Google Engineers Deny Hack Exploited Chrome
CWmike writes "Several Google security engineers have countered claims that a French security company, Vupen, found a vulnerability in Chrome that could let attackers hijack Windows PCs running the company's browser. Instead, those engineers said the bug Vupen exploited to hack Chrome was in Adobe's Flash, which Google has bundled with the browser for over a year. Google's official position, however, has not changed since Vupen said it had not only sidestepped the browser's built-in 'sandbox' but also evaded Windows 7's integrated anti-exploit technologies. But others who work for Google were certain that at least one of the flaws Vupen exploited was in Flash's code, not Chrome's. 'As usual, security journalists don't bother to fact check,' said Tavis Ormandy, a Google security engineer, in a tweet earlier Wednesday. 'Vupen misunderstood how sandboxing worked in Chrome, and only had a Flash bug.' Chris Evans, a Google security engineer and Chrome team lead, tweeted, 'It's a legit pwn, but if it requires Flash, it's not a Chrome pwn.'"
flash is malware/adware (Score:4, Insightful)
Time to treat it as such.
Re: (Score:2)
A bit harsh but between chrome.angrybirds.com and HTML5 Video Flash is going to be at best a legacy technology.
Anyone know any good tutorials on JavaScript/HTML5/WebGL?
Re: (Score:2)
I'm pretty sure O'Reilly has a bunch of books on HTML5.
Not that I'd ever endorse a Microsoft solution, but I wonder how Silverlight/Moonlight compare to Flash in security (not to mention just plain being a total POS). Flash is a disaster, and we need to move away from it.
Re: (Score:2)
Not true. I've seen Silverlight/Moonlight used on Microsoft sites, such as yesterday's Slashdot article about the MS guy who collects weird computer gadgets. The article linked to a Microsoft page that was basically a virtual museum with all his devices (weird keyboards, mice, etc.), and to view it, you could choose either HTML or Silverlight.
Of course, I can't recall seeing any non-MS sites requiring Silverlight.....
Re: (Score:2)
Doesn't Netflix require Silverlight?
Re: (Score:2)
Good call, I totally forgot about that. That's a pretty big one.
Re: (Score:2)
They require Silverlight to stream movies, but the rest of the site doesn't.
Re: (Score:2)
That was what I meant... but what's there to do on Netflix other than stream movies? Then again, I don't use it, so maybe I just wouldn't know.
Re: (Score:2)
Rent movies from the regular mail-in rental service. The streaming selection can be pretty horrendous outside of TV episodes.
Re: (Score:2)
If CEOs knew what seasoned developers know about Microsoft, they would run away in fear.
If normal people knew what developers know about software, civilization would collapse.
Re: (Score:2)
Chrome does or did support H.264. Safari will be an issue for a while but to work around it you can include two videos and then use browser detection to serve the one that you need.
Chrome Frame and/or just updating to Chrome or Firefox will do for XP users.
Re: (Score:2)
Chrome does or did support H.264.
Did; no longer does. Any installed versions that did have been automatically updated to a version that no longer does.
Not quite - the built-in Flash will still happily play H.264-encoded Flash videos. Why do people always ignore that most Flash videos now use that codec?
Re: (Score:2)
Because the discussion was about the HTML5 audio/video tags, toward the goal of specifically eliminating Flash.
Re: (Score:2)
Because the discussion was about the HTML5 audio/video tags, toward the goal of specifically eliminating Flash.
If all it takes for Google to sort-of support H.264 is someone to pay for it, they could ask someone to sponsor it - like, say, Yahoo, or a bigger competitor of Yahoo maybe.
Re: (Score:2)
But Flash doesn't work at all on iOS and it is really not great on Android. Yes, I am an Android user and it fails a lot and is slow even on my phone, which is an Evo 4G.
