
Google Engineers Deny Hack Exploited Chrome

samzenpus posted more than 3 years ago | from the pics-or-it-didn't-happen dept.


CWmike writes "Several Google security engineers have countered claims that a French security company, Vupen, found a vulnerability in Chrome that could let attackers hijack Windows PCs running the company's browser. Instead, those engineers said the bug Vupen exploited to hack Chrome was in Adobe's Flash, which Google has bundled with the browser for over a year. Google's official position, however, has not changed since Vupen said it had sidestepped not only the browser's built-in 'sandbox' but also Windows 7's integrated anti-exploit technologies. But others who work for Google were certain that at least one of the flaws Vupen exploited was in Flash's code, not Chrome's. 'As usual, security journalists don't bother to fact check,' said Tavis Ormandy, a Google security engineer, in a tweet earlier Wednesday. 'Vupen misunderstood how sandboxing worked in Chrome, and only had a Flash bug.' Chris Evans, a Google security engineer and Chrome team lead, tweeted, 'It's a legit pwn, but if it requires Flash, it's not a Chrome pwn.'"


244 comments


flash is malware/adware (3, Insightful)

Haven (34895) | more than 3 years ago | (#36107348)

Time to treat it as such.

Re:flash is malware/adware (1)

LWATCDR (28044) | more than 3 years ago | (#36107606)

A bit harsh, but between chrome.angrybirds.com and HTML5 Video, Flash is going to be at best a legacy technology.
Anyone know any good tutorials on JavaScript/HTML5/WebGL?

Re:flash is malware/adware (1)

larry bagina (561269) | more than 3 years ago | (#36107838)

chrome.angrybirds uses some flash.

Re:flash is malware/adware (0)

Anonymous Coward | more than 3 years ago | (#36108248)

Oh my.. isn't that exactly what LWATCDR is implying?

Re:flash is malware/adware (0)

Anonymous Coward | more than 3 years ago | (#36108372)

Really? Care to point out where?

Re:flash is malware/adware (1)

Grishnakh (216268) | more than 3 years ago | (#36107850)

I'm pretty sure O'Reilly has a bunch of books on HTML5.

Not that I'd ever endorse a Microsoft solution, but I wonder how Silverlight/Moonlight compare to Flash in security (not to mention just plain being a total POS). Flash is a disaster, and we need to move away from it.

Flash or Chrome Frame is needed until 2014 (0)

tepples (727027) | more than 3 years ago | (#36108174)

between chrome.angrybirds.com and HTML5 Video Flash is going to be at best a legacy technology.

HTML5 audio and video are a mess. No audio and video codec works in all browsers. The pack-in browsers (IE and Safari) use only patented MPEG family codecs, while all the aftermarket browsers (Firefox, Chrome, Opera) use only Free codecs. Besides, either Adobe Flash Player or Google Chrome Frame will be needed at least until all IE installations are upgraded to IE 9 or later, which won't happen until 2014 when Windows XP reaches its end of life.

Re:Flash or Chrome Frame is needed until 2014 (1)

LWATCDR (28044) | more than 3 years ago | (#36108262)

Chrome does or did support H.264. Safari will be an issue for a while but to work around it you can include two videos and then use browser detection to serve the one that you need.
Chrome Frame and or just updating to Chrome or Firefox will do for XP users

Re:Flash or Chrome Frame is needed until 2014 (0)

tepples (727027) | more than 3 years ago | (#36108450)

Chrome does or did support H.264.

Did; no longer does. Any installed versions that did have been automatically updated to a version that no longer does.

Safari will be an issue for a while but to work around it you can include two videos

How much does MPEG-LA charge for a license to use FFmpeg on U.S. soil to encode videos for use in Safari and IE?

Chrome Frame

Which is also a plug-in, and the IT department is more likely to authorize installation of Adobe Flash Player enterprise-wide than installation of Google Chrome Frame enterprise-wide. Please see more arguments that I've collected [pineight.com] .

Re:flash is malware/adware (1)

jo42 (227475) | more than 3 years ago | (#36107914)

Anyone care to speculate just why Flash is so full of security holes?

You'd think that one of the largest and most talented software development companies based in a region of earth with some of the best, brightest and most educated software engineers with access to the best tools of the trade in the solar system could get such a minor piece of code right...

Re:flash is malware/adware (1)

m50d (797211) | more than 3 years ago | (#36108238)

Other adobe free viewers are similarly crap - pdf might have become the format of the web if it weren't for their stupidly bloated viewer, and their SVG thing was terrible the last time I tried it. So I'd look to management not putting any money into their free viewers when they've got the products they're selling for megabucks (photoshop). After all, it doesn't seem like their terrible security record has cost them many users.

Re:flash is malware/adware (1)

Aerorae (1941752) | more than 3 years ago | (#36108284)

Not that I know any better, but it wouldn't surprise me if they've never stopped building off of macromedia's shockwave code.

Re:flash is malware/adware (1)

NoSleepDemon (1521253) | more than 3 years ago | (#36108752)

You pretty much hit the nail on the head, see my comment above.

Re:flash is malware/adware (1)

tukang (1209392) | more than 3 years ago | (#36108288)

Acrobat is just as bad so I'm going to guess that their software engineers aren't as good as you think or they have serious management problems. Either way, the problem is with Adobe and not a technical one.

Re:flash is malware/adware (1)

mt1955 (698912) | more than 3 years ago | (#36108320)

You make a good point and some Adobe products are amazing (but I do wish the Studio UI team would go back to the drawing board)

re: speculation -- a lot of proprietary software designs rely on "security by obscurity" with plenty of secret stuff that no one is supposed to ever find out about.

