Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Chrome Google Security Technology

Researcher Claims To Have Chrome Zero-Day, Google Says "Prove It" 106

chicksdaddy writes "Google's been known to pay $60,000 for information on remotely exploitable vulnerabilities in its Chrome web browser. So, when a researcher says that he has one, but isn't interested in selling it, eyebrows get raised. And that's just what's happening this week, with Google saying it will wait and see what Georgian researcher Ucha Gobejishvili has up his sleeve in a presentation on Saturday at the Malcon conference in New Delhi. Gobejishvili has claimed that he will demonstrate a remotely exploitable hole in the Chrome web browser at Malcon. He described the security hole in Chrome as a 'critical vulnerability' in a Chrome DLL. 'It has silent and automatically (sp) download function and it works on all Windows systems,' he told Security Ledger. However, more than a few questions hang over Gobejishvili's talk. The researcher said he discovered the hole in July, but hasn't bothered to contact Google. He will demonstrate the exploit at MalCon, and have a 'general discussion' about it, but won't release source code for it. 'I know this is a very dangerous issue that's why I am not publishing more details about this vulnerability,' he wrote. Google said that, with no information on the hole, it can only wait to hear the researcher's Malcon presentation before it can assess the threat to Chrome users."
This discussion has been archived. No new comments can be posted.

Researcher Claims To Have Chrome Zero-Day, Google Says "Prove It"

Comments Filter:
  • by Tontoman ( 737489 ) * on Wednesday November 21, 2012 @10:55PM (#42063487)
    He certainly has a history of uncovering exploits. Here are his youtube videos: http://www.youtube.com/user/longrifle0x [youtube.com]
    • by Anonymous Coward on Wednesday November 21, 2012 @11:04PM (#42063521)

      He's doing it for fame, not for profit. By selling out a single hole, he gets a one-time check. By talking about it in the abstract, he gets attention. Perhaps a lot of attention, and people listening to him speak. Some people value attention more than money.

    • by Anonymous Coward on Wednesday November 21, 2012 @11:05PM (#42063529)

      Sorry, but this is one of the most clueless security researchers on the planet.

      See https://code.google.com/p/chromium/issues/detail?id=108651

      • by LordLimecat ( 1103839 ) on Thursday November 22, 2012 @12:06AM (#42063823)

        I particularly like this part from his bug report:

        VERSION
        Chrome Version:Ubuntu 11.4 version
        Operating System: [Ubuntu 11.4]

        Man I love that version of chrome. What do you call a security researcher who cant even identify his platform in his bug reports?

        • Re: (Score:2, Insightful)

          by WindBourne ( 631190 )
          I would suggest keep in mind that some ppl are not native english speakers, and therefore make more mistakes.
          However, I do not believe that is the case here.
          • When you go to the Chrome "about" screen, I dont believe the words "ubuntu 11.4 version" ever pop up. I believe the version is an all numeric string that is the same regardless of what language you speak, like "23.0.1271.64 m"

    • Comment removed (Score:5, Informative)

      by account_deleted ( 4530225 ) on Thursday November 22, 2012 @12:50AM (#42063993)
      Comment removed based on user account deletion
    • by Anonymous Coward

      He has a video of the Google Chrome exploit that he discovered up already:

      http://youtu.be/AvkbhFmJcn4

      He can get your browser to launch an arbitrary application on your PC when you open a webpage.

      • Nope. That did not show that. Just the opposite. He had a browser up, clicks on what appears to be a .doc, which simply creates a tab. However, I did not see the browser exec an app.
        • So putty opened all by itself, right?

          • by seann ( 307009 )

            The word document, which was already on his local system, which is already preset to trusted which can execute macros, executed putty.

            • I thought so as well, but just ran the video again. Just dawned on me that he restarts the web page and putty comes up.
              Well, this guy MAY actually have something.
              • Well, this guy MAY actually have something.

                Or maybe the page has a hidden image loaded from a webserver running on localhost. The webserver is configured to start putty when someone connects...

                I did something like that 15+ years ago, so it's nothing new at all.