Flash has no future. Adobe now has an HTML 5 authoring tool and more will come. Flash will linger for a while, but HTML 5 works on IE9, Safari, Chrome, Opera, and Firefox. It works on the PC and in the mobile space. With Google pushing more and more into the enterprise space, I suspect Chrome and Chrome Frame will get a big foothold in the enter
Re: (Score:3)
Re: (Score:2)
HTML5 Ogg videos play just fine with the QuickTime Ogg Component.
The last time I checked, the QuickTime Ogg Component was not available for iOS.
No, but if Safari (I said nothing about Mobile Safari) can play any HTML5 video, why can't the "open" alternatives? Are they fundamentally broken?
Re: (Score:2)
It won't happen until long after that. There are millions of XP installations around the world that do what their users want them to do. They won't be upgrading any time soon. IE9 not being on XP is fucking annoying for those of us who will need to support two versions of IE for a long time, just as we were seeing off IE6 and 7.
Re: (Score:2)
HTML5 audio and video are a mess. No audio and video codec works in all browsers. The pack-in browsers (IE and Safari) use only patented MPEG family codecs
I don't know about Safari, but IE9 can play WebM HTML5 video - though you need to download [google.com] the codec from Google.
Re: (Score:2)
Lies! Just tried it, and it ran just fine. No complaints due to a lack of Flash.
Re: (Score:2)
needs it for sound
Re: (Score:2)
*crickets chirping*
Re: (Score:2)
Anyone care to speculate just why Flash is so full of security holes?
You'd think that one of the largest and most talented software development companies based in a region of earth with some of the best, brightest and most educated software engineers with access to the best tools of the trade in the solar system could get such a minor piece of code right...
Re: (Score:2)
Same probs as MS Office, I'd wager. The desire to drive new sales through new corporate corner case features that no users really want, drives huge security architecture issues into the product that manifest as endless bugs like this. Smart engineers spend all their time patching b/c they are not consulted on the big design issues which create these problems. Security, as usual, is an after thought.
Re:flash is malware/adware (Score:5, Insightful)
Our investigation begins no further than the massive kludge that is the Flash interface. The program has been designed for both developers and designers alike, and where the two meet, there are dragons... and exploits. The Flash IDE suffers from some truly awful bugs (dragging tabs, resizing tweens, replacing text in the text editor to name but a few), then there are the game breakers like font positions appearing differently on PC vs Mac. So Adobe's difficulty in creating a program that unifies two different ways of thinking is already apparent.
Putting aside sloppy interface design, a big problem with Flash is that AS3 has still not been adopted by the majority of 'developers'; IAB standards in fact mandate the use of Flash Player version 8, which uses AS2 / ActionScript Virtual Machine 1. One of their reasons is that Flash 9 is too slow (rubbish, it's 10x faster). So because AS3 is not the standard, each and every time you run Flash Player, you're also running Flash Player with support for Flash all the way down to version 1 (which was shaky to begin with), and all the bugs that entails. Simply put, Flash is too much of a clusterfuck to fix; we're basically looking at AS2 being the IE6 of Flash.
This link goes in depth about exploits in Flash: http://events.ccc.de/congress/2008/Fahrplan/events/2596.en.html [events.ccc.de] There was a video to it as well, but I can't seem to find it right now. The sheer ease with which Flash can be exploited is actually quite horrifying.
Re: (Score:2)
You'd think that one of the largest and most talented software development companies based in a region of earth with some of the best, brightest and most educated software engineers with access to the best tools of the trade in the solar system could get such a minor piece of code right...
If you'd used Adobe Premiere prior to the total rewrite they did a few years ago you wouldn't be surprised that Flash is an insecure pile of poo.
Re: (Score:2)
Photoshop is just as bad. Apple has supported case-sensitive boot volumes for an entire decade, and Photoshop still barfs if you try to install it on one (and beginning in CS3, the installer actively prevents you from trying it). They blame Apple for the problem, because that's what they do. This despite the fact that you can fix it by adding a few (thousand) symbolic links.
And don't get me started on the unholy hell that was FrameMaker on the Mac.
Adobe isn't about creating good code, and never has been.
