There has been a bit of back-and-forth quibbling between researchers at French security firm Vupen, who claim to have found and exploited a vulnerability in Google’s Chrome browser, and security researchers at Google, who claim the bug Vupen exploited was actually in Adobe Flash and therefore was “Not a Chrome pwn.”
The web scuffle arose after reports surfaced Monday in which Vupen researchers claimed to have discovered a number of holes in Google Chrome that enabled them to bypass the browser’s sandbox, as well as ASLR and DEP, and run arbitrary code on a vulnerable machine. Vupen released a video demonstrating the hack but went no further, not even reporting the details to Google. Evidently, the company has a policy of releasing the details of such hacks only to its paying customers and has therefore been a bit stingy with the facts.
Google security engineers clearly disagree with this claim and take offense at allegations that their notoriously secure browser had been hacked. They claim the vulnerability leveraged was in Adobe’s Flash Player, which, according to a report by Greg Keizer at ComputerWorld, has been bundled with Chrome for over a year.
“The investigation is ongoing because Vupen is not sharing any details with us,” a spokesperson from Google told ComputerWorld.
Like embattled HBGary CEO Greg Hoglund before him, Google security engineer Tavis Ormandy, perhaps fairly, points his finger at security journalists, posting this message on Twitter: “As usual, security journalists don’t bother to fact check. VUPEN misunderstood how sandboxing worked in chrome, and only had a flash bug.”
Ormandy wasn’t the only Google engineer to plead his case on Twitter. Chris Evans and Justin Schuh, both identified by ComputerWorld as Google engineers, chimed in as well, more or less saying that the hack was legitimate but that it really had nothing to do with Chrome, as Vupen had claimed.
Vupen didn’t take Google’s derision sitting down. Vupen CEO and head of research Chaouki Bekrar fired back with his own Twitter post, saying, “When it comes to critical vulnerabilities, all software vendors/devs (including Google) always try to downplay the findings… #pathetic”
To which Schuh replied, “I was thinking something similar about researchers who inflate their accomplishments.”
“We will not help Google in finding the vulnerabilities,” Bekrar told Keizer in an email response to his questions. “Nobody knows how we bypassed Google Chrome’s sandbox except us and our customers, and any claim is a pure speculation.”
According to the report, Bekrar eventually hinted that the exploit did indeed leverage a Flash vulnerability, but he claims the hack exploited at least one bug on Chrome’s side as well.
Chris Evans directed Keizer to a Chromium blog post written in late 2010, which details the beginnings of a Flash sandbox that Google implemented to emulate Chrome’s sandbox. He says the two are similar but distinct, and that the Flash sandbox still has some work that needs to be done.