Tuesday, May 10, 2011

Chrome Falls, Maybe

VUPEN's recent announcement about a possible Chrome flaw has to make everyone say - HEY! Where's the Beef? In a video. Lame. Give us PoC code or keep your mouth shut. I understand security research and selling discoveries. I don't understand selling them and then bragging about your discovery with half-assed details and a video. Sell and shut the hell up to allow your customers to get the full value for their cash. I'd be rather miffed if I were your customer _and had intent_ to use the vulnerability. Responsible disclosure is always an option...

The claim in the advisory:
"... we have now uncovered a reliable way to execute arbitrary code on any default installation of Chrome despite its sandbox, ASLR and DEP."

Good find, VUPEN! Gratz on taking down Big G's Chrome! Your advisory looks like a Jedi mind trick though - "We have the vulnerability you're looking for". Again, I ask you, "Where's the Beef, good sirs?" And while you're at it, please explain your intent behind disclosing without Proof of Concept code and without vendor contact.

