Visibility = Vulnerability
To design unhackable software, also ensure it is never used. You know, like Opera.
Researchers say they've developed attack code that pierces key defenses built into Google's Chrome browser, allowing them to reliably execute malware on end user machines. The attack contains two separate exploits so it can bypass the security counter measures, which include address space layout randomization (or ASLR), data …
To design unhackable software, also ensure it is never used. You know, like Opera.
>The Vupen researchers said they plan to share technical details of the exploit only with government customers “for defensive and offensive security.” Neither Google nor the public will be privy to the specifics.
This indicates a conscious decision at some point to be bastards.
That's only a good thing if you consider government to be good. What if the buyer is the CIA? Or the Chinese government? Or Mossad?
Is it not painfully obvious that the first order of business should be to __fix__ the problem?
They intend to warn these government customers about the problem, right? So instead of said customers using a fixed browser, they continue to use the vulnerable one, but with the benefit of knowing about it. ("Gee, Mr. Freebit, we won't fix your brakes but we will make sure you have a detailed understanding of precisely why you couldn't avoid rear-ending that school bus.")
Was the first thing that came to mind upon reading this...
"The Vupen researchers said they plan to share technical details of the exploit only with government customers “for defensive and offensive security.” Neither Google nor the public will be privy to the specifics."
My thoughts exactly.
"We'll tell everyone about it, except those in a position to actually fix it"
So; they plan to target the spooks without letting us verify if it works; and maybe finding that it's essentially a non-event. they fire up a calculator because it is -still in the sandbox- and cannot read any OS files; maybe not even any browser data.. Maybe it's just a cheezy java calculator that only shows they could bombard us with flash spam and not really exploit anythign of note.
In that case' if I was them, I'd do exactly the same, sell to the idiotically gullible (just shout terrorist and they'll sign) security industry; and hawk this around the IT pres to generate publicity, but never reveal how lame your 'hack' is.
Just change the "F" to a "T"....
Best practice always used to be to talk to the vendor first. These people seem to be saying that they'll only share their findings with their customers. Or to put it another way, if you want the information, you'll have to pay them.
White hat? Hardly. Possibly not black hat, but maybe brown....
...for this type of crappy attitude. Besides, does this open them to Google's lawsuit?
...that's only government customers (and no information as to which governments they mean). Meanwhile, until Google or some other white hat with better than half a clue burns time and expertise in a redundant exploration for the same problem so Google can fix it, everyone other than this government elite must slog along with a browser with a known vulnerability that its creator cannot yet fix.
Their website says explicitly that they will sell the information to the government... I wouldn't exactly call that "white hat"
There needs to be a new hat color....
Anyone disagree with "BROWN HAT", because it entails something oozing from en(d)trails... and often smells, generates yells, and fills odious well...
So they broke a browser running on Windows, you'll excuse me if I don't find that cause for alarm. Now if they can demonstrate the same issue on an Apple, or on a Debian / RedHat / xBSD system, then yes, its cause for short-term alarm.
So an exploit that might impact millions of computer users is less important than one that might impact a few tens of thousands of computer users?
You need to get your priorities sorted out.
Windows runs on most of the machines on the planet. Why would you not be concerned if most of the machines on the planet were vulnerable to this exploit?
"The Vupen researchers said they plan to share technical details of the exploit only with government customers “for defensive and offensive security."
i think i hear the sound of cash registers <kerching>
Obviously $3133.7 is a laughable amount of money to these white hats
Why is it that they didn't show the process list *after* the exploit? Plus, someone could easily push something to execute from remote. I just can't trust this video. It might be true, but it seems fishy.
As far as I can see, the key problem is evidence.
That video proves exactly NOTHING - for all you know, the person who recorded it could have created a webpage with "you've been pwned" (which is a juvenile phrase in itself), and pressed Windows-R, "calc" while the video was running.
If you observe, the "calc" process does not seem to have been spawned as a subprocess of Chrome - they obscure the part where you could see this.
So, as far as I can tell this is BS - this is not a zero day vulnerability, this is a zero PROOF one. Until I hear a confirmation from a 3rd party that has some credibility or from Google, this has just been a pretty cheap attempt to get their, *cough* services *cough* advertised on the back of Google.
If I were Google I'd filter them out of the search results, but that would suggest a sense of humour on their part.
Oh, they did achieve something, though. Now the world knows you should never use them for anything sensitive - God knows who they'll sell to..
This is possibly a PR bomb for them, but it tells us there's probably real money being made by such companies selling exploits to highest bidders
It's not clear from the video they do anything other than run the pre-installed Windows calculator. Which is still bad but not the same as downloading an app as well. Did I miss the evidence or do we have to take their word for it - why not download a custom app that makes this clear?
"We are (un)happy to announce.."
Sounds like you have a nice little product in your sales portfolio now. And loads of free publicity for the fact? Why would you be (un)happy about that?
If there is some text on your browser window which says "Your browser is being pwned!" then just turn off the machine!
do you expect from a commercial operation that holds valuable information? They could tell google about it, leading to an immediate fix and destroying the value of the information, or they could sell it to the highest bidder (who will presumably use it to spy on people and shut down nuclear power projects in hot countries.)
Let's face it, this is worth more than $3000. Come on google, get out a big bag of bling, we don't want anyone spying on us but you.
So -- the old protection racket, then? Or what else would they mean by "offensive" security... Asshats, as someone above said, sounds about right.
All it takes is psexec to do the same looking thing from a different computer, that could explain the wait, "starting psexec service on remote computer" or whatever it is.
Well I must congratulate this bunch of utter twats!
