lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <2C907A76B43C464C82E7CF1AA278A8296949CE0A@MBX07.exg5.exghost.com>
Date: Tue, 16 Nov 2010 06:05:46 -0600
From: Amit Klein <amit.klein@...steer.com>
To: "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>
Subject: Quick update on Google Chrome's Math.random() predictability by
 Amit Klein, Trusteer

Hi list,

This is a quick update regarding Google Chrome's Math.random implementation and its vulnerability. Our original results with Google Chrome 3.0 and above don't hold as-is for Google 6.0 and above due to a change introduced in the Google Chrome Math.random implementation. However, the attack algorithm can be modified to take this change into account, so the vulnerability is still in effect. As reported earlier, it is possible to read application states across domains, thus enabling for e.g. in-session phishing. This was reported to Google's security team earlier this year, which responded by stating that there is no ETA for a fix and we're free to publish our results. 

For additional details, please read the full paper at:
http://www.trusteer.com/sites/default/files/Google_Chrome_6.0_and_7.0_Math.random_vulnerability.pdf

Thanks,
-Amit
Amit Klein, CTO, Trusteer

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