If it compromises a bundled runtime... (Score:5, Insightful)
it's a Chrome "pwn". If you bundle it, you own it. You see Apple going the opposite direction by un-bundling Flash because it didn't want to own the security issues and battery-draining properties associated with it. They recognized their brand was getting tarnished via that association and decided to make Adobe stand on their own.
It's a bug in Windows ... (Score:2, Flamebait)
"It's a legit pwn, but if it requires Flash, it's not a Chrome pwn. Do Java bugs count as a Chrome pwn too, because we support NPAPI?" link [twitter.com]
Re: (Score:2)
Flash is embedded into Chrome by Google. You can't remove it.
Therefore the bug belongs to Google Chrome, because in Chrome Flash is not just a plugin but an integrated piece.
Re: (Score:3)
Really? I just did about:plugins and clicked disable on Flash.
Or use flashblock.
Or start Chrome with -disable-plugins
Re: (Score:2)
Maybe someday the Google collective will realize that improvement cannot be realized if one doesn't admit to one's mistakes and act on that information. No doubt that's "just around the corne
Re: (Score:2)
I think Flashblock should be installed by default on all major browsers.
Re: (Score:2)
I could not agree more. One of the big supposed advantages of chrome (since I don't find the rendering speed to be that valuable) is the fact that the sand boxing of flash should prevent crashes and provide security. If it doesn't do that, then they failed.
Now fix it or get rid of flash.
Re: (Score:2)
99% of people are going to install Flash anyway. Google prevented far more attacks by bundling Flash. By manually downloading it you were receiving an unsecured (nonsandboxed) version which was also outdated and vulnerable. The remaining 1% who wouldn't ever install Flash know quite well how to disable plugins/install blocker extensions/configure plugins per-site or per-click.
Hooray for Google! Too bad that their fully up-to-date Flash plug-in was vulnerable, and their sandboxing didn't work.
Re: (Score:2)
It seems kind of silly to consider this a Chrome pwn when it affects every other install of Flash.
It seems kind of silly to not call it a Chrome pwn, when Google claims that their sandbox will prevent Flash from pwning the system. This isn't about Flash directly, it's about the sandbox that failed to work. Chromium's sandbox. Chrome pwn.
Re:If it compromises a bundled runtime... (Score:5, Insightful)
Agreed. This isn't accidental, and Google aren't the victims here. If you benefit from shovelling a steaming pile of crap, you get to eat a piece of it from time to time.
The problem here is that Flash is either a "plugin" or it isn't. If they decide that it is a plugin, then it is Chrome, and it's Google's problem. If they decide it's not a plugin, they should stop calling it one and letting it auto-run whatever content Joe Malware is serving up.
But if they don't even acknowledge that there's a problem, then how on earth do they intend to solve it?
The acid test is chrome OS (Score:2)
Will Chrome OS bundle flash or allow it to install?
One of the selling points of Chrome OS is the security. If someone can PWN my laptop and keylog my user-level password remotely, then having my data on the cloud is dangerous. Right now, even if someone compromises Flash, my computer is protected by multiple levels of user access controls and backups. With Chrome OS, once someone can access my account they can do it from anywhere without physical access.
This is not a gripe about the cloud as much as it poin
Re: (Score:2)
I believe that ChromeOS will be secure just like I believe that 75% of businesses can do business using only ChromeOS - that is, not at all.
Re: (Score:2)
That's not reasonable at all.
They don't own the code to Flash.
And unbundling (debundling?) Flash doesn't help because the user will need to load it anyway.
If Apple really cared, they would have a warning.
http://www.apple.com/downloads/macosx/internet_utilities/adobeflashplayer.html [apple.com]
All that said, yes, I wish they wouldn't bundle it. In fact I wish no one would bundle it.
Re: (Score:2)
The web browsers bundle it, or at least make it easy to load it as a plug-in, because so many sites (esp. YouTube) require it. If they didn't allow it to be loaded, users would be screaming bloody murder. Of course, with HTML5 supporting video natively, this shouldn't really be a problem any more, but you know how it takes forever for everyone to move to new standards.