Re:flash is malware/adware (1)

king neckbeard (1801738) | more than 3 years ago | (#36108696)

You'd think that one of the largest and most talented software development companies based in a region of earth with some of the best, brightest and most educated software engineers with access to the best tools of the trade in the solar system could get such a minor piece of code right...

Outside of largest, that description doesn't really apply to Adobe.

Re:flash is malware/adware (4, Insightful)

NoSleepDemon (1521253) | more than 3 years ago | (#36108734)

Being one of those not so rare Flash developers that hates Flash, I would indeed care to speculate.

Our investigation begins no further than the massive kludge that is the Flash interface. The program has been designed for both developers and designers alike, and where the two meet, there are dragons... and exploits. The Flash IDE suffers from some truly awful bugs (dragging tabs, resizing tweens, replacing text in the text editor to name but a few), then there are the game breakers like font positions appearing differently on PC vs Mac. So Adobe's difficulty in creating a program that unifies two different ways of thinking is already apparent.

Putting aside sloppy interface design, a big problem with Flash is that AS3 has still not been adopted by the majority of 'developers'; IAB standards in fact mandate the use of Flash Player version 8, which uses AS2 / ActionScript Virtual Machine 1. One of their reasons being that Flash 9 is too slow (rubbish, it's 10x faster). So because AS3 is not the standard, each and every time you run Flash Player, you're also running Flash Player with support for Flash all the way down to version 1 (which was shaky to begin with), and all the bugs that entails. Simply put, Flash is too much of a clusterfuck to fix; we're basically looking at AS2 being the IE6 of Flash.

This link goes in depth about exploits in Flash: http://events.ccc.de/congress/2008/Fahrplan/events/2596.en.html [events.ccc.de] There was a video to it as well, but I can't seem to find it right now. The sheer ease with which Flash can be exploited is actually quite horrifying.

Re:flash is malware/adware (0)

Anonymous Coward | more than 3 years ago | (#36108328)

Ah, you are one of those idealists I keep hearing so much about. How's that working out for you?

If it compromises a bundled runtime... (4, Insightful)

manonthemoon (537690) | more than 3 years ago | (#36107350)

It's a Chrome "pwn". If you bundle it, you own it. You see Apple going the opposite direction by un-bundling Flash because it didn't want to own the security issues and battery-draining properties associated with it. They recognized their brand was getting tarnished via that association and decided to make Adobe stand on their own.

It's a bug in Windows ... (1, Flamebait)

doperative (1958782) | more than 3 years ago | (#36107470)

"It's a legit pwn, but if it requires Flash, it's not a Chrome pwn. Do Java bugs count as a Chrome pwn too, because we support NPAPI?" link [twitter.com]

Re:It's a bug in Windows ... (1)

Anonymous Coward | more than 3 years ago | (#36107764)

"It's a legit pwn, but if it requires Flash, it's not a Chrome pwn. Do Java bugs count as a Chrome pwn too, because we support NPAPI?" link [twitter.com]

Do they bundle Java, or the Java plugin? No? Then Java bugs are not Chrome pwns.

Re:It's a bug in Windows ... (0)

Anonymous Coward | more than 3 years ago | (#36107874)

It seems kind of silly to consider this a Chrome pwn when it affects every other install of Flash.

Re:It's a bug in Windows ... (1)

Anonymous Coward | more than 3 years ago | (#36108462)

Until you realize that they force Flash upon you and they claimed to have sandboxed Flash within Chrome. Getting past that, you then realize that Chrome had to be pwned to achieve this.

Don't like it? Then don't force Flash upon us.

Re:It's a bug in Windows ... (0)

Anonymous Coward | more than 3 years ago | (#36108164)

Flash is running on 99% of desktops and comes bundled on pretty much any PC you buy--meaning this exploit affects pretty much every browser. So, it's hard to argue that Google bundling Flash would do anything significant to increase a user's risk, since they probably have it installed already.

Re:It's a bug in Windows ... (1)

peragrin (659227) | more than 3 years ago | (#36107872)

Flash is embedded into Chrome by Google. You can't remove it.

Therefore the bug belongs to Google Chrome, because in Chrome Flash is not just a plugin but an integrated piece.

Re:It's a bug in Windows ... (2)

gad_zuki! (70830) | more than 3 years ago | (#36107938)

Really? I just did about:plugins and clicked disable on Flash.

Or use flashblock.

Or start Chrome with --disable-plugins

Re:It's a bug in Windows ... (1)

Omega996 (106762) | more than 3 years ago | (#36108162)

there's a world of difference between disabling plugins/malware sinkholes and removing them. I agree with others that if Google's going to have their little reach-around agreement with Adobe and bundle their stuff in Chrome, then Google needs to take responsibility for the flaws/exploits/problems this causes or exposes.

Maybe someday the Google collective will realize that improvement cannot be realized if one doesn't admit to one's mistakes and act on that information. No doubt that's "just around the corner", along with the apocalypse of Macintosh malware, the death of the Windows desktop hegemony at the hands of the Linux desktop proletariat, and Christians awaiting their zombie-god's return.

Re:It's a bug in Windows ... (1)

Anonymous Coward | more than 3 years ago | (#36108300)

If they included--forced--users to download it. Then yes.

Google has some brilliant people. But they are some of the most pathetic people. It's not anyone else's fault that Google forced everyone into having Flash and then claiming that they sandboxed it as well.

Own up to it. Fix it. Fast. Don't play the semantics game, especially when it's not even semantics being played--Chrome was pwned because of how they default configure Chrome. End of story.

This has very little to do with Windows. They managed to sidestep the security features there to help make things harder to do this, that's all.

