The saga of the latest zero-day vulnerability and exploit for the Google Chrome browser took another mysterious turn over the weekend. The 19-year-old Georgian security researcher who found the vulnerability in the browser was called up for compulsory military duty in his country and was unable to deliver his presentation Saturday at the Malcon security conference in India.
Conference organizer Rajshekhar Murthy told Threatpost in an email that Ucha Gobejishvili was called in at the last minute and was not able to travel to New Delhi.
Gobejishvili told Security Ledger he found the vulnerability in July in a DLL that is part of the browser, and that it has a silent and automatic download capability. The attack would allow remote code execution on any machine, and would work on the latest patched version of Chrome. Gobejishvili would have demonstrated the exploit on Windows, though he said it would work on most platforms.
Murthy told Threatpost that Gobejishvili said the exploit uses a new Java zero-day vulnerability. Gobejishvili, however, had not shared any details with Google and said he would not release the attack code because of the critical nature of the vulnerability.
Google engineer Justin Schuh said Gobejishvili has reported several bugs to Google in the past. Schuh said he was skeptical of Gobejishvili’s claims.
“I don’t want to imply that there may not be people out there with legitimate Chrome 0days. To the contrary, Chrome is a complex project with a lot of attack surface and the target of many very talented researchers,” Schuh wrote on his Google+ page. “I’m just dubious of such claims from someone unfamiliar with very basic security concepts (like the difference between OOM and memory corruption).”
Adding to Google's skepticism is the fact that Gobejishvili chose not to share details with Google, potentially passing up a $60,000 bug bounty. Twice this year, a hacker going by the handle Pinkie Pie has cashed in on the hefty bounties. Most recently, at the Pwnium contest sponsored by Google during the Hack in the Box conference in Malaysia, Pinkie Pie developed an attack against Chrome that included a sandbox escape. Earlier this year, at the CanSecWest conference, Pinkie Pie won the Pwn2Own contest by chaining together an attack against three vulnerabilities in Chrome.
Google put up $2 million in bounties at Hack in the Box, with the top payout of $60,000 for a full Chrome exploit, and $50,000 for a partial exploit of the browser.
“This is in response to feedback, and reflects that any local account compromise is very serious. We’re happy to make the web safer by any means — even rewarding vulnerabilities outside of our immediate control,” said Google software engineer Chris Evans.