MobilityLeaks - 10 May 2011
Author: Doug Simmons

On 5/10/2011 9:34 AM, David K wrote:

Exploited: Google Chrome Pwned by VUPEN

Chris Leiter:

Without a public release and a 0day report to all government and vendor entities, this will be fixed and probably won’t be an issue going forward. They specifically say this is one of the most advanced pieces of code they’ve ever seen, too; something this high level and involved will probably not yield many issues for people who use Chrome. Also, this is the first time it’s been hacked. Congrats to Google.

Doug Simmons

Holy crap! I wonder how this disaster will play out for Google. Best case Chrome is doomed, hopefully they can isolate the fallout to their web browser and not general public faith in their few other operations making them flame out faster than the Blackberry folks.

Oh wait, I already know how it’s going to play out, as it’s a healthy part of their MO: only a few people will care for a short period of time, maybe a few articles on some major publications but nothing front page, during which time, especially if these guys are gentlemen and supply Google with enough details, this will be patched and updates pushed, and VUPEN Security, in addition to a nice dose of publicity, may be given up to $3,133.7 under Google’s bug bounty program, which by the way has paid out somewhere in the hundreds of thousands to encourage hackers to hack their software in this fashion so that they may make it more secure, the net result being a more rapidly secured array of products and services. Google invites this leverage.

Microsoft’s strategy, conversely, is not to do that and instead wait a good several months until they have very, very little choice but to fix something that’s wide open and generating enough noise and youtube demonstrations.

Which approach do you like better?

David K:

These guys are clearly not releasing this publicly, but they’d be fools to only get $3k for the exploit.

Doug Simmons

I didn’t read up on the situation, but is that in fact the case that these guys released usable zero day hacking code? I can go download this code and lace up our site with identity theft viruses? Or did they just put out a proof, or testament, of concept? The only hack I’m seeing here is you.

Let’s say neither of us bothered to read up on that, rather let’s just continue to speculate — you think they wouldn’t play ball with Google even if it meant additional publicity in the form of a public acknowledgment of the success of this security research company as well as handling the situation "white hat" style (responsibly)?

And suppose you’re right, and presume these guys did in fact find something as bad as it sounds and aren’t interested in anything from Google, do you think this will take Google more than an impressively short period of time to clean this up and get enough people to update so that this is thoroughly mitigated with many websites disseminating exploits made as a result of this discovery before it’s been sufficiently dealt with?

Meanwhile in the time it took me to write that millions of Windows computers were even more fucked by a fresh pile of >1000 day viruses. No one’s switching back to IE as a result of this which will, like Blackberry, continue to hand people over to Chrome, business as usual (like you’re handing over journalistic credibility to me). All you do here is spew FUD, stupid polls, hyperbole, flamebait and general fanboyism. It’s kind of sad and no amount of girly pictures will make up for it.

nice

David K:

They are not releasing the code. They are patching people’s computers which they service/secure. That’s their angle. They want to make a few bucks and they did some impressive shit here. Chrome is heavily sandboxed and that’s what its strength is. They were able to get through those layers. Whatever they did likely applies to lots of other apps/browsers as well, in fact. It probably means lots of people need to go back to the drawing board…and they’re not giving up this exploit for that little money. It’s not ransom, but they can make more off of it than the $3k without releasing the code.

Doug Simmons:

You know what’s almost interesting, this VUPEN company with their "Government clients" also managed to do the same thing to Safari, not far behind Chrome at the moment in market share, and nobody cared. In the same competition in March, Internet Explorer was also compromised to this extent twice on the first and second day.

Mobile phone platforms were also assigned as targets during this competition. As for Microsoft, the selected researchers for "Windows Phone 7 did not show up."

Which reminds me, if this spooked me from using the Android stock web browser, I could install Firefox whereas you could not do shit except hope you’ll get your next pre-update within triple the time you had initially anticipated.

Humpbacked fatass.

About Author

Biographical info.. hmm. I have a history of not being able to strike the balance between what is "safe" to put into these forms and what is, in my mind at least, funny. Can't do it.