Re:If it compromises a bundled runtime... (5, Insightful)

Rogerborg (306625) | more than 3 years ago | (#36107588)

Agreed. This isn't accidental, and Google aren't the victims here. If you benefit from shovelling a steaming pile of crap, you get to eat a piece of it from time to time.

The problem here is that Flash is either a "plugin" or it isn't. If they decide that it is a plugin, then it is Chrome, and it's Google's problem. If they decide it's not a plugin, they should stop calling it one and letting it auto-run whatever content Joe Malware is serving up.

But if they don't even acknowledge that there's a problem, then how on earth do they intend to solve it?

The acid test is chrome OS (1)

goombah99 (560566) | more than 3 years ago | (#36107910)

Will Chrome OS bundle flash or allow it to install?

One of the selling points of Chrome OS is the security. If someone can PWN my laptop and keylog my user-level password remotely, then having my data on the cloud is dangerous. Right now even if someone compromises Flash, my computer is protected by multiple levels of user access controls and backups. With Chrome OS, once someone can access my account they can do it from anywhere without physical access.

This is not a gripe about the cloud as much as it is pointing out how you can go around claiming the sandbox keeps you safe if your browser lets you punch holes in the sandbox. Because Chrome OS connects your filesystem cloud to your general browsing via the browser, it is more incumbent to secure it.

Right now whenever IE or Firefox has some dangerous hole I can switch to a different browser. But if I use Chrome OS I can't safely surf the web whatsoever until it is patched.

Re:The acid test is chrome OS (1)

Omega996 (106762) | more than 3 years ago | (#36108210)

I believe that question was answered by some of the Google I/O stuff yesterday - Flash is going to be an integral part of ChromeOS.

I believe that ChromeOS will be secure just like I believe that 75% of businesses can do business using only ChromeOS - that is, not at all.

Re:If it compromises a bundled runtime... (2)

CraftyJack (1031736) | more than 3 years ago | (#36107604)

And if you need a car analogy: Ford and Firestone [wikipedia.org] .

Re:If it compromises a bundled runtime... (1)

geekoid (135745) | more than 3 years ago | (#36107754)

That's not reasonable at all.

They don't own the code to Flash.

And unbundling (debundling?) Flash doesn't help because the user will need to load it anyway.

If Apple really cared, they would have a warning.
http://www.apple.com/downloads/macosx/internet_utilities/adobeflashplayer.html [apple.com]

All that said, yes, I wish they wouldn't bundle it.. in fact I wish no one would bundle it.

Re:If it compromises a bundled runtime... (1)

Grishnakh (216268) | more than 3 years ago | (#36107978)

The web browsers bundle it, or at least make it easy to load it as a plug-in, because so many sites (esp. YouTube) require it. If they didn't allow it to be loaded, users would be screaming bloody murder. Of course, with HTML5 supporting video natively, this shouldn't really be a problem any more, but you know how it takes forever for everyone to move to new standards.

Maybe if the browser makers got together and agreed to lock it out in favor of HTML5, and Google got rid of Flash on YouTube in favor of HTML5 video, then Flash could finally be killed, or at least made irrelevant. However, the hordes of IE6 users would be screaming then, but maybe this will finally get them to upgrade (or maybe force their employers to install VMs so they can have one VM of XP+IE6 just for using their crappy intranet sites).

Re:If it compromises a bundled runtime... (1)

somersault (912633) | more than 3 years ago | (#36108032)

You can already view a lot of YouTube as HTML5 vids, or use separate YouTube applications on both desktop and mobile devices.

Transcoding the long tail (1)

tepples (727027) | more than 3 years ago | (#36108220)

You can already view a lot of YouTube as HTML5 vids

Newly uploaded videos and some of the videos most popular among the general public have been transcoded to WebM, but transcoding the "long tail" will have to wait.

Re:If it compromises a bundled runtime... (1)

Anonymous Coward | more than 3 years ago | (#36107778)

Apple moved away from Adobe because Jobs is still pissed off Adobe rolled out their premium creative tools for Windows. Jobs pissed off Adobe before this by changing how the toolkit worked costing Adobe a bloody fortune while they were migrating PPC to Intel.

Re:If it compromises a bundled runtime... (1)

larry bagina (561269) | more than 3 years ago | (#36107980)

Your timeline is a little bit off. Originally, Steve Jobs declared OpenStep/Cocoa to be the future. Microsoft and Adobe (among others) complained, so they created Carbon to make recompiling legacy OS 8/9 code easier. (No doubt that was still a lot of work for adobe, given their shitty indian developers). The PPC/Intel transition (10.5) was a non-event (their shit runs fine with rosetta emulation). For 10.6 (64-bit cocoa), they announced that Carbon would not be 64-bit, so Adobe will need to rewrite in Cocoa to be 64-bit.

Re:If it compromises a bundled runtime... (1)

UnknowingFool (672806) | more than 3 years ago | (#36108260)

Also it needs to be pointed out that you can still code in Carbon as long as you don't expect the newer features of Cocoa and you don't need 64 bit. Some OS X system applications are still in Carbon. Why Steve Jobs called Adobe "lazy" was this roadmap was clear from the beginning but Adobe didn't move to Cocoa until CS5 in 2010 whereas Apple had been pushing the transition since 2007 with the release of 64 bit Leopard.

Re:If it compromises a bundled runtime... (1)

mellon (7048) | more than 3 years ago | (#36107790)

This is true, but it's actually worse than that. Chrome claims to sandbox plugins. If the exploit pwnz0red the Flash plugin, but the sandbox prevented the exploit from getting any further, that would be a success. Likewise, if the exploit is able to break out of the sandbox, that's a failure. It's a failure of Chrome, as well as a failure of Adobe's malware^H^H^H^H^H^H^Hplugin.