Maybe if the browser makers got together and agreed to lock it out in favor of HTML5, and Google got rid of Flash on YouTube in favor of HT
Re: (Score:2)
You can already view a lot of YouTube as HTML5 vids, or use separate YouTube applications on both desktop and mobile devices.
Transcoding the long tail (Score:2)
You can already view a lot of YouTube as HTML5 vids
Newly uploaded videos and some of the videos most popular among the general public have been transcoded to WebM, but transcoding the "long tail" will have to wait.
Re: (Score:2)
Have multiple browsers then - the long tail is still served up as h.264 since the flash based player does h.264 for the higher qualities.
Though you raised an interesting question about that - since the majority of YouTube videos are still in h.264 format, and Chrome can't play them now since it dropped h.264 in favor of WebM...
Re: (Score:2)
This is true, but it's actually worse than that. Chrome claims to sandbox plugins. If the exploit pwnz0red the Flash plugin, but the sandbox prevented the exploit from getting any further, that would be a success. Likewise, if the exploit is able to break out of the sandbox, that's a failure. It's a failure of Chrome, as well as a failure of Adobe's malware^H^H^H^H^H^H^Hplugin.
Re: (Score:3)
From TFA:
"The Flash sandbox blog post went to pains to call it an initial step," said Evans [from Google]. "It protects some stuff, more to come. Flash sandbox [does not equal] Chrome sandbox."
The blog Evans referred to was published in December 2010 [chromium.org], where Schuh and another Google developer, Carlos Pizano said, "While we've laid a tremendous amount of groundwork in this initial sandbox, there's still more work to be done."
So yeah, but no, Google never claimed the Flash plugin was inside the Chrome sandbox; it's still a work in progress apparently. Of course that doesn't negate the fact that Flash is bundled with Chrome and therefore all Chrome users are vulnerable. Still, most users would've installed Flash anyway; this way Google has at least some control over the security issues (though obviously not enough).
Flash is not going away for awhile, especially as long as people keep using outdated browsers en masse and H
Re: (Score:2)
Adobe isn't giving them the code to Flash. I'm sure Google could do a better job than them if they had the code. Google, as well as all browser makers, are in the unfortunate position of dealing with this dangerous binary blob that everyone wants as a plugin.
Google responsibly tried to sandbox it, and that sandbox has worked very well, but it's no guarantee against Adobe's shit code. Not to mention, if they didn't auto-update it, then end users would never do it, thus more exploits. The sandbox isn't even the
Re: (Score:2)
You clearly haven't worked on a badly hacked 20 year old project. I shudder to think about what an awful mess Flash is internally.
Re: (Score:2)
Adobe isn't giving them the code to Flash. I'm sure Google could do a better job than them if they had the code. Google, as well as all browser makers, are in the unfortunate position of dealing with this dangerous binary blob that everyone wants as a plugin.
That's the nonsensical part, apparently *someone* wants it as a plugin... either that's the users (blame the user!) or it's Google (thanks to DoubleClick acquisition)
I contend that Google began their path to the dark side the moment they put their hands upon Doubleclick... they were corrupted by the evil that is inherent in pure advertising (advertising being basically social engineering).
Re: (Score:2)
Sorry, I don't buy this. Apple can un-bundle Flash on their iPhones because no one cares that much about looking at Flash sites on their iPhone. People are OK with their phones being limited in capabilities compared to their main computer; after all, the screen is tiny and you can't see much on it, so you're probably not going to be surfing a lot of Flash-heavy sites. On a desktop/laptop computer, however, it's a different story. Not supporting Flash means locking people out of a LOT of websites, most n
How to make Newgrounds without Flash? (Score:2)
the most popular use of Flash is video
But even once video is converted to HTML5, several remain:
How do you recommend making those with HTML5 technologies?
Re: (Score:2)
How do you recommend making those with HTML5 technologies?
