Unless you live under a rock or you don’t give a damn about what happens in the sec world, you have probably heard that the guys at French vendor VUPEN have managed to pwn Google’s Chrome browser and execute arbitrary code by breaking out of the browser’s sandbox. In short, they pwn3d the browser that is widely touted as the most secure of its kind on the market.
As a demonstration, they pushed a video of the attack against the Chrome browser, but did not disclose the proof-of-concept to Google. Instead, they chose to share it exclusively with their government customers. This approach is somewhat different from what we usually do in the security industry following the discovery of a 0-day exploit: keep mum about it in public and quickly alert the vendor so it can issue a fix.
I’m not sure how VUPEN is going to play this out, but I’m pretty sure that this is not the right way to do it. After all, the pitch goes like this: we show you that the product you’re using is buggy and you may get owned, but if you want to keep on using it while staying safe, you should buy from us. What exactly happens to non-customers, not to mention the non-corporate Chrome users? Should they be left vulnerable until Google finally figures out what went wrong?
For years, the computer industry has been striving to offer a minimum degree of protection for free. I mean, most free antiviruses have the bare essentials for malware detection and removal, at the cost of ease of use. For instance, most of these AVs have to be scheduled to start, or require the user to scan a file manually before opening it.
At the same time, the same vendors provide completely free removal tools to rid users of infections. It’s some sort of basic healthcare plan that not only minimizes the impact of malware on the affected users, but, at the same time, keeps the unaffected users safe from the potential attacks coming from the compromised systems.
VUPEN’s announcement has surely raised some spirits somewhere in the remote locations of the world where not-so-friendly techies are currently scavenging through Chrome to find the vulnerability. I’m not sure that it hasn’t been discovered yet, but, if it exists, it will emerge sooner or later. And when it does, I hope that Google will have fixed it in the meantime, because a lot of Chrome users will be caught off-guard by a sandbox-piercing 0-day that – quite conveniently – can bypass ASLR and DEP. And that is not funny at all.