Re:If it compromises a bundled runtime... (2)

The13thSin (1092867) | more than 3 years ago | (#36108136)

From TFA:

"The Flash sandbox blog post went to pains to call it an initial step," said Evans [from Google]. "It protects some stuff, more to come. Flash sandbox [does not equal] Chrome sandbox."

The blog Evans referred to was published in December 2010 [chromium.org] , where Schuh and another Google developer, Carlos Pizano said, "While we've laid a tremendous amount of groundwork in this initial sandbox, there's still more work to be done."

So yeah, but no, Google never claimed the Flash plugin was inside the Chrome sandbox; it's still a work in progress apparently. Of course that doesn't negate the fact that Flash is bundled with Chrome and therefore all Chrome users are vulnerable. Still, most users would've installed Flash anyway; this way Google has at least some control over the security issues (though obviously not enough).

Flash is not going away for a while, especially as long as people keep using outdated browsers en masse and HTML5's implementation isn't (at least somewhat) unified cross-browser... so in other words it's going to take a looooooooong time before Flash is a distant memory. Your best bet is that Google finds a way to *really* sandbox Flash in, so this can't happen anymore. We'll see if they're able to.

Re:If it compromises a bundled runtime... (1)

gad_zuki! (70830) | more than 3 years ago | (#36107908)

Adobe isn't giving them the code to Flash. I'm sure Google could do a better job than them if they had the code. Google, as well as all browser makers, are in the unfortunate position of dealing with this dangerous binary blob that everyone wants as a plugin.

Google responsibly tried to sandbox it, and that sandbox has worked very well, but it's no guarantee against Adobe's shit code. Not to mention, if they didn't auto-update it, then end users would never do it, thus more exploits. The sandbox isn't even the best feature of Chrome; it's that it auto-updates that dangerous plugin for everyone. My only complaint is that it doesn't do this for Java, which is a much larger malware magnet. Or at least give me an "are you sure you want to run a Java applet from this site" with signature information.

Also, I have yet to see how this exploit works when running as a limited user. A lot of Flash and Adobe exploits only seem to work when running as local admin. The UAC makes no difference.

Re:If it compromises a bundled runtime... (1)

Grishnakh (216268) | more than 3 years ago | (#36107918)

Sorry, I don't buy this. Apple can un-bundle Flash on their iPhones because no one cares that much about looking at Flash sites on their iPhone. People are OK with their phones being limited in capabilities compared to their main computer; after all, the screen is tiny and you can't see much on it, so you're probably not going to be surfing a lot of Flash-heavy sites. On a desktop/laptop computer, however, it's a different story. Not supporting Flash means locking people out of a LOT of websites, most notably YouTube and other video-serving sites.

With HTML5 coming in a few years (yes I know it's here now, but I don't see any sites supporting it), this will hopefully go away as HTML supports video natively, and the most popular use of Flash is video, making it much easier for users to not bother with Flash at all.

How to make Newgrounds without Flash? (1)

tepples (727027) | more than 3 years ago | (#36108316)

the most popular use of Flash is video

But even once video is converted to HTML5, several remain:

  • Vector-animated short films, such as Homestar Runner or Weebl and Bob or half of Newgrounds. These would become ten times bigger if rendered to WebM or MP4.
  • Games, such as FarmVille and the other half of Newgrounds. Should these use SVG or Canvas? Neither works on IE on XP.
  • Applications that ask the user to turn on a webcam, such as online video chat.

How do you recommend making those with HTML5 technologies?

Re:How to make Newgrounds without Flash? (1)

Grishnakh (216268) | more than 3 years ago | (#36108422)

How do you recommend making those with HTML5 technologies?

Vector-animated short films, such as Homestar Runner or Weebl and Bob or half of Newgrounds. These would become ten times bigger if rendered to WebM or MP4.

Render them as WebM or MP4 and deal with the size increase. Let people download them if necessary, rather than streaming them.

Games, such as FarmVille and the other half of Newgrounds. Should these use SVG or Canvas? Neither works on IE on XP.

Use SVG or Canvas and tell the users to upgrade to another browser that supports these.

Applications that ask the user to turn on a webcam, such as online video chat.

Skype. Or make a special browser plug-in for this, as Google does with Gmail video chat. Google's plugin doesn't seem to have all the problems Flash does.

Re:How to make Newgrounds without Flash? (1)

_0xd0ad (1974778) | more than 3 years ago | (#36108564)

Or make a special browser plug-in for this, as Google does with Gmail video chat. Google's plugin doesn't seem to have all the problems Flash does.

As much as I dislike Flash, asking everybody to invent their own wheel doesn't sound right either. Maybe Google's plugin doesn't have all the problems Flash does, but I don't want every damn website to have to install its own plugin to use the webcam. That's just begging to be back in the hell where users are required to install "codecs" to play this video and suddenly their machine is a botnet zombie.

At least if there's one single interface between a website and the mic/cam we can do our best to ensure that interface isn't exploitable. If every website has to roll their own, overall it's much less secure.

Re:How to make Newgrounds without Flash? (1)

Grishnakh (216268) | more than 3 years ago | (#36108700)

As much as I dislike Flash, asking everybody to invent their own wheel doesn't sound right either. Maybe Google's plugin doesn't have all the problems Flash does, but I don't want every damn website to have to install its own plugin to use the webcam. That's just begging to be back in the hell where users are required to install "codecs" to play this video and suddenly their machine is a botnet zombie.

At least if there's one single interface between a website and the mic/cam we can do our best to ensure that interface isn't exploitable. If every website has to roll their own, overall it's much less secure.

Maybe we could get Google to release their webcam plugin for everyone to use. They can call it the "official Google webcam plugin".

