
Researcher Claims To Have Chrome Zero-Day, Google Says "Prove It"

chicksdaddy writes "Google's been known to pay $60,000 for information on remotely exploitable vulnerabilities in its Chrome web browser. So, when a researcher says that he has one, but isn't interested in selling it, eyebrows get raised. And that's just what's happening this week, with Google saying it will wait and see what Georgian researcher Ucha Gobejishvili has up his sleeve in a presentation on Saturday at the Malcon conference in New Delhi. Gobejishvili has claimed that he will demonstrate a remotely exploitable hole in the Chrome web browser at Malcon. He described the security hole in Chrome as a 'critical vulnerability' in a Chrome DLL. 'It has silent and automatically (sp) download function and it works on all Windows systems,' he told Security Ledger. However, more than a few questions hang over Gobejishvili's talk. The researcher said he discovered the hole in July, but hasn't bothered to contact Google. He will demonstrate the exploit at MalCon, and have a 'general discussion' about it, but won't release source code for it. 'I know this is a very dangerous issue that's why I am not publishing more details about this vulnerability,' he wrote. Google said that, with no information on the hole, it can only wait to hear the researcher's Malcon presentation before it can assess the threat to Chrome users."
  • by Anonymous Coward on Thursday November 22, 2012 @12:16AM (#42063581)

    He's doing it for fame, not for profit. By selling out a single hole, he gets a one-time check. By talking about it in the abstract, he gets attention. Perhaps a lot of attention, and people listening to him speak. Some people value attention more than money.

    Or maybe he just wants to advertise his product before setting the price.

  • by trdtaylor ( 2664195 ) on Thursday November 22, 2012 @12:48AM (#42063757)

    He's advertising to sell to one of the big 0-day sellers in the world. Probably get a lot more than 60,000 for something this useful.

  • by Anonymous Coward on Thursday November 22, 2012 @01:04AM (#42063813)

    No, it just means Google had an error.

    The issue in question has this source code:

    <script>
    var cxrili=new Array("1337","longrifle0x?");
    var a=0;
    while (a=1)
    {
    document.write(cxrili[a])
    a++;
    }
    </script>

    Researcher claims this crashes Chrome, turns out it just crashes the tab nicely with what they call a "sad" tab.

    Researcher then says: "Hmm.. really? I tested it on two other PC and got result." because he clearly didn't understand what they said.

    They then close the "bug".

    Nice ad hominem and appeal to authority though. Jackass.

  • by LordLimecat ( 1103839 ) on Thursday November 22, 2012 @01:06AM (#42063823)

    I particularly like this part from his bug report:

    VERSION
    Chrome Version:Ubuntu 11.4 version
    Operating System: [Ubuntu 11.4]

    Man, I love that version of Chrome. What do you call a security researcher who can't even identify his platform in his bug reports?