                • Correct. That is possible. However, why do that for the publicity? That is SUCH negative publicity that he would never work in software again.
    • by ameen.ross ( 2498000 ) on Thursday November 22, 2012 @06:05AM (#42064991)

      LMAO

      The very first video where he purportedly shows an Office 2010 0-day vulnerability ("it has silent and automatically download function"), I noticed he right clicked the desktop and clicked pressed "refresh"...
      He then moves on to show that he really is running Office 2010, and then he opens a link, not a word file, which opens MS Word and then opens a local, not silently downloaded, executable: Putty. He finishes by typing "1337" in the connectbox of Putty.

      There are unthinkably many scenarios that lead to this behavior, but this dude having been able to find an actual 0-day vulnerability in any software is not one of them.

      • and then he opens a link, not a word file

        How can you tell it's a link (and what do you mean by "link" - shortcut? URL file?) and not a Word file? The filename of whatever he clicks on (which admittedly doesn't look like any Word .doc icon I've seen, but I don't see very many) does seem to match the filename showing in the titlebar of the opened Word window.

        Not that I don't believe this guy really is clueless.

        • If you look closely sometimes you see the little icon that designates a shortcut. I don't know why it isn't visible all the time, may have something to do with the recorder he used. Also look at some of his other video's, he basically does the exact same thing everytime.

          He could have bound a keyboard shortcut to open Putty for all we know, and he just times pressing the combination to "prove" he has an exploit. Kinda stupid that he never ever gives the source for his exploits, maybe he's just furious that h

          • If you look closely sometimes you see the little icon that designates a shortcut.

            Oh, I see what you mean now - I think you've mistaken the optional Windows item selection checkbox for a shortcut indicator.

            http://www.sevenforums.com/tutorials/10111-select-items-check-boxes.html

            But yes, you're right, that video is proof of nothing.

            • Oh right, anyway it would still be anything, like a batch script of which he changed the icon or whatever.

    • by ark1 ( 873448 )

      He certainly has a history of uncovering exploits. Here are his youtube videos: http://www.youtube.com/user/longrifle0x [youtube.com]

      Notice the comment section was disabled on all his video. He certainly does not like having his crap exposed publicly.

    • Never trust a guy with 7+ vowels in his name...
      • Never trust a guy with 7+ vowels in his name...

        Do you know how easy it'd be for someone with a middle name to trip that heuristic? By that measure, you'd trust only one of the last five U.S. Presidents.

        • Ronald Wilson Reagan: oaioeaa (7)
        • George Herbert Walker Bush: eoeeeaeu (8)
        • William Jefferson Clinton: iiaeeoio (8)
        • George Walker Bush: eoeaeu (6)
        • Barack Hussein Obama: aaueioaa (8)
        • Never trust a guy with 7+ vowels in his name...

          Do you know how easy it'd be for someone with a middle name to trip that heuristic? By that measure, you'd trust only one of the last five U.S. Presidents.

          • Ronald Wilson Reagan: oaioeaa (7)
          • George Herbert Walker Bush: eoeeeaeu (8)
          • William Jefferson Clinton: iiaeeoio (8)
          • George Walker Bush: eoeaeu (6)
          • Barack Hussein Obama: aaueioaa (8)

          Your point being?

          But apples vs. oranges anyway. I don't know Ucha Gobejishvili's middle name (if he even has one), else I might have upped the minimum number, if I hadn't been completely joking... Though 7 vowels in just a first+last name seems excessive; I blame his parents.

          • if I hadn't been completely joking

            For me, it was just a fun thought exercise to see how your heuristic held up against real-world American names or otherwise plausible anglophone names like Stephanie Peterson: eaieeeo (7).

            Though 7 vowels in just a first+last name seems excessive; I blame his parents.

            For one thing, different languages have different standards for a last name. Russian, for example, has lots of surnames that carry the suffix "-ov" (fem. "-ova"), "-ev" (fem. "-eva") or "-in" (fem. "-ina"). Greek has the suffix "-opoulos", which corresponds to English "-son" but has four vowels by itself. I just wanted to

            • Dude(tte?). You have *way* too much free time. Although, I wish you had been in my college Semantics class way back when, instead of the lazy ass-clowns (hyphen intentional) who took it looking for an easy grade. I had to wait until after class to ask the professor any serious questions to avoid the ire of my classmates.