Besides, exactly how many sites use webcams anyway? I can't say I've ever run across any, besides Gmail video chat of course, but then again I'm not into online sex chats.

Games, such as FarmVille and the other half of Newgrounds. Should these use SVG or Canvas? Neither works on IE on XP.

Use SVG or Canvas and tell the users to upgrade to another browser that supports these.

I'd like to add here that if enough places did exactly this, then stupid MS would cave in and add SVG support to their browser, just like they did with PNG many years ago, which they initially refused to support simply because it wasn't a MS technology. The only reason their latest IE versions support open standards as well as they do is because people have demanded it, and have been switching to other browsers. If FarmVille is SO popular (which it indeed seems to be; I haven't heard of "Newgrounds" though so I can't comment on that), then they should be able to switch to an open standard and get their userbase to install a free alternative browser without much trouble.

Re:How to make Newgrounds without Flash? (2)

tepples (727027) | more than 3 years ago | (#36108582)

Render them as WebM or MP4 and deal with the size increase.

How would one deal with the bandwidth bill that the size increase causes? And especially for users on dial-up, satellite, or low-end DSL, the order of magnitude size increase means there's an order of magnitude chance that the user will click away from your site in favor of another site that uses Flash.

Let people download them if necessary, rather than streaming them.

Owners of copyright in the underlying work, such as background music in a video, charge substantially more for downloads than for streams.

Use SVG or Canvas and tell the users to upgrade to another browser that supports these.

As I understand it, one has to be an administrator, as opposed to a limited user, in order to install Chrome or Firefox. And instead of installing Chrome Frame, which supports these, users with Flash Player installed are more likely to click away from your site in favor of another site that uses Flash.

Skype

As I understand it, one has to be an administrator, as opposed to a limited user, in order to install Skype software.

Or make a special browser plug-in for this, as Google does with Gmail video chat.

Can the Google plug-in be used by other than applications hosted by entities other than Google? Or will each entity have to write its own plug-in for all six major platforms (Windows ActiveX, Windows NPAPI, Mac OS X, Linux, iOS, and Android) and get it signed with an Authenticode certificate and an iPhone Developer Program certificate?

Re:If it compromises a bundled runtime... (1)

Svartalf (2997) | more than 3 years ago | (#36108672)

Heh... If the sandboxing doesn't shield against a pwn of a bundled app or a non-bundled one, then it's not really sandboxing, now is it?

It's a Flash AND a Chrome pwn.

it's funny (0)

Anonymous Coward | more than 3 years ago | (#36107362)

It's funny how often flash holes get exposed.

when was the last time we got to see the source for flash?

Re:it's funny (1)

Grishnakh (216268) | more than 3 years ago | (#36108026)

What's bad is that Flash is actually an open specification (i.e., you can get the docs and read them for yourself, and implement your own flash viewer). Because of this, there's been not one, not two, but three free/open-source flash viewers: gnash, swfdec, and something else. I'm pretty sure the latter two have died out, but gnash is supposed to be the open-source replacement, yet in my experience it sucks just as much as Adobe's version: it creates tons of extra processes that never go away, and chews up CPU time like there's no tomorrow. I have to go manually kill all the gnash-player processes to keep my CPUs from being pegged.

Why would Chrome allow Flash out of the Sandbox? (0)

Anonymous Coward | more than 3 years ago | (#36107368)

It should be treated just like any other piece of potentially harmful code.

Re:Why would Chrome allow Flash out of the Sandbox (0)

Anonymous Coward | more than 3 years ago | (#36107936)

Flash probably doesn't work inside a sandbox, it probably gets up to all manner of disgusting tricks to get the shitty performance that it does.

Another day, another Flash exploit... (0)

Anonymous Coward | more than 3 years ago | (#36107380)

Seriously, at this point, it seems like Adobe is actively trying to make Flash suck.

Please hurry, webm.

Pointing fingers won't help (4, Insightful)

Anne Honime (828246) | more than 3 years ago | (#36107396)

If google bundles Flash with Chrome and the user's exposed to exploit, then it's pretty much google's responsibility for letting this happen in the first place. Doesn't invalidate VUPEN's claim one bit, as every chrome installation is still susceptible to direct exploitation.

Re:Pointing fingers won't help (1)

Astatine (179864) | more than 3 years ago | (#36108378)

Flashblock!

Re:Pointing fingers won't help (0)

Anonymous Coward | more than 3 years ago | (#36108454)

Except those on Linux? I don't think Flash is included with those is it?

Interesting perspective, Google (5, Insightful)

idontgno (624372) | more than 3 years ago | (#36107414)

You're saying Flash, running "inside" Chrome, is by definition outside of Chrome's sandbox? So it's not Chrome's fault, it's Flash's?

Wrong. Flash is running inside the browser, the browser is running inside the OS, and the OS is running on the hardware. Clean encapsulation, and any leakage from one layer to the other is per definitionem the responsibility of the leaking layer.* So Flash is leaking through Chrome to the OS. Deal with it and stop lying.

*BTW, GOOG, if you engineered it so that Flash runs "alongside" the browser, and not within the sandbox... you fail it. Your sandbox is worthless, your browser is worthless, and your word is less than worthless.

Re:Interesting perspective, Google (1)

ais523 (1172701) | more than 3 years ago | (#36107632)

I think I agree with you. The major conclusion of this story is not that Flash is a buggy mess (we knew that already), nor that Chrome is necessarily exploitable (technically speaking), but that even Chrome's sandbox is useless at stopping Flash making for an easy attack surface.

Re:Interesting perspective, Google (0)

Anonymous Coward | more than 3 years ago | (#36107650)

I guess flash needs to run outside of the sandbox to have access to hardware acceleration.

