Unplugged: Google Blames Chrome Breach on Adobe Flash

French security group Vupen announced that vulnerabilities in the Google Chrome browser running on Windows allowed its researchers to bypass all security features, including the browser's sandbox mode.

Google engineers are defending the security of the company's browser code after Vupen researchers reported finding a zero-day exploit in Chrome running on Windows. Chrome engineers used social media to claim that the security issues are associated with a recently discovered vulnerability found in Adobe's Flash plugin, which is bundled with the browser.

On Monday, French security group Vupen announced that vulnerabilities in the browser allowed its researchers to bypass all security features, including the browser's sandbox mode. Vupen has not provided any information to Google about the exploits.

In response, members of Google's Chrome engineering team took to Twitter, LinkedIn and other social media outlets to place the blame on Adobe. 


"It's a legit pwn, but if it requires Flash, it's not a Chrome pwn," wrote Chris Evans, Google's information security engineer and tech lead, in a Tweet this morning. "Do Java bugs count as a Chrome pwn too, because we support NPAPI?"

Also joining the Google Twitter defense was Tavis Ormandy, an engineer at Google: "As usual, security journalists don't bother to fact check. VUPEN misunderstood how sandboxing worked in Chrome, and only had a flash bug." Ormandy was the security researcher who publicly disclosed a Windows XP help flaw in July, eliciting a reaction from Microsoft.

Ironically, Vupen's claims about the Google Chrome security vulnerabilities could not be broadly verified because the security firm stated it would not release the specifics of the zero-day hack to the public.

Chaouki Bekrar, Vupen's founder and head researcher, defended the company's confirmation of the exploit. Bekrar jumped into the Twitter war of words by asserting that the hack is, in fact, legitimate. Responding directly to Chris Evans' Tweet, Bekrar wrote, "Flash bugs are equivalent to Chrome sandbox escapes from an attacker's perspective. You're thinking like developers."

Bekrar also noted on his Twitter feed today that the hack had been verified to work on both Chrome versions 11 and 12, running on a Windows machine.


About the Author

Chris Paoli is the associate Web editor for 1105 Enterprise Computing Group's Web sites, including Redmondmag.com, RCPmag.com, ADTmag.com and VirtualizationReview.com.
