Whitehats Hack Chrome Browser

HardOCP News

[H] News
Joined
Dec 31, 1969
Messages
0
Security researchers have "officially pwned Google Chrome" using a 0-day exploit. Then again, we cares...I got free Angry Birds. Here's a video of the exploit in action.
 
How is this useful? I didn't watch it with audio but it seems like he just launched calculator. What could he execute that would actually do something worthwhile?
 
calculator was used as an example. It was there to show that any program could be launched through the exploit.
 
It's sad that Computer World calls these researchers "whitehats"

This VUPEN organization won't even release the details of the vulnerability to Google so they can fix it.
 
How is this useful? I didn't watch it with audio but it seems like he just launched calculator. What could he execute that would actually do something worthwhile?

There wasn't any audio. i'm not sure what exactly there were trying to show. did they just make the calculator pogram start up or where they actually controlling the mouse also with that flaw.
 
according to their site, they didn't launch calculator, they downloaded the calculator from a remote site and then ran the calculator.
 
I saw it yesterday. That scared me enough to install NotScripts.
 
It's sad that Computer World calls these researchers "whitehats"

This VUPEN organization won't even release the details of the vulnerability to Google so they can fix it.

Agreed.

VUPEN are the rented thugs of the computer security world, continually finding new security holes so they can sell them to the highest bidder (like governments that want to suppress dissidents)
 
It's sad that Computer World calls these researchers "whitehats"

This VUPEN organization won't even release the details of the vulnerability to Google so they can fix it.

Not to mention anyone that says "PWND" should not be taken seriously. These kiddies are a bunch of trolls.
 
according to their site, they didn't launch calculator, they downloaded the calculator from a remote site and then ran the calculator.

Thanks, i didn't look at the link that was posted and assumed it was just a link to the youtube video. didn't realize there was an article that explained the video.
 
Release to google for a couple bucks reward..

Sell to highest bidder...

Ya'll might think they are scum for it, but I know which option i'd take :|
 
If this were an IE bug I doubt people would be attacking the discoverers as much.

I think it goes both ways. Just look at MACs having malware now :D. Those fanboys are the ones that keeps attacking the other platforms. The way I see it is, there are different ways to program something. If there's a problem with one, you either live with it, fix it, or switch to another program that's going to give you the same features. But understand that there are problems and accept it.
 
Zarathustra[H];1037239916 said:
Agreed.

VUPEN are the rented thugs of the computer security world, continually finding new security holes so they can sell them to the highest bidder (like governments that want to suppress dissidents)

The hole was created (albeit unintentionally) by Google. Why does anyone have obligation to solve Google's problems for them without recompense? If Google is so awesome, they would be able to find and fix this before these "thugs."

Magical white-hat hackers don't come and fix bugs in my company's software, my co-workers and have to do it. What wonderful magical lovey-dovey world do you live in?
 
The hole was created (albeit unintentionally) by Google. Why does anyone have obligation to solve Google's problems for them without recompense? If Google is so awesome, they would be able to find and fix this before these "thugs."

Magical white-hat hackers don't come and fix bugs in my company's software, my co-workers and have to do it. What wonderful magical lovey-dovey world do you live in?

They are not obligated to do shit except not be called white-hats because they aren't white hats.
 
Why does anyone have obligation to solve Google's problems for them without recompense?

Actually it wouldn't be without recompense, as google pays bounties to anyone who submits bugs to them. However the bounty is no where near as large as what they'll make selling off the info.
 
they seem to have UAC off in the video? so this would probably only effect the dumbshits that turn that off?
 
if it can bypass UAC then microsoft and the nsa would be all over this???
 
Oh cool. I use SRWare Iron 11 and it strips out the built in Flash player and PDF viewer. On /. the theory was js.
 
what I see that it just proves that google's "submit a bug" way of doing things, works, if people go along with it, otherwise chrome is just like any other browser, as proven by this group who didn't submit the expoit but choose to let it loose on a video, for what reason, I don't care, point taken other companies should be doing though what google is doing to help keep chrome secure :) (on their software of course)
 
Most programs will have vulnerabilities eventually. Especially after major patches. This is common place.
Also the WhiteHats like to seperate themselves from the BlackHats. I assume you all know who the BlackHats are. They went off on Cisco a few years back when cisco took a shot at them during their own conference. :D Just hope those "greedy" whitehats find your holes before the BlackHats do. The BlackHats do not publish that shit. They use it.
 
What if there is no exploit and there is an application running the background with a keyboard hook that launches calculator or whatever binary you wish?

Just saying.
 
Wait, who are their customers
Are they selling those exploits to other hackers? :eek:
Governments, hackers, whoever. Page 2 has more details about the exploit, where VUPEN admits it's a flaw with the version of Flash player bundled with Chrome 11/12. The Chrome project site states that Flash is only partially sandboxed in Chrome. The feat of breaking the browser is a lot less impressive with that info.

I use SRWare Iron (Chrome), which doesn't include that Flash player or the PDF viewer. Win. :p
 
Easily faked.

1) bind calc.exe to keyboard shortcut
2) open "odd URL"
3) press keyboard shortcut

I doubt it to be true.
 
Governments, hackers, whoever. Page 2 has more details about the exploit, where VUPEN admits it's a flaw with the version of Flash player bundled with Chrome 11/12. The Chrome project site states that Flash is only partially sandboxed in Chrome. The feat of breaking the browser is a lot less impressive with that info.

I use SRWare Iron (Chrome), which doesn't include that Flash player or the PDF viewer. Win. :p
Agreed. It's an Adobe flaw (nothing new there), so it's not very impressive at all.

If this were an IE bug I doubt people would be attacking the discoverers as much.
Well, you know Microsoft gets that special treatment from the public...
 
Easily faked.

1) bind calc.exe to keyboard shortcut
2) open "odd URL"
3) press keyboard shortcut

I doubt it to be true.

this is how most exploits are shown (download calc and open it) so your talking crap your self
 
As soon as they sell it to someone else, they are no longer white hats; they have become servants of the dark side.
 
they just did a chrome stable update and it now has flash 10.3 maybe they fixed it?
 
Grayhats maybe? Bounty hunters weren't exactly nice guys but the tendency was to hunt down the bad ones.
 
Back
Top