Re:Interesting perspective, Google (0)

Anonymous Coward | more than 3 years ago | (#36108294)

Correct, it uses a broker process (also the flash DLL) running outside the sandbox.

Re:Interesting perspective, Google (4, Funny)

Anonymous Coward | more than 3 years ago | (#36108016)

You're saying Flash, running "inside" Chrome, is by definition outside of Chrome's sandbox? So it's not Chrome's fault, it's Flash's?

Wrong. Flash is running inside the browser, the browser is running inside the OS, and the OS is running on the hardware. Clean encapsulation, and any leakage from one layer to the other is per definitionem the responsibility of the leaking layer.* So Flash is leaking through Chrome to the OS. Deal with it and stop lying.

*BTW, GOOG, if you engineered it so that Flash runs "alongside" the browser, and not within the sandbox... you fail it. Your sandbox is worthless, your browser is worthless, and your word is less than worthless.

Wow man, it's a fucking browser bug. They didn't come to your house and kick your dog.

Wait...wait...Did Facebook pay you to post this?

Re:Interesting perspective, Google (0)

Anonymous Coward | more than 3 years ago | (#36108144)

Google isn't perfect. Facebook isn't either. But both tend to have engineers that seem to think they are never wrong and never have errors. I think this is a clear example of an exploit circumventing the concept of a sandbox, coming from interfacing flash with chrome.

Re:Interesting perspective, Google (4, Funny)

b4dc0d3r (1268512) | more than 3 years ago | (#36108142)

Since you used italicized Latin and referred to the company by their stock ticker symbol, I award your opinion extra weight. That you used an asterisked footnote to avoid ordering your thoughts coherently implies you are exactly the sort of free-thinking individual the rest of us should strive to be.

I don't suppose you have a newsletter I could subscribe to?

Re:Interesting perspective, Google (5, Insightful)

Anonymous Coward | more than 3 years ago | (#36108146)

The original blog post [chromium.org] notes that the sandbox for Flash is a "first iteration" and that there is "more work to be done". NPAPI plugins are a huge pain point for browser security since they've traditionally been able to do whatever they want; just throwing them in the normal Chrome sandbox would break them. Sandboxing a plugin like Flash happens in several steps.

Does the initial sandbox have holes? Yes. Does it reduce the attack surface though? Yes. Is it going to be improved further to close those holes? Yes.

Re:Interesting perspective, Google (1)

Desler (1608317) | more than 3 years ago | (#36108674)

So then they should stop trying to deny that this is a Chrome issue if the Chrome sandbox for Flash failed to work.

Re:Interesting perspective, Google (0)

Anonymous Coward | more than 3 years ago | (#36108306)

It was never stated whether this exploit worked on Chrome stable or Chrome dev, in which Flash has finally been put into its own sandbox. This required working with Adobe, so it's not like Google wasn't considering this and already has a solution. It simply hasn't been pushed to stable yet...

Re:Interesting perspective, Google (0)

Anonymous Coward | more than 3 years ago | (#36108722)

Exactly! On top of that they claimed to have Flash within its own sandbox, which was the reason it was acceptable to force it upon Chrome users!

So, either that is a lie, or there is a bug in the sandbox that let this attack vector hit the OS and therefore it is Chrome's fault in both cases.

Re:Interesting perspective, Google (1)

Anonymous Coward | more than 3 years ago | (#36108746)

Do they know how plugins even work? They are basically their own executable with an interface to the browser. The plugin running alongside the browser was the NORM up until Google announced that it would work with Adobe to get it sandboxed (when they started bundling Flash). Mozilla also started working on sandboxing around the same time as Google, though it has been quicker to deploy it, as Google is known to be slow to implement such large changes. Currently, sandboxing Flash is only in dev.

Missed the point (4, Interesting)

Zerth (26112) | more than 3 years ago | (#36107416)

I thought the main reason Google had taken to distributing flash with Chrome was so they could sandbox it better than the regular shared version of flash the other browsers use? And better keep it up to date, as well, but mainly the former.

I guess I was mistaken.

Re:Missed the point (5, Informative)

Anonymous Coward | more than 3 years ago | (#36108062)

They do, but the sandbox for Flash isn't complete yet.

They're right in that this is a flash vulnerability; it's exploitable regardless of which browser you're actually using. Marking it as a Chrome vulnerability does everyone a disservice by making people on other browsers think they're safe.

Re:Missed the point (1)

Desler (1608317) | more than 3 years ago | (#36108652)

Marking it as a Chrome vulnerability does everyone a disservice by making people on other browsers think they're safe.

No, because the issue is both a Flash and Chrome issue.

I find it odd (1)

cpct0 (558171) | more than 3 years ago | (#36107420)

A company takes care to actually go through code, assembly, source, any means really, figure out a hack that's specific to Chrome ... and somehow, they are the ones misunderstanding the code. Somehow that answer doesn't satisfy me :)

Also, the answer would be equivalent to having my code use Sqlite as a dll, I bundle it in my package, I install it, it's mine ... but somehow when someone hacks my application through a (very theoretical - example only! move on trolls ;) ) sqlite bug, I would have the exit door saying "oh yes, you can hack my app, it's defenseless, but it's not my fault, it's sqlite here! *points*"

Please ... Chrome ... You bundle it, you vouch for it, you got hacked, you recognized it, don't start making excuses please. It's no big deal, it's only a bug, like there are countless in ALL applications throughout the world.

By that logic... (4, Interesting)

xyourfacekillerx (939258) | more than 3 years ago | (#36107432)

All the Malware/Virus problems windows has that can be attributed to 3rd party programs, this means now Microsoft is vindicated? My question is, does this Flash exploit work in other browsers? Or does it specifically take advantage of something wrong with Chrome? Cos if it's the latter, then whether it's a "Flash problem" or not, it still means Chrome is the vector.