Vector-animated short films, such as Homestar Runner or Weebl and Bob or half of Newgrounds. These would become ten times bigger if rendered to WebM or MP4.
Render them as WebM or MP4 and deal with the size increase. Let people download them if necessary, rather than streaming them.
Games, such as FarmVille and the other half of Newgrounds. Should these use SVG or Canvas? Neither works on IE on XP.
Use SVG or Canvas and tell the users to upgrade to ano
Re: (Score:2)
Or make a special browser plug-in for this, as Google does with Gmail video chat. Google's plugin doesn't seem to have all the problems Flash does.
As much as I dislike Flash, asking everybody to invent their own wheel doesn't sound right either. Maybe Google's plugin doesn't have all the problems Flash does, but I don't want every damn website to have to install its own plugin to use the webcam. That's just begging to be back in the hell where users are required to install "codecs" to play this video and suddenly their machine is a botnet zombie.
At least if there's one single interface between a website and the mic/cam we can do our best to ensure tha
Re: (Score:3)
Render them as WebM or MP4 and deal with the size increase.
How would one deal with the bandwidth bill that the size increase causes? And especially for users on dial-up, satellite, or low-end DSL, the order of magnitude size increase means there's an order of magnitude chance that the user will click away from your site in favor of another site that uses Flash.
Let people download them if necessary, rather than streaming them.
Owners of copyright in the underlying work, such as background music in a video, charge substantially more for downloads than for streams.
Use SVG or Canvas and tell the users to upgrade to another browser that supports these.
As I understand it, one has to be an administrator, as opposed to a li
Re: (Score:2)
Owners of copyright in the underlying work, such as background music in a video, charge substantially more for downloads than for streams.
stream === download
They charge substantially more to people who don't know how to save a stream.
Re: (Score:2)
Can the Google plug-in be used by applications hosted by entities other than Google? Or will each entity have to write its own plug-in for all six major platforms (Windows ActiveX, Windows NPAPI, Mac OS X, Linux, iOS, and Android) and get it signed with an Authenticode certificate and an iPhone Developer Program certificate?
We're talking about webcams here. iOS and Android are for phones, and they don't have webcams. I suppose you could make it work with the built-in camera and speakers/mike on
Re: (Score:2)
Heh... If the sandboxing doesn't shield against a pwn of a bundled app or a non-bundled one, then it's not really sandboxing, now is it?
It's a Flash AND a Chrome pwn.
Re: (Score:3)
Yeah, Google claiming this isn't a Chrome bug is like saying that an IE exploit isn't a Windows bug.
Interesting perspective, Google (Score:5, Insightful)
You're saying Flash, running "inside" Chrome, is by definition outside of Chrome's sandbox? So it's not Chrome's fault, it's Flash's?
Wrong. Flash is running inside the browser, the browser is running inside the OS, and the OS is running on the hardware. Clean encapsulation, and any leakage from one layer to the other is per definitionem the responsibility of the leaking layer.* So Flash is leaking through Chrome to the OS. Deal with it and stop lying.
*BTW, GOOG, if you engineered it so that Flash runs "alongside" the browser, and not within the sandbox... you fail it. Your sandbox is worthless, your browser is worthless, and your word is less than worthless.
Re:Interesting perspective, Google (Score:4, Funny)
You're saying Flash, running "inside" Chrome, is by definition outside of Chrome's sandbox? So it's not Chrome's fault, it's Flash's?
Wrong. Flash is running inside the browser, the browser is running inside the OS, and the OS is running on the hardware. Clean encapsulation, and any leakage from one layer to the other is per definitionem the responsibility of the leaking layer.* So Flash is leaking through Chrome to the OS. Deal with it and stop lying.
*BTW, GOOG, if you engineered it so that Flash runs "alongside" the browser, and not within the sandbox... you fail it. Your sandbox is worthless, your browser is worthless, and your word is less than worthless.
Wow man, it's a fucking browser bug. They didn't come to your house and kick your dog.
Wait...wait...Did Facebook pay you to post this?