              Racism? Vowels don't see race, color, gender, etc ... - or orientation, though that (sometimes) "Y" is a little sketchy. Sure, maybe after a little wine... :-)

              BTW. Your example, "Steph

            • Georgian names aren't entirely dissimilar: "-shvili" is like "child of" (sort of like the Icelandic "-sson" or "-sonur"), and I wouldn't be surprised if "Gobeji" was the name of a village or something.

    • Maybe not so legitimate, but he is certainly an active hacker. For example : http://laetitia-schlumberger.com/index0.php [laetitia-s...berger.com] and http://horeblawski.eu/euricms/ [horeblawski.eu]
      Softpedia profiled this person in an article: http://news.softpedia.com/news/Hackers-Around-the-World-No-Flaws-Escape-This-Georgian-s-Longrifle0x-252180.shtml [softpedia.com]
      However, a subsequent comment by the author says:
      "When this article was published the researcher was a respected member of an important security research team. In the meantime, his work became
  • by Anonymous Coward

    Google Says "Prove It"
    World yawns

  • Clueless (Score:2, Insightful)

    by Anonymous Coward

    Maybe he's talking about this [google.com] lol. Or mybe this one [google.com]. tl;dr dude is clueless.

    • by Anonymous Coward

      oop link is https://code.google.com/p/chromium/issues/detail?id=108651

  • by Anonymous Coward on Wednesday November 21, 2012 @11:12PM (#42063569)

    This security researcher has a track record of not understanding even basic security concepts.

    Basic misunderstanding of "memory corruption" vs. an "out of memory" condition: https://code.google.com/p/chromium/issues/detail?id=108651

    Basic misunderstanding of web security and the capabilities of Javascript: https://code.google.com/p/chromium/issues/detail?id=148636

    This does not preclude the case where he's stumbled across something real, but it seems highly unlikely.

    • by Anonymous Coward

      Oh dear God, check this one:

      https://code.google.com/p/chromium/issues/detail?id=142864

  • by Anonymous Coward on Thursday November 22, 2012 @12:42AM (#42063961)

    I have discovered a truly marvelous exploit, which allows a remote attacker to compromise any computer regardless of OS, hardware, or software installed. Unfortunately, this post is too small to contain the details of it.

    • by micheas ( 231635 )
      There are many marvelous exploits that attack the problem existing between keyboard and chair.
    • by crutchy ( 1949900 ) on Thursday November 22, 2012 @02:26AM (#42064325)
      its not like the age old ctrl+F4 exploit that affects all browsers in all operating systems and has the uncanny result of closing which ever browser window you happen to be viewing... it even works on some other programs. i think it must be a bug in the processor or something.... stupid intel
    • Re: (Score:2, Insightful)

      by Anonymous Coward

      i don't think the repliers got the fermat's reference :)

    • I have discovered a truly marvelous exploit, which allows a remote attacker to compromise any computer regardless of OS, hardware, or software installed. Unfortunately, this post is too small to contain the details of it.

      The user?

      Looks like it fits well enough in this post...

    • by tlhIngan ( 30335 )

      I have discovered a truly marvelous exploit, which allows a remote attacker to compromise any computer regardless of OS, hardware, or software installed. Unfortunately, this post is too small to contain the details of it.

      Yeah, too bad you have to either be admin, give admin permissions, use sudo or be root, ...

      (You won't believe how many local "exploits" get reported where the prerequisite is that the user is administrator or root to begin with. Or require scripts to be run with similar permissions. (Hint:

  • If he gives this lecture and somebody watching figures out how it works, then that somebody else could claim the bounty.
    • If he gives this lecture and somebody watching figures out how it works, then that somebody else could claim the bounty.

      I just wish I was going to the conference. The lecture is sure to be fun.

  • by Anonymous Coward

    "it works on all Windows systems,"

    Stopped reading after that

  • I did some analysis (too advanced and secret for me to disclose) and came up with this [rodneyolsen.net]. Needless to say it's almost an exact match for his photo in the article. No wonder he's not disclosing his 0-day.

  • by PPH ( 736903 ) on Thursday November 22, 2012 @12:05PM (#42066841)

    I'm sure this will attract more attention to the MalCon tent.

  • I can't believe MalCon is letting this guy present based on the other examples posted in this story of how clueless this guy is. If I was running MalCon I would DEMAND evidence of an actual exploit before agreeing that he be allowed to present anything this stupid and discredit the whole conference.

After all is said and done, a hell of a lot more is said than done.

Working...