Pointing fingers (1)

MonsterTrimble (1205334) | more than 3 years ago | (#36107466)

It's a legit pwn, but if it requires Flash, it's not a Chrome pwn.

If the dike fails and the land gets flooded, who cares if the dike was earth or stone? The point is that the place is flooded.

And that analogy is apropos considering what's going down here. [www.cbc.ca]

Re:Pointing fingers (0)

Anonymous Coward | more than 3 years ago | (#36107762)

If the "dike" has issues, you have to find whoever is in charge of its maintenance and make sure they know about them and fix them. In this case the Chrome developers' opinion is that this issue is the Flash developers' responsibility to fix.

Lame response (0)

Anonymous Coward | more than 3 years ago | (#36107538)

According to Google then, the vulnerability *does* sidestep the sandbox.

don't bundle (4, Insightful)

fermion (181285) | more than 3 years ago | (#36107584)

Years ago Flash was actively bundled with Safari on Apple. It was so bundled that when one updated Safari, Flash would be restored. It was impossible to remove Flash from an Apple computer because once Flash was on the computer, it infected all browsers. The issue, for those who love Flash, was that the number of Flash components on a web page often overwhelmed my computer. Of course when Camino had Flash blocking, Apple's autoloads of Flash were not an issue.

The Google response reminds me of when MS was in the habit of using PR to quash security reports instead of writing good code. Someone would come up with an exploit and MS would say it was not a well-configured, updated system, so fixing the code that fell to the exploit was not the responsibility of MS. The security people would then run the exploit again with a fresh out-of-the-box installation with all updates, and the machine would again be compromised. MS would then respond by saying that the user could easily configure the machine to not fall to the exploit, so it was a user issue and not an MS issue. The thing is that if the out-of-the-box configuration is not secure, then the machine is not secure. If an Android phone comes with Flash out of the box, and Flash is not secure, then the machine is not secure. It does not matter how fancy and pretty and secure the rest of the code may be.

Bugs! (0)

Anonymous Coward | more than 3 years ago | (#36107694)

Assuming that it's just a Flash bug, and not a sandbox escape as well (even of the limited Flash sandbox), then really it's up to Adobe to fix. That being said, Chrome, because it bundles Flash, has had a history of patching Flash bugs before Adobe does. But considering that very few details are out from Vupen on the exact nature of the exploit, it's really just speculation.

I think the general impression I got from reading about chrome was that they did indeed sandbox flash, so it might be a good idea for them to clarify with a blogpost, since it seems that the general conclusion is that most people thought the same (as opposed to only a limited sandbox which is rolling out in phases).

I don't think this is going to change my choice of browser either way, and I think it's quite impressive if this is indeed an exploit, and just how long chrome held out.

The real issue is companies like Adobe and MS... (-1)

Anonymous Coward | more than 3 years ago | (#36107788)

Adobe and MS are two companies that will always be plagued by security issues because they do not know better. The programmers at these companies are totally clueless when it comes to security.

Chrome escaped several "pwn2own" contests as the only non-pwned browser.

Quite a feat.

The way I see it is simple: Adobe produced such a pathetic POS in Flash that even the current Chrome sandboxing technology, which is already very good, cannot contain the Flash exploit.

In a future version I'm sure we'll see Google fixing Adobe's mess.

But, yup, time to treat Flash as malware and Adobe as a company producing malware, just as Microsoft is.

Now let's roll in the paid M$ astroturfing fanbois and their "I'm-a-programmer-because-I-can-program-in-Flash-or-in-Adobe-AIR" friends ;)

Re:The real issue is companies like Adobe and MS.. (0)

Anonymous Coward | more than 3 years ago | (#36107878)

Visual Basic FTW!

Re:The real issue is companies like Adobe and MS.. (0)

Anonymous Coward | more than 3 years ago | (#36107920)

The way I see it is simple: Adobe produced such a pathetic POS in Flash that even the current Chrome sandboxing technology, which is already very good, cannot contain the Flash exploit.

Can't decide if you are serious or a good troll, but you defend that it is OK that Google's sandbox is compromised because the code doing it was so bad?? Which would be by definition any code compromising a sandbox (which in this case it doesn't, btw. Flash isn't sandboxed in Chrome, which is not immediately apparent when Google toots their sandboxing and Flash integration)

Re:The real issue is companies like Adobe and MS.. (1)

Grishnakh (216268) | more than 3 years ago | (#36108100)

The programmers at these companies are totally clueless when it comes to security.

You don't know that. Programmers just implement what they're told to implement. The people to blame are the software architects, and probably also the executives. If the executives wanted security to be a priority, they'd direct their architects to make it happen.

Re:The real issue is companies like Adobe and MS.. (0)

Anonymous Coward | more than 3 years ago | (#36108624)

If the sandbox was so good it would have contained the flash exploit since that's its entire point. A sandbox is basically useless if it can be sidestepped regardless of what was exploited.

Anonymous coward 2 cents here (1)

Anonymous Coward | more than 3 years ago | (#36107822)

As an uninterested third party (I didn't really read the article, just the thread) who writes code for a living, the person responsible for the bug is the one who wrote the code, and the person you complain about the bug to is the one who makes the change to the code to fix it.

So who employs the person who hopefully fixes this bug at some point?

"pwn"? Really? (0)

Anonymous Coward | more than 3 years ago | (#36107828)

Are these so-called professionals all 13 or something?

Hint: There is no Sandbox. (2)

VortexCortex (1117377) | more than 3 years ago | (#36107834)

Anything short of running in a VM (hardware supported or purely in software), is not a "sandbox" in my book.

