ID: IRCNE2011051111
Date: 2011-05-12
According to "Computerworld", several Google security engineers have countered claims that a French security company found a vulnerability in Chrome that could let attackers hijack Windows PCs running Google's browser. Those engineers said the bug Vupen exploited to hack Chrome was in Adobe's Flash, which Google has bundled with the browser for over a year.
"As usual, security journalists don't bother to fact check," said a Google security engineer, in a tweet earlier today. "Vupen misunderstood how sandboxing worked in Chrome, and only had a Flash bug."
But a Google spokesman said today that the investigation is ongoing because Vupen is not sharing any details with Google.
When asked to confirm the source of the vulnerabilities it exploited, Vupen was blunt in its refusal to share any information.
"We will not help Google in finding the vulnerabilities," said Chaouki Bekrar, Vupen's CEO and head of research, in an email reply to questions. "Nobody knows how we bypassed Google Chrome's sandbox except us."
While the Google engineers seemed to acknowledge that a bug in Flash was involved in Vupen's exploit, they also defended the sandbox technology -- meant to isolate Flash from the rest of the computer -- even as it apparently failed to prevent an attack.