Google Engineers Deny Hack Exploited Chrome

Posted by samzenpus
from the pics-or-it-didn't-happen dept.
CWmike writes "Several Google security engineers have countered claims that a French security company, Vupen, found a vulnerability in Chrome that could let attackers hijack Windows PCs running the company's browser. Instead, those engineers said the bug Vupen exploited to hack Chrome was in Adobe's Flash, which Google has bundled with the browser for over a year. Google's official position, however, has not changed since Vupen said it had sidestepped not only the browser's built-in 'sandbox' but also by evading Windows 7's integrated anti-exploit technologies. But others who work for Google were certain that at least one of the flaws Vupen exploited was in Flash's code, not Chrome's. 'As usual, security journalists don't bother to fact check,' said Tavis Ormandy, a Google security engineer, in a tweet earlier Wednesday. 'Vupen misunderstood how sandboxing worked in Chrome, and only had a Flash bug.' Chris Evans, a Google security engineer and Chrome team lead, tweeted, 'It's a legit pwn, but if it requires Flash, it's not a Chrome pwn.'"
  • by Haven (34895) on Thursday May 12, 2011 @10:18AM (#36107348)

    Time to treat it as such.

    • by LWATCDR (28044)

      A bit harsh but between chrome.angrybirds.com and HTML5 Video Flash is going to be at best a legacy technology.
      Anyone know any good tutorials on javascript/HTML5/WebGL?

      • by Grishnakh (216268)

        I'm pretty sure O'Reilly has a bunch of books on HTML5.

        Not that I'd ever endorse a Microsoft solution, but I wonder how Silverlight/Moonlight compare to Flash in security (not to mention just plain being a total POS). Flash is a disaster, and we need to move away from it.

        • No one uses it so it's totally secure.
          • by Grishnakh (216268)

            Not true. I've seen Silverlight/Moonlight used on Microsoft sites, such as yesterday's Slashdot article about the MS guy who collects weird computer gadgets. The article linked to a Microsoft page that was basically a virtual museum with all his devices (weird keyboards, mice, etc.), and to view it, you could choose either HTML or Silverlight.

            Of course, I can't recall seeing any non-MS sites requiring Silverlight.....

            • by _0xd0ad (1974778)

              Doesn't Netflix require Silverlight?

              • by Grishnakh (216268)

                Good call, I totally forgot about that. That's a pretty big one.

              • by Rob Y. (110975)

                They require silverlight to stream movies, but the rest of the site doesn't.

                • by _0xd0ad (1974778)

                  That was what I meant... but what's there to do on Netflix other than stream movies? Then again, I don't use it, so maybe I just wouldn't know.

                  • by Cinder6 (894572)

                    Rent movies from the regular mail-in rental service. The streaming selection can be pretty horrendous outside of TV episodes.

        • by n0-0p (325773)
          I've audited parts of Silverlight in the past, and it's actually quite good. Most importantly, I've reported some vulnerabilities and they turned around the fixes much faster than other Microsoft product teams I've reported against.
    • by jo42 (227475)

      Anyone care to speculate just why Flash is so full of security holes?

      You'd think that one of the largest and most talented software development companies based in a region of earth with some of the best, brightest and most educated software engineers with access to the best tools of the trade in the solar system could get such a minor piece of code right...

      • by Aerorae (1941752)
        Not that I know any better, but it wouldn't surprise me if they've never stopped building off of Macromedia's Shockwave code.
      • by tukang (1209392)
        Acrobat is just as bad so I'm going to guess that their software engineers aren't as good as you think or they have serious management problems. Either way, the problem is with Adobe and not a technical one.
        • Same probs as MS Office, I'd wager. The desire to drive new sales through new corporate corner case features that no users really want, drives huge security architecture issues into the product that manifest as endless bugs like this. Smart engineers spend all their time patching b/c they are not consulted on the big design issues which create these problems. Security, as usual, is an after thought.

      • You'd think that one of the largest and most talented software development companies based in a region of earth with some of the best, brightest and most educated software engineers with access to the best tools of the trade in the solar system could get such a minor piece of code right...

        Outside of largest, that description doesn't really apply to Adobe.
      • by NoSleepDemon (1521253) on Thursday May 12, 2011 @11:48AM (#36108734)
        Being one of those not so rare flash developers that hates flash, I would indeed care to speculate

        Our investigation begins no further than the massive kludge that is the Flash interface. The program has been designed for both developers and designers alike, and where the two meet, there are dragons... and exploits. The Flash IDE suffers from some truly awful bugs (dragging tabs, resizing tweens, replacing text in the text editor to name but a few), then there are the game breakers like font positions appearing differently on PC vs Mac. So Adobe's difficulty in creating a program that unifies two different ways of thinking is already apparent.

        Putting aside sloppy interface design, a big problem with Flash is that AS3 has still not been adopted by the majority of 'developers'; IAB standards in fact mandate the use of Flash Player version 8, which uses AS2 / ActionScript Virtual Machine 1. One of their reasons being that Flash 9 is too slow (rubbish, it's 10x faster). So because AS3 is not the standard, each and every time you run Flash Player, you're also running Flash Player with support for Flash all the way down to version 1 (which was shaky to begin with), and all the bugs that entails. Simply put, Flash is too much of a clusterfuck to fix; we're basically looking at AS2 being the IE6 of Flash.

        This link goes in depth about exploits in Flash: http://events.ccc.de/congress/2008/Fahrplan/events/2596.en.html [events.ccc.de] There was a video to it as well, but I can't seem to find it right now. The sheer ease with which Flash can be exploited is actually quite horrifying.
      • by 0123456 (636235)

        You'd think that one of the largest and most talented software development companies based in a region of earth with some of the best, brightest and most educated software engineers with access to the best tools of the trade in the solar system could get such a minor piece of code right...

        If you'd used Adobe Premiere prior to the total rewrite they did a few years ago you wouldn't be surprised that Flash is an insecure pile of poo.

      • by Macrat (638047)
        mod parent FUNNY!
  • by manonthemoon (537690) on Thursday May 12, 2011 @10:18AM (#36107350)

    It's a Chrome "pwn". If you bundle it, you own it. You see Apple going the opposite direction by un-bundling Flash because it didn't want to own the security issues and battery draining properties associated with it. They recognized their brand was getting tarnished via that association and decided to make Adobe stand on their own.

    • "It's a legit pwn, but if it requires Flash, it's not a Chrome pwn. Do Java bugs count as a Chrome pwn too, because we support NPAPI?" link [twitter.com]

      • by peragrin (659227)

        Flash is embedded into Chrome by Google. You can't remove it.

        Therefore the bug belongs to Google Chrome, because in Chrome, Flash is not just a plugin but an integrated piece.

        • by gad_zuki! (70830)

          Really? I just did about:plugins and clicked disable on Flash.

          Or use flashblock.

          Or start Chrome with -disable-plugins

          • by Omega996 (106762)
            there's a world of difference between disabling plugins/malware sinkholes and removing them. I agree with others that if Google's going to have their little reach-around agreement with Adobe and bundle their stuff in Chrome, then Google needs to take responsibility for the flaws/exploits/problems this causes or exposes.

            Maybe someday the Google collective will realize that improvement cannot be realized if one doesn't admit to one's mistakes and act on that information. No doubt that's "just around the corne
          • I think Flashblock should be installed by default on all major browsers.

    • by Rogerborg (306625) on Thursday May 12, 2011 @10:32AM (#36107588)

      Agreed. This isn't accidental, and Google aren't the victims here. If you benefit from shovelling a steaming pile of crap, you get to eat a piece of it from time to time.

      The problem here is that Flash is either a "plugin" or it isn't. If they decide that it is a plugin, then it is Chrome, and it's Google's problem. If they decide it's not a plugin, they should stop calling it one and letting it auto-run whatever content Joe Malware is serving up.

      But if they don't even acknowledge that there's a problem, then how on earth do they intend to solve it?

      • Will Chrome OS bundle flash or allow it to install?

        One of the selling points of Chrome OS is the security. If someone can PWN my laptop and keylog my user level password remotely then having my data on the cloud is dangerous. Right now even if someone compromises Flash my computer is protected by multiple levels of user access controls and backups. With Chrome OS once someone can access my account they can do it from anywhere without physical access.

        This is not a gripe about the cloud as much as it poin

        • by Omega996 (106762)
          I believe that question was answered by some of the Google I/O stuff yesterday - Flash is going to be an integral part of ChromeOS.

          I believe that ChromeOS will be secure just like I believe that 75% of businesses can do business using only ChromeOS - that is, not at all.
    • And if you need a car analogy: Ford and Firestone [wikipedia.org].
    • by geekoid (135745)

      That's not reasonable at all.

      They don't own the code to flash.

      And unbundling (debundling?) Flash doesn't help because the user will need to load it anyways.

      If Apple really cared, they would have a warning.
      http://www.apple.com/downloads/macosx/internet_utilities/adobeflashplayer.html [apple.com]

      All that said, yes I wish they wouldn't bundle it..in fact I wish no one would bundle it.

      • by Grishnakh (216268)

        The web browsers bundle it, or at least make it easy to load it as a plug-in, because so many sites (esp. YouTube) require it. If they didn't allow it to be loaded, users would be screaming bloody murder. Of course, with HTML5 supporting video natively, this shouldn't really be a problem any more, but you know how it takes forever for everyone to move to new standards.

        Maybe if the browser makers got together and agreed to lock it out in favor of HTML5, and Google got rid of Flash on YouTube in favor of HT

        • You can already view a lot of YouTube as HTML5 vids, or use separate YouTube applications on both desktop and mobile devices.

          • You can already view a lot of YouTube as HTML5 vids

            Newly uploaded videos and some of the videos most popular among the general public have been transcoded to WebM, but transcoding the "long tail" will have to wait.

            • by tlhIngan (30335)

              Newly uploaded videos and some of the videos most popular among the general public have been transcoded to WebM, but transcoding the "long tail" will have to wait.

              Have multiple browsers then - the long tail is still served up as h.264 since the flash based player does h.264 for the higher qualities.

              Though you raised an interesting question about that - since the majority of YouTube videos are still in h.264 format, and Chrome can't play them now since it dropped h.264 in favor of WebM...

    • by mellon (7048)

      This is true, but it's actually worse than that. Chrome claims to sandbox plugins. If the exploit pwnz0red the Flash plugin, but the sandbox prevented the exploit from getting any further, that would be a success. Likewise, if the exploit is able to break out of the sandbox, that's a failure. It's a failure of Chrome, as well as a failure of Adobe's malware^H^H^H^H^H^H^Hplugin.

      • From TFA:

        "The Flash sandbox blog post went to pains to call it an initial step," said Evans [from Google]. "It protects some stuff, more to come. Flash sandbox [does not equal] Chrome sandbox."

        The blog Evans referred to was published in December 2010 [chromium.org], where Schuh and another Google developer, Carlos Pizano said, "While we've laid a tremendous amount of groundwork in this initial sandbox, there's still more work to be done."

        So yeah, but no, Google never claimed the Flash plugin was inside the Chrome sandbox; it's still a work in progress apparently. Of course that doesn't negate the fact that Flash is bundled with Chrome and therefore all Chrome users are vulnerable. Still, most users would've installed Flash anyway; this way Google has at least some control over the security issues (though obviously not enough).

        Flash is not going away for awhile, especially as long as people keep using outdated browsers en masse and H

    • by gad_zuki! (70830)

      Adobe isn't giving them the code to Flash. I'm sure Google could do a better job than them if they had the code. Google, as well as all browser makers, are in the unfortunate position of dealing with this dangerous binary blob that everyone wants as a plugin.

      Google responsibly tried to sandbox it, and that sandbox has worked very well, but it's no guarantee against Adobe's shit code. Not to mention, if they didn't auto-update it, then end users would never do it, thus more exploits. The sandbox isnt even the

      • by GIL_Dude (850471)
        You could actually see that the calc.exe process in the video Vupen put out was running at a medium integrity level (which is standard user). It did not escape UAC and get elevated to the high integrity level. The person recording had Process Monitor open and displaying the column that shows the integrity level. So it would depend on what the exploit was trying to do. If it was "delete user files" or "send user information to some web site" the exploit would work fine. If it was "install this malware that requ
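        The integrity-level observation above is exactly the check a defender repeats when triaging a sandbox-escape claim: did the spawned process stay at Medium (standard user), or did it reach High or System past the UAC boundary? The following Python helper is an added example and not code from the thread or from Google; it reads the mandatory-label SID (S-1-16-<RID>) out of `whoami /groups` output instead of Process Monitor's column. The two sample outputs are constructed and abbreviated, and `current_integrity_level()` only works on a Windows host because it shells out to whoami.exe.

```python
import re
import subprocess
from typing import Optional

# Mandatory integrity levels, keyed by the RID of the S-1-16-<RID> label SID.
INTEGRITY_LEVELS = {
    0x0000: "Untrusted",
    0x1000: "Low",
    0x2000: "Medium",
    0x3000: "High",
    0x4000: "System",
}

# Constructed, abbreviated sample of `whoami /groups` for a standard-user token,
# the level a non-elevated calc.exe would inherit.
SAMPLE_WHOAMI_MEDIUM = """
GROUP INFORMATION
-----------------

Group Name                             Type             SID          Attributes
====================================== ================ ============ ===============
Everyone                               Well-known group S-1-1-0      Mandatory group
BUILTIN\\Users                          Alias            S-1-5-32-545 Mandatory group
Mandatory Label\\Medium Mandatory Level Label            S-1-16-8192
"""

# Constructed sample for a UAC-elevated administrator token.
SAMPLE_WHOAMI_HIGH = """
Group Name                           Type             SID          Attributes
==================================== ================ ============ ===============
BUILTIN\\Administrators               Alias            S-1-5-32-544 Enabled group
Mandatory Label\\High Mandatory Level Label            S-1-16-12288
"""

# Only the label SID authority (16) is matched; user/group SIDs such as
# S-1-5-32-545 are ignored.
LABEL_SID = re.compile(r"\bS-1-16-(\d+)\b")


def parse_integrity_level(whoami_output: str) -> Optional[str]:
    """Return the integrity level name encoded in the token's label SID, or None."""
    match = LABEL_SID.search(whoami_output)
    if match is None:
        return None
    rid = int(match.group(1))
    return INTEGRITY_LEVELS.get(rid, f"Unknown (RID {rid})")


def is_elevated(whoami_output: str) -> bool:
    """True when the token runs at High or System, i.e. past the UAC boundary."""
    return parse_integrity_level(whoami_output) in ("High", "System")


def current_integrity_level() -> Optional[str]:
    """Query the live token of this process; Windows only (shells out to whoami.exe)."""
    result = subprocess.run(["whoami", "/groups"], capture_output=True, text=True, check=True)
    return parse_integrity_level(result.stdout)


if __name__ == "__main__":
    for name, sample in (("standard user", SAMPLE_WHOAMI_MEDIUM),
                         ("elevated admin", SAMPLE_WHOAMI_HIGH)):
        print(f"{name}: {parse_integrity_level(sample)} (elevated={is_elevated(sample)})")
```

        Running `whoami /groups` from inside the process whose privilege you want to assess (for instance a command prompt spawned the same way as the payload) gives the same answer Process Monitor's Integrity column shows; a Medium result means the escape stopped at standard-user rights, which still covers the user's own files and network access.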
      • I'm sure Google could do a better job than them if they had the code

        You clearly haven't worked on a badly hacked 20 year old project. I shudder to think about what an awful mess Flash is internally.

      • by rsborg (111459)

        Adobe isnt giving them the code to flash. I'm sure Google could do a better job than them if they had the code. Google, as well as all browser makers, are in the unfortunate position of dealing with this a dangerous binary blob that everyone wants as a plugin.

        That's the nonsensical part, apparently *someone* wants it as a plugin... either that's the users (blame the user!) or it's Google (thanks to DoubleClick acquisition)

        I contend that Google began their path to the dark side the moment they put their hands upon Doubleclick... they were corrupted by the evil that is inherent in pure advertising (advertising being basically social engineering).

    • by Grishnakh (216268)

      Sorry, I don't buy this. Apple can un-bundle Flash on their iPhones because no one cares that much about looking at Flash sites on their iPhone. People are OK with their phones being limited in capabilities compared to their main computer; after all, the screen is tiny and you can't see much on it, so you're probably not going to be surfing a lot of Flash-heavy sites. On a desktop/laptop computer, however, it's a different story. Not supporting Flash means locking people out of a LOT of websites, most n

      • the most popular use of Flash is video

        But even once video is converted to HTML5, several remain:

        • Vector-animated short films, such as Homestar Runner or Weebl and Bob or half of Newgrounds. These would become ten times bigger if rendered to WebM or MP4.
        • Games, such as FarmVille and the other half of Newgrounds. Should these use SVG or Canvas? Neither works on IE on XP.
        • Applications that ask the user to turn on a webcam, such as online video chat.

        How do you recommend making those with HTML5 technologies?

        • by Grishnakh (216268)

          How do you recommend making those with HTML5 technologies?

          Vector-animated short films, such as Homestar Runner or Weebl and Bob or half of Newgrounds. These would become ten times bigger if rendered to WebM or MP4.

          Render them as WebM or MP4 and deal with the size increase. Let people download them if necessary, rather than streaming them.

          Games, such as FarmVille and the other half of Newgrounds. Should these use SVG or Canvas? Neither works on IE on XP.

          Use SVG or Canvas and tell the users to upgrade to ano

          • by _0xd0ad (1974778)

            Or make a special browser plug-in for this, as Google does with Gmail video chat. Google's plugin doesn't seem to have all the problems Flash does.

            As much as I dislike Flash, asking everybody to invent their own wheel doesn't sound right either. Maybe Google's plugin doesn't have all the problems Flash does, but I don't want every damn website to have to install its own plugin to use the webcam. That's just begging to be back in the hell where users are required to install "codecs" to play this video and suddenly their machine is a botnet zombie.

            At least if there's one single interface between a website and the mic/cam we can do our best to ensure tha

            • by Grishnakh (216268)

              As much as I dislike Flash, asking everybody to invent their own wheel doesn't sound right either. Maybe Google's plugin doesn't have all the problems Flash does, but I don't want every damn website to have to install its own plugin to use the webcam. That's just begging to be back in the hell where users are required to install "codecs" to play this video and suddenly their machine is a botnet zombie.

              At least if there's one single interface between a website and the mic/cam we can do our best to ensure tha

          • by tepples (727027)

            Render them as WebM or MP4 and deal with the size increase.

            How would one deal with the bandwidth bill that the size increase causes? And especially for users on dial-up, satellite, or low-end DSL, the order of magnitude size increase means there's an order of magnitude chance that the user will click away from your site in favor of another site that uses Flash.

            Let people download them if necessary, rather than streaming them.

            Owners of copyright in the underlying work, such as background music in a video, charge substantially more for downloads than for streams.

            Use SVG or Canvas and tell the users to upgrade to another browser that supports these.

            As I understand it, one has to be an administrator, as opposed to a li

            • by _0xd0ad (1974778)

              Owners of copyright in the underlying work, such as background music in a video, charge substantially more for downloads than for streams.

              stream === download

              They charge substantially more to people who don't know how to save a stream.

            • by Grishnakh (216268)

              Can the Google plug-in be used by other than applications hosted by entities other than Google? Or will each entity have to write its own plug-in for all six major platforms (Windows ActiveX, Windows NPAPI, Mac OS X, Linux, iOS, and Android) and get it signed with an Authenticode certificate and an iPhone Developer Program certificate?

              We're talking about webcams here. iOS and Android are for phones, and they don't have webcams. I suppose you could make it work with the built-in camera and speakers/mike on

    • by Svartalf (2997)

      Heh... If the sandboxing doesn't shield against a pwn of a bundled app or a non-bundled one, then it's not really sandboxing, now is it?

      It's a Flash AND a Chrome pwn.

  • by Anne Honime (828246) on Thursday May 12, 2011 @10:20AM (#36107396)
    If google bundles Flash with Chrome and the user's exposed to exploit, then it's pretty much google's responsibility for letting this happen in the first place. Doesn't invalidate VUPEN's claim one bit, as every chrome installation is still susceptible to direct exploitation.
    • by Jonner (189691)

      Yeah, Google claiming this isn't a Chrome bug is like saying that an IE exploit isn't a Windows bug.

  • by idontgno (624372) on Thursday May 12, 2011 @10:21AM (#36107414)

    You're saying Flash, running "inside" Chrome, is by definition outside of Chrome's sandbox? So it's not Chrome's fault, it's Flash's?

    Wrong. Flash is running inside the browser, the browser is running inside the OS, and the OS is running on the hardware. Clean encapsulation, and any leakage from one layer to the other is per definitionem the responsibility of the leaking layer.* So Flash is leaking through Chrome to the OS. Deal with it and stop lying.

    *BTW, GOOG, if you engineered it so that Flash runs "alongside" the browser, and not within the sandbox... you fail it. Your sandbox is worthless, your browser is worthless, and your word is less than worthless.

    • by ais523 (1172701)
      I think I agree with you. The major conclusion of this story is not that Flash is a buggy mess (we knew that already), nor that Chrome is necessarily exploitable (technically speaking), but that even Chrome's sandbox is useless at stopping Flash making for an easy attack surface.
    • by Anonymous Coward on Thursday May 12, 2011 @11:04AM (#36108016)

      You're saying Flash, running "inside" Chrome, is by definition outside of Chrome's sandbox? So it's not Chrome's fault, it's Flash's?

      Wrong. Flash is running inside the browser, the browser is running inside the OS, and the OS is running on the hardware. Clean encapsulation, and any leakage from one layer to the other is per definitionem the responsibility of the leaking layer.* So Flash is leaking through Chrome to the OS. Deal with it and stop lying.

      *BTW, GOOG, if you engineered it so that Flash runs "alongside" the browser, and not within the sandbox... you fail it. Your sandbox is worthless, your browser is worthless, and your word is less than worthless.

      Wow man, it's a fucking browser bug. They didn't come to your house and kick your dog.

      Wait...wait...Did Facebook pay you to post this?

    • by b4dc0d3r (1268512) on Thursday May 12, 2011 @11:11AM (#36108142)

      Since you used italicized Latin and referred to the company by their stock ticker symbol, I award your opinion extra weight. That you used an asterisked footnote to avoid ordering your thoughts coherently implies you are exactly the sort of free-thinking individual the rest of us should strive to be.

      I don't suppose you have a newsletter I could subscribe to?

    • by Anonymous Coward on Thursday May 12, 2011 @11:12AM (#36108146)

      The original blog post [chromium.org] notes that the sandbox for Flash is a "first iteration" and that there is "more work to be done". NPAPI plugins are a huge pain point for browser security since they've traditionally been able to do whatever they want; just throwing them in the normal Chrome sandbox would break them. Sandboxing a plugin like Flash happens in several steps.

      Does the initial sandbox have holes? Yes. Does it reduce the attack surface though? Yes. Is it going to be improved further to close those holes? Yes.

    • The Netscape team engineered it so plugins run alongside the browser, not Google. Google has been working to REENGINEER things so that it is possible for Flash to be sandboxed.
  • Missed the point (Score:5, Interesting)

    by Zerth (26112) on Thursday May 12, 2011 @10:21AM (#36107416)

    I thought the main reason Google had taken to distributing flash with Chrome was so they could sandbox it better than the regular shared version of flash the other browsers use? And better keep it up to date, as well, but mainly the former.

    I guess I was mistaken.

    • Re:Missed the point (Score:5, Informative)

      by Anonymous Coward on Thursday May 12, 2011 @11:06AM (#36108062)

      They do, but the sandbox for Flash isn't complete yet.

      They're right in that this is a flash vulnerability; it's exploitable regardless of which browser you're actually using. Marking it as a Chrome vulnerability does everyone a disservice by making people on other browsers think they're safe.

    • by rsborg (111459)

      I thought the main reason Google had taken to distributing flash with Chrome was so they could sandbox it better than the regular shared version of flash the other browsers use? And better keep it up to date, as well, but mainly the former.

      I guess I was mistaken.

      There are other reasons. Flash only exists because of the advertising business. Google wanted the keys to the advertising country-club but had to marry into it (Flash). Then they bought and fashioned WebM but decided in a bout of "purism" to ignore the existing standard H.264 in favor of WebM. Which bolstered the position of Flash since you still can't do video on all major browsers without it. Google probably also benefited in that hurting the "non-free" H.264 would also put their competitor Apple in a

  • A company takes care to actually go through code, assembly, source, any means really, figure out a hack that's specific to Chrome ... and somehow, they are the ones misunderstanding the code. Somehow that answer doesn't satisfy me :)

    Also, the answer would be equivalent to having my code use Sqlite as a dll, I bundle it in my package, I install it, it's mine ... but somehow when someone hacks my application through a (very theoretical - example only! move on trolls ;) ) sqlite bug, I would have the exit door

    • by Teppe (1839628)
      If the bug is in SQLite's code it isn't really your bug now, is it?

      When a bug is in a library you link with, you should warn your users of it and file a bug report if it's a bug that hasn't been fixed yet. If a new version has been released that fixes said bug, you update your program to use the new version. A developer can't be expected to be responsible for each and every bug in every library he uses in his program, but he should be held responsible for warning his users and updating his program to the
      • by cpct0 (558171)

        You see, that's exactly the kind of things people should never have to hear about a product. If I get a product, whether at $0 or $10,000, it should always be responsible for its own integrated tools.

        Let's say I buy an integrated specialized medical database using Oracle as backend. First, I shouldn't really have to care it uses Oracle. Is the product working or not? Yes or no. The reason why a specific request would fail "because it's an Oracle bug" is moot; the vendor decided to use Oracle, it should vouch b

  • By that logic... (Score:4, Interesting)

    by xyourfacekillerx (939258) on Thursday May 12, 2011 @10:22AM (#36107432)
    All the Malware/Virus problems windows has that can be attributed to 3rd party programs, this means now Microsoft is vindicated? My question is, does this Flash exploit work in other browsers? Or does it specifically take advantage of something wrong with Chrome? Cos if it's the latter, then whether it's a "Flash problem" or not, it still means Chrome is the vector.
  • It's a legit pwn, but if it requires Flash, it's not a Chrome pwn.

    If the dike fails and the land gets flooded, who cares if the dike was earth or stone? The point is that the place is flooded.

    And that analogy is apropos considering what's going down here. [www.cbc.ca]

    • by hedwards (940851)

      As somebody that doesn't use Chrome, it makes a big difference to me. If it were a Chrome specific pwn, then I wouldn't have to worry about it. As it is, I have to worry because it's a Flash specific.. Er, never mind, it's not like I trusted Flash previously.

  • don't bundle (Score:5, Insightful)

    by fermion (181285) on Thursday May 12, 2011 @10:31AM (#36107584)
    Years ago Flash was actively bundled with Safari on Apple. It was so bundled that when one updated Safari, Flash would be restored. It was impossible to remove Flash from an Apple computer because once Flash was on the computer, it infected all browsers. The issue, for those who love Flash, was that the number of Flash components on a web page often overwhelmed my computer. Of course when Camino had Flash blocking, Apple autoloads of Flash were not an issue.

    The Google response reminds me of when MS was in the habit of using PR to quash security reports instead of writing good code. Someone would come up with an exploit and MS would say it was not a well configured, updated system, so fixing the code that fell to the exploit was not the responsibility of MS. The security people would then run the exploit again with a fresh out of the box installation with all updates, and the machine would again be compromised. MS would then respond by saying that the user could easily configure the machine to not fall to the exploit, so it was a user issue and not an MS issue. The thing is that if the out of the box configuration is not secure, then the machine is not secure. If an Android phone comes with Flash out of the box, and Flash is not secure, then the machine is not secure. It does not matter how fancy and pretty and secure the rest of the code may be.

  • Anything short of running in a VM (hardware supported or purely in software), is not a "sandbox" in my book.

    It is a Chrome flaw introduced by Google's use of the word "sandboxed" that really doesn't imply a sandbox at all.

    Additionally, compiling JS to machine code and having Chrome execute that data is not "sandboxing" either.

    A flaw in my VM's interpreter that allows code to escape the sandbox is one thing; running non-virtualized machine code that itself can be exploited is quite another.

    At some point, you must stop, wipe your brow, and consider your trek through the desert -- Is there really an edge to this sandbox? Did I miss the line drawn in the wind-swept sand or have I been lied to yet again?

    • by hedwards (940851)

      I've taken to doing my banking in a virtual box session just to make it that much easier to keep things secured. It's not perfect, but if I'm not actually using it, the VM is not loaded and when it is, it's less likely that something which gets installed on my main computer will affect the virtual session.

  • by OrugTor (1114089)
    Does anyone else find "pwn" to be fucking annoying?
  • then it is google/chrome's fault, and google should quit bundling flash and let Adobe maintain their plugins...
  • If it shipped in Chrome, it's code Google distributed. Google-pwn.

  • No matter how much you want it to be gone, Flash is like ActiveX and IE. A necessary piece of software for many production applications in use today. To take those pieces away means costing corporation several thousands if not millions in re-inventing their wheels. Corporations don't like to that, and many IT budgets aren't fat enough to do it. No matter how much Steve Jobs bitches about it his argument is irrelevant - at least at this point in time.

    It will take the industry a good many years to shift aw

  • by topham (32406)

    You integrated Flash into the god-damn browser, that makes it a browser vulnerability.