It is a Chrome flaw introduced by Google's use of the word "sandboxed" that really doesn't imply a sandbox at all.

Additionally, compiling JS to machine code and having Chrome execute that data is not "sandboxing" either.

A flaw in my VM's interpreter that allows code to escape the sandbox is one thing; running non-virtualized machine code that itself can be exploited is quite another.

At some point, you must stop, wipe your brow, and consider your trek through the desert -- Is there really an edge to this sandbox? Did I miss the line drawn in the wind-swept sand or have I been lied to yet again?

Re:Hint: There is no Sandbox. (0)

Anonymous Coward | more than 3 years ago | (#36108044)

AFAIK the Chrome sandbox uses Windows NT tokens and function interception to severely restrict process access to the system. The standard sandbox unfortunately would probably also cause the Flash plugin not to work.

This appears to entail running a second instance of the Flash plugin outside the sandbox, working as a broker.

Since this is the case, it may be possible to exploit both layers. The general sandboxing done for JS and HTML rendering is much simpler, and would likely not be as easy to exploit.

Re:Hint: There is no Sandbox. (1)

VortexCortex (1117377) | more than 3 years ago | (#36108266)

AFAIK the Chrome sandbox uses Windows NT tokens and function interception to severely restrict process access to the system. The standard sandbox unfortunately would probably also cause the Flash plugin not to work.

This appears to entail running a second instance of the Flash plugin outside the sandbox, working as a broker.

Since this is the case, it may be possible to exploit both layers. The general sandboxing done for JS and HTML rendering is much simpler, and would likely not be as easy to exploit.

So... What you're saying is that the lines have been firmly drawn in the sand. No amount of kicking at the sand (buffer overflow) will obscure the boundary?

Contrast the methods employed with hardware-virtualized sandboxing, under which the answer to my statements would actually be "yes".

Re:Hint: There is no Sandbox. (0)

Anonymous Coward | more than 3 years ago | (#36108456)

The problem in this case is that you want minimal, simple, well tested trusted code as your broker, communicating through a simple, verifiable IPC interface. The flash plugin obviously doesn't strictly adhere to this definition.

Aww, poor Tavis (0)

Anonymous Coward | more than 3 years ago | (#36107964)

Mod me flamebait or troll, I don't care, but anything that makes Tavis Ormandy whine with butthurt makes my day.

Was he upset the issue wasn't responsibly disclosed, and they went right to the media? Oh the horror! Who would DO that!?

pwn (2)

OrugTor (1114089) | more than 3 years ago | (#36108090)

Does anyone else find "pwn" to be fucking annoying?

Headline compression (1)

tepples (727027) | more than 3 years ago | (#36108356)

Headline length is limited, and "pwn" saves four characters vs. "exploit".

Re:pwn (1)

Eponymous Hero (2090636) | more than 3 years ago | (#36108648)

no. stfu.

but if it is in the flash "bundled" in chrome (1)

FudRucker (866063) | more than 3 years ago | (#36108254)

then it is google/chrome's fault, and google should quit bundling flash and let Adobe maintain their plugins...

VUPEN is the one at fault here (1)

lingon (559576) | more than 3 years ago | (#36108498)

Google admits this seems to be a real attack but it seems to be a Flash exploit. Since Flash seems to be an utter piece of sh^H^H not-so-good program, they've sandboxed it somewhat to get rid of a lot of attack vectors. However, in TFA they're publicly stating that their sandbox isn't perfect and that it won't stop all attacks. Google's Flash sandbox is better than nothing but it ain't perfect.

What I really think is the issue here is this French security firm that admittedly has a new zero-day against Flash and a way of compromising the Google Flash sandbox, and they refuse to let Google or Adobe fix it. Instead, they've decided to profit from it by selling the info to who knows what kind of organizations. That's immoral and should be downright illegal. Why isn't that the headline?

Oops (0)

Anonymous Coward | more than 3 years ago | (#36108522)

Since Flash comes bundled with Chrome any Flash exploit becomes a Chrome exploit. Google should stop blaming the media for not fact checking and start fixing their mess.

Flash sandboxed in only DEV version (0, Insightful)

Anonymous Coward | more than 3 years ago | (#36108548)

It was never stated whether this exploit works on Chrome dev or stable. In dev, Flash has finally been sandboxed.

If it manages to bypass the sandbox in DEV, then yeah it's a bug in chrome.

Otherwise, if it only works for stable, then it's simply a matter of time before dev is pushed to stable. It's well known that Flash has a variety of security issues, so it's not much of a surprise. Google's reason for bundling Flash remains valid. Remember, this site does not represent the norm, where Flash exists for over 95% of all users whether Google bundles it or not. Google's main reason was to make it easier to keep Flash up to date. Not much Google can do with 0-day exploits for Flash other than get the update to users as fast as possible when ADOBE fixes it.

Does it matter? (1)

pegr (46683) | more than 3 years ago | (#36108552)

If it shipped in Chrome, it's code Google distributed. Google-pwn.

Flash is never going away. Accept it. (1)

bl8n8r (649187) | more than 3 years ago | (#36108658)

No matter how much you want it to be gone, Flash is like ActiveX and IE: a necessary piece of software for many production applications in use today. To take those pieces away means costing corporations several thousands if not millions in re-inventing their wheels. Corporations don't like to do that, and many IT budgets aren't fat enough to do it. No matter how much Steve Jobs bitches about it, his argument is irrelevant - at least at this point in time.

It will take the industry a good many years to shift away from their crappy software suite dependencies (IE, Flash, Active-X, etc, etc) but until that happens, we are stuck with Flash so let's just stop with all the whining.
