News

Google Engineers Blame Adobe for Chrome Hack

Google is speaking out after Monday's news that a French security firm had found a zero-day exploit in Chrome's code

Vupen, the security group in question, announced it had found an issue with Chrome running on Windows systems that allows a hacker to bypass all security features, including Chrome's sandbox mode. In response, members of Google's Chrome engineering team took to Twitter, LinkedIn and other social media outlets to place the blame on Adobe. They claim the security issues are associated with a recently discovered vulnerability found in Adobe's Flash code.

"It's a legit pwn, but if it requires Flash, it's not a Chrome pwn," wrote Chris Evans, Google's information security engineer and tech lead, in a Tweet this morning. "Do Java bugs count as a Chrome pwn too, because we support NPAPI?"

Also joining in on the Google Twitter defense this morning was Tavis Ormandy, an engineer at Google: "As usual, security journalists don't bother to fact check. VUPEN misunderstood how sandboxing worked in Chrome, and only had a flash bug." Ormandy was the security researcher that publicly disclosed a Windows XP help flaw in July, eliciting reaction from Microsoft.

Ironically, Vupen's claims about the Google Chrome security vulnerabilities could not be broadly verified because the security firm stated it would not release the specifics of the zero-day hack to the public.

Chaouki Bekrar, Vupen's founder and head researcher, defended the company's confirmation of the exploit. Bekrar jumped into the Twitter war of words by assuring that the hack is, in fact, legitimate. Responding directly to Chris Evans' Tweet, Bekrar wrote, "Flash bugs are equivalent to Chrome sandbox escapes from an attacker's perspective. You're thinking like developers."

Bekrar also noted on his Twitter feed today that the hack had been verified to work on both Chrome versions 11 and 12, running on a Windows machine.

Google has not officially released a statement on the matter.

About the Author

Chris Paoli is the site producer for Redmondmag.com and MCPmag.com.

Featured

  • RAMBleed Side-Channel Attack Method Disclosed by Researchers

    Academic researchers this week published information about another side-channel attack method, called "RAMBleed," that can expose information from memory chips, including encryption key information.

  • Penguin

    Windows 10 Preview Build 18917 Shows Off New Linux Integration

    Microsoft's latest Windows 10 "fast-ring" preview release is showcasing a coming Delivery Optimization enhancement, along with the ability to try the newly emerged Windows Subsystem for Linux version 2.

  • Customizing Microsoft Office 365

    While the overall look and feel of Office 365 is pretty standard across organizations, there are several ways to personalize it and make it fit better with your company's specific needs.

  • Microsoft 365 Business Tenants Getting Conditional Access and Trouble-Ticket Features

    Microsoft added its conditional access security service to Microsoft 365 Business subscriptions, according to a Wednesday announcement, and it also added new trouble-ticket features for Microsoft 365 administrators.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.