The first thing that's going to happen is they people will dump a perfectly good browser and find another one. I don't use Chrome but there's nothing wrong with it from I hear. This will make these nobs feel like heroes until their management realise they have seriously pissed off Google ( do I hear the sound of very expensive Italian shoes that only those in the legal profession could afford? ) who drag these dingbats through the courts to get the information that's rightfully theirs.
Security researchers then get painted in a poor light as a bunch of money grabbing dirtbags ready to make a cheap buck of anything they can find a hole in.
There's holes here alright, some serious big a-holes!
Ummm wth is with the "oh noes Vupen researchers are evilz as they is not giving away their infos for free!!!111!!" posts on here?
Vupen pay their researchers to find issues like this. They then use that information to make money. It's not exactly a new business model is it? If you want the info buy it. If you can't afford it or don't like the price tag, find a way to do without.
Security researchers are under no more duty to disclose the info for free than drug researchers are to provide patent free info on how to make new drugs. You may *wish* they were, but let's be honest here - would you spend millions developing something new if you were then obliged to give it away free? What you are advocating (not just Fuzzy, but everyone on here complaining about Vupen) is Communism. Last I checked it didn't work so well.
If you want to blame anyone blame Google for their coding (or is that reserved for MS?), and their p*** poor "bounty". I'm sure they'll be looking through their code for the causes and looking to fix it. In the mean time feel free to take precautions if you feel you are a target for government hacking (like remembering to take your lithium*).
* not aimed at anyone particularly - just a note that if you believe "they" are out to get you, and you are reading El Reg, chances are you forgot to take your pills this week.
Responsible disclosure is not Communism -- and nobody is requiring security researchers to give the info away. The article didn't say that Google would have to pay for the info. It said that Vupen WOULD NOT PROVIDE the info to Google.
Oversimplifying others' arguments is not a sound basis for your own argument. Nobody's advocating Communism, and only a few of us on here believe there's a government out to get us ; )
Selling anything for "offensive" purposes is not an ethical business practice. Just about any other action by Vupen is acceptable, until you throw in the combination of not even offering the info to Google (i.e, violating a standard white-hat principle by not working towards a fix) and specifically offering the exploit for sale for offensive purposes (i.e, violating another standard white-hat principle by actually using or selling the exploit for use.)
Software is complex enough nowadays that blaming a developer for a security flaw in their millions of lines of code is akin to blaming an engineer because one component of a jet didn't perform to specification. It may make you feel better, but it doesn't make the rest of the jets out there any safer.
Umm, I think you ought to re-read the post - I said requiring ppl to give away things of value for the benefit of society is equatable with Communism. Ppl are commenting how Vupen should be *required* to give the info to Google for free (or at the very least for much less than it is worth). That can be compared with Communism.
If we required such things of ppl, why would anyone bother to research anything? Research costs money. We currently seek to recoup that by monetising our investment in research, usually by selling the info or a product created as a result of the new knowledge gained.
I think you ought to read the SANS definition of Responsible Disclosure too. It specifically and intentionally draws a distinction between "white hats" and "security firm[s]". Vupen are not the only security firm to follow this practice - it is industry standard to use the info you find (i.e exploits) to protect your clients who pay a princely sum for 0-day protection. I don't see you complaining about them. Sometimes they sell that info to the vendor, but they never just give the info to the vendor for free.
Vupen will provide the details to Google. If they pay. You reckon that they would refuse to hand over the details in return for £10bil? No, of course not (Vupen is backed by venture capital whose one and only purpose is to generate return on investment). The fact is Google won't pay what others will, and the "others" will pay a rather higher sum if the info is *only* provided to them.
The info is clearly less valuable if Google are sold it too. If Google want it, then they need to pay the market rate.
Saying that Vupen and others are "ass hats" doesn't strengthen your argument. Quite the contrary unfortunately.
Don't you guys know anything about standard exploit procedure?
You always launch calc to show that you have access to execute arbitrarily code. And Vupen would never lie about something like this, so this has to be true.
Why don't the they sell the exploit to google? Well, I think it's more worth than (2x) $1337. Is this the right thing to do? Nah, but it's profitable.
Not to mention they are using a pic of the Birmingham Bull Ring in a corporate video. Do they have permission for that? :)
Hands up who only read the press release.
From VUPEN's "about us" page:
"VUPEN follows a private responsible disclosure policy and reports all discovered vulnerabilities to the affected vendor under contract with VUPEN, and works with them to create a timetable pursuant to which the vulnerability information may be publicly disclosed."
From the Press Release:
"... the exploit code and technical details ... are exclusively shared with our Government customers as part of our vulnerability research services."
(note the mention of their "vulnerability research services")
From the info page on VUPEN's Threat Protection Program:
"VUPEN Threat Protection Program (TPP) aims to deliver exclusive and highly technical research reports and attack detection guidance for undisclosed vulnerabilities discovered in-house by VUPEN researchers, providing timely, actionable information and guidance to help mitigate risks from unknown and critical vulnerabilities or exploits. This is a proactive approach to aid governments and corporations in making decisions in response to potential threats on a real-time basis and in advance of public disclosure, applying appropriate protective actions and maintaining a secure environment while the affected vendor is working on a patch."
In other words, VUPEN will notify Google of the vulnerability (eventually), thye just won't provide exploit code or the technical research reports. It is then up to Google to decide what information about the vulnerability they disclose to the public.
... that spawning a new process for a browser with a non-privileged account isolated from the file system with something akin to chroot would go a long way of mitigating the effects of any exploit.
You mean like the Chrome sandbox, say? You know, the one that they managed to break out of...