Re:Interesting perspective, Google (Score:5, Funny)
Since you used italicized Latin and referred to the company by their stock ticker symbol, I award your opinion extra weight. That you used an asterisked footnote to avoid ordering your thoughts coherently implies you are exactly the sort of free-thinking individual the rest of us should strive to be.
I don't suppose you have a newsletter I could subscribe to?
Re:Interesting perspective, Google (Score:5, Insightful)
The original blog post [chromium.org] notes that the sandbox for Flash is a "first iteration" and that there is "more work to be done". NPAPI plugins are a huge pain point for browser security since they've traditionally been able to do whatever they want; just throwing them in the normal Chrome sandbox would break them. Sandboxing a plugin like Flash happens in several steps.
Does the initial sandbox have holes? Yes. Does it reduce the attack surface though? Yes. Is it going to be improved further to close those holes? Yes.
Missed the point (Score:5, Interesting)
I thought the main reason Google had taken to distributing flash with Chrome was so they could sandbox it better than the regular shared version of flash the other browsers use? And better keep it up to date, as well, but mainly the former.
I guess I was mistaken.
Re:Missed the point (Score:5, Informative)
They do, but the sandbox for Flash isn't complete yet.
They're right in that this is a flash vulnerability; it's exploitable regardless of which browser you're actually using. Marking it as a Chrome vulnerability does everyone a disservice by making people on other browsers think they're safe.
Re: (Score:2)
I thought the main reason Google had taken to distributing flash with Chrome was so they could sandbox it better than the regular shared version of flash the other browsers use? And better keep it up to date, as well, but mainly the former.
I guess I was mistaken.
There are other reasons. Flash only exists because of the advertising business. Google wanted the keys to the advertising country-club but had to marry into it (Flash). Then they bought and fashioned WebM but decided in a bout of "purism" to ignore the existing standard H.264 in favor of WebM. Which bolstered the position of Flash since you still can't do video on all major browsers without it. Google probably also benefited in that hurting the "non-free" H.264 would also put their competitor Apple in a
I find it odd (Score:2)
A company takes care to actually go through code, assembly, source, any means really, figure out a hack that's specific to Chrome ... and somehow, they are the ones misunderstanding the code. Somehow that answer doesn't satisfy me :)
Also, the answer would be equivalent to having my code use Sqlite as a dll, I bundle it in my package, I install it, it's mine ... but somehow when someone hacks my application through a (very theoretical - example only! move on trolls ;) ) sqlite bug, I would have the exit door
Re: (Score:2)
When a bug is in a library you link with, you should warn your users of it and file a bug report if it's a bug that hasn't been fixed yet. If a new version has been released that fixes said bug, you update your program to use the new version. A developer can't be expected to be responsible for each and every bug in every library he uses in his program, but he should be held responsible for warning his users and updating his program to the
Re: (Score:3)
You see, that's exactly the kind of things people should never have to hear about a product. If I get a product, whether at $0 or $10,000, it should always be responsible for its own integrated tools.
Let's say I buy an integrated specialized medical database using Oracle as backend. First, I shouldn't really have to care that it uses Oracle. Is the product working or not? Yes or no. The reason why a specific request would fail "because it's an Oracle bug" is moot; the vendor decided to use Oracle, it should vouch b
Pointing fingers (Score:2)
It's a legit pwn, but if it requires Flash, it's not a Chrome pwn.
If the dike fails and the land gets flooded, who cares if the dike was earth or stone? The point is that the place is flooded.
