Researcher Claims To Have Chrome Zero-Day, Google Says "Prove It" 106
chicksdaddy writes "Google's been known to pay $60,000 for information on remotely exploitable vulnerabilities in its Chrome web browser. So, when a researcher says that he has one, but isn't interested in selling it, eyebrows get raised. And that's just what's happening this week, with Google saying it will wait and see what Georgian researcher Ucha Gobejishvili has up his sleeve in a presentation on Saturday at the Malcon conference in New Delhi. Gobejishvili has claimed that he will demonstrate a remotely exploitable hole in the Chrome web browser at Malcon. He described the security hole in Chrome as a 'critical vulnerability' in a Chrome DLL. 'It has silent and automatically (sp) download function and it works on all Windows systems,' he told Security Ledger. However, more than a few questions hang over Gobejishvili's talk. The researcher said he discovered the hole in July, but hasn't bothered to contact Google. He will demonstrate the exploit at MalCon, and have a 'general discussion' about it, but won't release source code for it. 'I know this is a very dangerous issue that's why I am not publishing more details about this vulnerability,' he wrote. Google said that, with no information on the hole, it can only wait to hear the researcher's Malcon presentation before it can assess the threat to Chrome users."
Certainly has a legitimate track record (Score:3, Insightful)
Re:Certainly has a legitimate track record (Score:5, Insightful)
He's doing it for fame, not for profit. By selling out a single hole, he gets a one-time check. By talking about it in the abstract, he gets attention. Perhaps a lot of attention, and people listening to him speak. Some people value attention more than money.
Clueless (Score:2, Insightful)
Maybe he's talking about this [google.com] lol. Or mybe this one [google.com]. tl;dr dude is clueless.
Re:Certainly has a legitimate track record (Score:5, Insightful)
Sorry, but this is one of the most clueless security researchers on the planet.
See https://code.google.com/p/chromium/issues/detail?id=108651
Re:Fermat's Last Exploit (Score:2, Insightful)
i don't think the repliers got the fermat's reference :)
Re:Certainly has a legitimate track record (Score:4, Insightful)
And Google staff has a great temper on that one. I would have pointed out "Programming for Dummies" to the guy straight out and I would have banned him from my bug tracker. I mean, by this bug alone you can see the guy is utterly clueless about CS in general.
Re:Certainly has a legitimate track record (Score:2, Insightful)
However, I do not believe that is the case here.