"To date, most successful attacks against Chrome exploit Adobe Flash, which is protected by a significantly more porous sandbox."
I notice that pretty much every time I read articles about Pwn2Own and similar. It's high time that Flash was abandoned as a ubiquitous part of the web. It is to web development as Outlook Express was to desktop software in the 90s - sure it's everywhere, but it's not doing much good by being so.
If anybody else is looking, this can be done (without addons) under:
[Wrench] > Settings > "Under the Bonnet" Advanced Settings > "Privacy" Content Settings > Scroll down to "Plugins" and select "Click to Play". Manage exceptions as required.
The cases I've read about were of the form "app A asks app B to do something it can't via the Intent system". That sounds scary until you realize that a standard example of this is an app that can't access the network sharing something via email. In other words, app A has transferred control to app B and what the user does (or doesn't) decide to do with app B is their choice, not app A's.
Indeed. Delegation via intents makes things more secure as broken code can be patched in one place rather than in many. And, you get tighter control over what apps can do: if you never want an app to share something via Facebook, simply uninstall the app that provides the "share via Facebook" intent.
Interesting point. Sometimes I find myself wanting to keep the app, but drop the intent. Usually that is to shorten a list, but not always. I'd love to see low-level intent-blocking (as well as low-level, fine-grained permissions blocking, but that's a whole other story).
With exploits like that, it seems like sandboxing is becoming increasingly irrelevant.
I don't think it's a good argument - what about defense in depth? Don't antivirus packages have heuristic protections? Or are those, in general, useless?
The commits are all there, the fixes just might not look completely obvious. We (chromium) commit all fixes to the chromium repository before pushing them to users, always.
That's only the Pwnium hack, though. The Pwn2Own vulnerability remains undisclosed and unfixed.
Which leads me to the question: why aren't companies like Google customers of companies like Vupen? Too many of them to make it cost-effective? Or does Vupen (for example) prefer if those holes are not fixed? You can sell a vulnerability many times, after all.
25 comments
[ 4.7 ms ] story [ 66.0 ms ] threadI notice that pretty much every time I read articles about Pwn2Own and similar. It's high time that Flash was abandoned as a ubiquitous part of the web. It is to web development as Outlook Express was to desktop software in the 90s - sure it's everywhere, but it's not doing much good by being so.
If anybody else is looking, this can be done (without addons) under:
[Wrench] > Settings > "Under the Bonnet" Advanced Settings > "Privacy" Content Settings > Scroll down to "Plugins" and select "Click to Play". Manage exceptions as required.
I used to use Flashblock with Chrome but this works just as well, not to mention being built in. I use this setting on my CR-48 (Chromebook).
The cases I've read about were of the form "app A asks app B to do something it can't via the Intent system". That sounds scary until you realize that a standard example of this is an app that can't access the network sharing something via email. In other words, app A has transferred control to app B and what the user does (or doesn't) decide to do with app B is their choice, not app A's.
I don't think it's a good argument - what about defense in depth? Don't antivirus packages have heuristic protections? Or are those, in general, useless?
And that the SVN commit history is available: http://build.chromium.org/f/chromium/perf/dashboard/ui/chang...
But I don't see any commit that look even remotely related to this exploit. What's up?
By committing the fix, they would effectively be releasing a step-by-step guide on how to exploit the vulnerability.
Certainly if you build Chromium from git/SVN now, the bug is fixed.
I just find it a little strange that their changelog / list of commits in each version is not true.
-- a change to kUnreachableWebDataURL
Which leads me to the question: why aren't companies like Google customers of companies like Vupen? Too many of them to make it cost-effective? Or does Vupen (for example) prefer if those holes are not fixed? You can sell a vulnerability many times, after all.
A patched vulnerability would not be worth nearly as much to them and their customers.
P.S. Vupen sells to ASEAN. ASEAN includes Burma (Myanmar). Burma is not a happy place.