back to article Mystery Chrome 0-day exploit to be unveiled in India on Saturday

A Georgian security researcher is due to present details of an unpatched vulnerability in Google's Chrome browser at the Malcon security conference in India over the weekend. Years ago the circumstances of Ucha Gobejishvili's presentation would hardly have raised an eyebrow but that was before Google began offering up to $60, …

COMMENTS

This topic is closed for new posts.
  1. hugo tyson
    Pint

    DLL?

    Does this mean it's Windoze only?

    1. Anonymous Coward
      Anonymous Coward

      Yawn

      "Does this mean it's Windoze only?"

      No. But it may mean that it's Windows only.

      There's only one thing more tiresome than Windows and that's 'Windoze' (or your preferred tedious variant of choice).

      1. Anonymous Coward
        Anonymous Coward

        Re: Yawn

        See also: Farcebook, Micro$oft, Crapple, sheeple etc. etc.

        Ha-ha, ha, ha, i see what you did there, you are "hilarious" and original.

    2. TeeCee Gold badge
      Facepalm

      Re: DLL?

      Depends whether that's DLL as in ".dll" in which case it may be, or DLL as in the generic term "Dynamically Linked Library" in which case it quite probably isn't.

      While all ".dll"s in Windows should be DLLs, not all DLLs out in the world have ".dll" appended to the name.

  2. JDX Gold badge

    a demo of the first Windows Mobile 8 malware

    Skype?

    (I don't agree but figured it would get a giggle)

    1. TeeCee Gold badge
      Happy

      Re: a demo of the first Windows Mobile 8 malware

      Don't knock it. Now they've got the irrelevance of the 8 version sorted out, the Skype devs have been freed up to do other things.

      New version for Android shipped and actually works[1]. Yippee.

      [1] That's "works" as in doesn't go titsup.com rather than connect if you flip tails rather than heads, has video that actually moves and can be used with the device's internal mic without the other end needing the volume wound up past 11.

  3. Anonymous Coward
    Anonymous Coward

    penetration tester?

    Thought this was a Bootnotes story for a minute

  4. Anonymous Coward
    Anonymous Coward

    Youthfulness

    I'm not surprised at the callowness of some of the high profile conference participants - it all means so much more when you are in your teens and there are more spare hours where for your own sanity you need to keep your brain distracted from the contents of your trousers.

    In my day it was Prestel or the school EcoNet but I'm sure the fundamentals are not too different.

    And they won't be wowed & distracted by four colour digital images of Midge Ure at Live Aid.

  5. Eddie Edwards
    Facepalm

    A little background ...

    If it's the same Ucha Gobejishvili that discovered these beauties, then Google probably haven't stopped laughing since his speech was announced:

    https://code.google.com/p/chromium/issues/list?can=1&q=reporter%3Alongrifle0x

    He's been trolling Google with these all year. Exploits discovered include making the status bar say something that isn't the URL of the link you're hovering over, by using the Javascript API that lets you do that.

  6. Anonymous Coward
    Anonymous Coward

    Most of the "exploits" this researcher has found aren't exploits. The only reason he is even newsworthy at the moment is because he claims to have an exploit (very likely he doesn't going by his track record) but doesn't want to sell it or get a reward for it.

    The Firefox 13 "remote DoS" he came up with is running Javascript on a page and just creating a massive variable to use up memory.

    A previous security report he made about Chromium is the same. Running Javascript and using up lots of memory so that tab will crash. You can find all his other reports on the Chromium bug tracker and they're all invalid reports as they're not security flaws.

    The video converter "buffer overflow" involves creating a brand new DLL with his exploit code in. Why bother writing a buffer overflow if you've already got the ability to create and run a DLL in that process?

    The one place he does have some success is with SQL injection and XSS flaws. He's clueless about actual buffer overflows and other code execution flaws.

    1. Anonymous Coward
      Anonymous Coward

      Re: A little background ...

      He does seem rather keen to make himself look like a complete idiot.... frankly if that is all he can come up with then I suspect his 0 day exploit is just another pile of poop.

  7. Matthew Anderson

    Heard it all before, and now we will get the run down on some half assed exploit that requires more than your average exploit to be vuln to the masses. I can hear all the sighs of relief now after said conference is done.

  8. amanfromMars 1 Silver badge

    Instant Flash Mobs for Crash and Burn Situations ...... Dire Straits

    He says he's holding off on publishing details because the issue is dangerous, though paradoxically he doesn't seem to be working with Google in helping to develop a fix. He doesn't appear to be working with exploit brokers either. Gobejishvili's general reticence is shrouded in some mystery.

    Some bugs are dangerous and cannot be fixed. Then do things move on to the organisation of exploitation. One then can fully understand and commend reticence for shrouding mysterious discoveries.

    Such times in CyberSpace are as a loded pause to consider one's general position and specific direction of wished travel.

    1. Anonymous Coward
      Coffee/keyboard

      Re: Instant Flash Mobs for Crash and Burn Situations ...... Dire Straits

      Are you ill from Curiosity? That was coherent and reasonable.

  9. Joe__S

    Makes perfect sense to me

    1. Find exploit

    2. Make the news by not excepting Googls $60k

    3. Wait for some shady figure to offer you over $60k for it

    4. If they don't then take Google's offer

    Joe

    1. TeeCee Gold badge
      WTF?

      Re: Makes perfect sense to me

      I think (4) has a bit of a problem. If he details it at a conference and Google then use the information to find and fix the problem, he's a bit stuffed there.

      What were you thinking? The vuln's his IP[1] and he could sue if they fix it without paying him?

      [1] If there are any IP lawyers reading, there is a world of difference between sarcasm and a bloody brilliant idea. Not that you're likely to understand that.......

  10. Anonymous Coward
    Anonymous Coward

    So.....

    .... it's Sunday morning here in the US... so where is this amazing 0-day exploit then???

    1. Anonymous Coward
      Anonymous Coward

      Re: So.....

      I'm waiting, too.

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2019