(8) Readers Comments

  1. First off Sasquatch, I’m not fat. But you seem far more interested in this whole thing than I am. I circulate some news…you rampage. In fact, what you just did by posting this gave the Chrome exploit more attention than I was, by far.
    Oh, and no one showed up to take a crack at WP7 because no one had a vulnerability that worked, but that’s a side issue.
    If you ask me, you’re pretty sour that MS just bought Skype and took all the headlines and now Google I/O announcement is crumbs. Get used to it…the 800-pound gorilla is back.

  2. Maybe they should have bought Google instead.

  3. …still laughing at Humpbacked Fatass, if for nothing else, Simmons didn’t try to add it in like last time.

    A long, long time ago, my friend’s grandmother told me that your innocence isn’t defined by the world’s guilt. With that in mind I must ask: If chrome was exploited, why point out who else was too?

    Oh and since we want to play the update game again:

    Explain to me the difference between

    Case 1: Android

    and

    Case 2: WP7

    Here’s a hint, the Fascinate just now got Froyo, an update that’s about 1 year old now…Where’s Gingerbread? hmm….

    Hell, let’s go into overtime

    Case 3: WP7-Worldwide

    …there’s a mighty amount of “delivering update” cells, aren’t there? (España, repentant).

    -Fight aka the Sheriff

  4. @thefight: Doug, this is pure ownage. But the problem is, I just can’t get excited over a bunch of free browsers. Honestly, who cares? It’s a browser.

  5. Thanks for the chart. Great to see. When IE becomes irrelevant then all the jerk offs of the world will look for another browser to exploit. Hey, that’s actually already happening.

  6. How did this go from Chrome and VUPEN to WP7 and browser usage?

  7. yss: Well I was going to segue into how that chart kind of looks like other trends related to Microsoft, like the value of their company and their new partner, but I got sidetracked.

    Though they put themselves on the map today and worked on their website, I don’t believe they have any “Government” (capital G for some reason) clients, and all their Forbes 500 clients, I don’t believe they exist either. But maybe we should “reach out” to their email, which is ks4s83et2yvjhkvmz2kz@q.o-w-o.info, for confirmation. Or perhaps to request a quote on a secret exclusive Chrome update to protect us from this threat.

    Furthermore I don’t think snubbing Google, if that’s in fact what they’re doing, is good for anyone including them.

    Joe: If you said who cares about IE10 and GPU optimization benchmark razzle dazzle tests I’d agree with you but having a lot of people using your free browser, and having the only browser with a share that’s heading north fast, that’s valuable too especially if your angle with most of the products and services you offer or intend to offer is to house all that shit in that browser, even make laptops and an operating system that is essentially nothing but the web browser, which the majority of time makes the new installer of it much more likely to use Google in a manner that benefits Google in all sorts of ways including ways they haven’t even started to think of. It’s a big deal, big enough to get the feds on your ass if you don’t keep a low profile with your free browser.

    Jim: Cute. But this is by no means the first successful exposure of flaws; Google has gone way out of their way to encourage the public to compete with each other, mainly for bragging rights (which to some are valuable), to pull their security pants down, but to do so exercising a little restraint from zero day full disclosure:

    We would invite other researchers to join us in using the proposed disclosure deadlines to drive faster security response efforts. Creating pressure towards more reasonably-timed fixes will result in smaller windows of opportunity for blackhats to abuse vulnerabilities. In our opinion, this small tweak to the rules of engagement will result in greater overall safety for users of the Internet.

    In addition to soliciting the public to assist in securing their stuff and harnessing that energy in certain ways Google also offers security tips to the public on the house whether they use Google for anything or not (http://googleonlinesecurity.blogspot.com/). Google provides many public services that are arguably pretty distant from benefiting their bottom line including, for a random arcane example, producing mod_pagespeed, an Apache web server module, which makes servers faster including mine. I didn’t tear apart every line of the source code (it’s open source and free) but to my knowledge it does nothing along the lines of helping Google datamine, just makes Apache significantly more efficient (we run Apache by the way, wish we had root so I could install this thing).

    Strange how even with the success of Windows 7, the best selling thing ever which includes IE right smack on the desktop, well, you saw the chart.

    Maybe they use this to mine data, maybe not, who cares, but you should try Google’s DNS servers which are easy to remember, 8.8.8.8 and 8.8.4.4. Pretty fast and they don’t hijack and redirect you to some stupid advertisement if you type in a nonexistent host.

  8. @Doug Simmons: You’re a fucking idiot.