And that analogy is apropos considering what's going down here. [www.cbc.ca]
Re: (Score:2)
As somebody that doesn't use Chrome, it makes a big difference to me. If it were a Chrome specific pwn, then I wouldn't have to worry about it. As it is, I have to worry because it's a Flash specific.. Er, never mind, it's not like I trusted Flash previously.
don't bundle (Score:5, Insightful)
The Google response reminds me of when MS was in the habit of using PR to quash security reports instead of writing good code. Someone would come up with an exploit and MS would say it was not a well-configured, updated system, so fixing the code that fell to the exploit was not the responsibility of MS. The security people would then run the exploit again with a fresh out-of-the-box installation with all updates, and the machine would again be compromised. MS would then respond by saying that the user could easily configure the machine to not fall to the exploit, so it was a user issue and not an MS issue. The thing is that if the out-of-the-box configuration is not secure, then the machine is not secure. If an Android phone comes with Flash out of the box, and Flash is not secure, then the machine is not secure. It does not matter how fancy and pretty and secure the rest of the code may be.
Hint: There is no Sandbox. (Score:3)
Anything short of running in a VM (hardware supported or purely in software), is not a "sandbox" in my book.
It is a Chrome flaw introduced by Google's use of the word "sandboxed" that really doesn't imply a sandbox at all.
Additionally, compiling JS to machine code and having Chrome execute that data is not "sandboxing" either.
A flaw in my VM's interpreter that allows code to escape the sandbox is one thing; running non-virtualized machine code that itself can be exploited is quite another.
At some point, you must stop, wipe your brow, and consider your trek through the desert -- Is there really an edge to this sandbox? Did I miss the line drawn in the wind-swept sand or have I been lied to yet again?
Re: (Score:2)
I've taken to doing my banking in a virtual box session just to make it that much easier to keep things secured. It's not perfect, but if I'm not actually using it, the VM is not loaded and when it is, it's less likely that something which gets installed on my main computer will affect the virtual session.
Re: (Score:2)
AFAIK the Chrome sandbox uses Windows NT tokens and function interception to severely restrict process access to the system. The standard sandbox unfortunately would probably also cause the Flash plugin not to work.
This appears to entail running a second instance of the Flash plugin outside the sandbox, working as a broker.
Since this is the case, it may be possible to exploit both layers. The general sandboxing done for JS and HTML rendering is much simpler, and would likely not be as easy to exploit.
So... What you're saying is that the lines have been firmly drawn in the sand. No amount of kicking at the sand (buffer overflow) will obscure the boundary?
Contrast the methods employed with hardware-virtualized sandboxing, under which the answer to my statements would actually be "yes".
Re: (Score:2)
1) there is a huge, gaping bug in the OS
It's really a problem of API surface and complexity. Security is easy if you have 10 system calls to check for interactions. When you have 10k it's an entirely different problem. Even so, it doesn't mean it can't happen; I'm reminded of the Linux brk problem that existed for years (random Google link http://www.isec.pl/papers/linux_kernel_do_brk.pdf [www.isec.pl]). All it takes is one minor mistake, and group blindness, and it can exist for years. There have been virtual machine explo
Does it matter? (Score:2)
If it shipped in Chrome, it's code Google distributed. Google-pwn.
Flash is never going away. Accept it. (Score:2)
No matter how much you want it to be gone, Flash is like ActiveX and IE: a necessary piece of software for many production applications in use today. To take those pieces away means costing corporations several thousands if not millions in re-inventing their wheels. Corporations don't like to do that, and many IT budgets aren't fat enough to do it. No matter how much Steve Jobs bitches about it, his argument is irrelevant - at least at this point in time.
It will take the industry a good many years to shift aw
Fools (Score:2)
You integrated Flash into the god-damn browser, that makes it a browser vulnerability.
Re: (Score:2)
What's bad is that Flash is actually an open specification (i.e., you can get the docs and read them for yourself, and implement your own flash viewer). Because of this, there's been not one, not two, but three free/open-source flash viewers: gnash, swfdec, and something else. I'm pretty sure the latter two have died out, but gnash is supposed to be the open-source replacement, yet in my experience it sucks just as much as Adobe's version: it creates tons of extra processes that never go away, and chews u
Re: (Score:2)
The programmers at these companies are totally clueless when it comes to security.
You don't know that. Programmers just implement what they're told to implement. The people to blame are the software architects, and probably also the executives. If the executives wanted security to be a priority, they'd direct their architects to make it happen.