browser and not general public faith in their few other operations making them flame out faster than the Blackberry folks.
Oh wait, I already know how it’s going to play out as it’s a healthy part of their MO: Only a few people will care for a short period of time, maybe a few articles on some major publications but nothing front page, during which time, especially if these guys are gentlemen and supply Google with enough details, this will be patched, updates pushed and VUPEN Security, in addition to a nice dose of publicity, may be given up to $3,133.7 under Google’s bug bounty program which by the way has paid out somewhere in the hundreds of thousands to encourage hackers to hack their software in this fashion so that they may make it more secure, the net result being a more rapidly secured array of products and services. Google invites this leverage.
Microsoft’s strategy, conversely, is not to do that and instead wait a good several months until they have very, very little choice but to fix something that’s wide open and generating enough noise and youtube demonstrations.
Which approach do you like better?
Tehese guys are clearly not releasing this publicly but they’d be fools to only get $3k for the exploit.
I didn’t read up on the situation but is that in fact the case that these guys released usable zero day hacking code? I can go download this code and lace up our site with identify theft viruses? Or did they just put out a proof, or testament, of concept? The only hack I’m seeing here is you.
Let’s say neither of us bothered to read up on that, rather let’s just continue to speculate — you think they wouldn’t play ball with Google even if it meant additional publicity in the form of a public acknowledgment of the success of this security research company as well as handling the situation "white hat" style (responsibly)?
And suppose you’re right, and presume these guys did in fact find something as bad as it sounds and aren’t interested in anything from Google, do you think this will take Google more than an impressively short period of time to clean this up and get enough people to update so that this is thoroughly mitigated with many websites disseminating exploits made as a result of this discovery before it’s been sufficiently dealt with?
Meanwhile in the time it took me to write that millions of Windows computers were even more fucked by a fresh pile of >1000 day viruses. No one’s switching back to IE as a result of this which will, like Blackberry, continue to hand people over to Chrome, business as usual (like you’re handing over journalistic credibility to me). All you do here is spew FUD, stupid polls, hyperbole, flamebait and general fanboyism. It’s kind of sad and no amount of girly pictures will make up for it.
They are not releasing the code. They are patching people’s computers which they service/secure. That’s their angle. They want to make a few bucks and they did some impressive shit here. Chrome is heavily sandboxed and that’s what its strength is. They were able to to get through those layers. Whatever they did likely applies to lots of other apps/browsers as well in fact. It probably means lots of people need to go back to the drawing board…and they’re not giving up this exploit for that little money. It’s not ransom but they can make more off of it than the $3k weithout releasing the code.
You know what’s almost interesting, this VUPEN company with their "Government clients" also managed to do the same thing to Safari, not far behind Chrome at the moment in market share, and nobody cared. In the same competition in March, Internet Explorer was also compromised to this extent twice on the first and second day.
Mobile phone platforms were also assigned as targets during this competition. As for Microsoft, the selected researchers for "Windows Phone 7 did not show up."
Which reminds me, if this spooked me from using the Android stock web browser, I could install Firefox whereas you could not do shit except hope you’ll get your next pre-update within triple the time you had initially anticipated.