Message-ID: <58DB1B68E62B9F448DF1A276B0886DF193035F19@EX2010.hammerofgod.com>
Date: Fri, 21 Oct 2011 16:22:02 +0000
From: "Thor (Hammer of God)" <thor@...merofgod.com>
To: "security@...ossecurity.com" <security@...ossecurity.com>,
"bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>,
"full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>,
"cert@...t.org" <cert@...t.org>, "si-cert@...es.si" <si-cert@...es.si>
Subject: Re: Google Chrome pkcs11.txt File Planting

For what it's worth, I found this article to be far more "matter of fact" in regard to the general concept, the existing (default) conditions in play, and the conditions which need to be in place (or manipulated) in order for this to be exploited than some of the other material your company has presented in the past. Noting "it may or may not be a vulnerability" shows some research maturity and business intelligence on your part, and was actually refreshing.
When researchers spend too much time painting dire pictures of impact based on (what is typically) non-standard or exaggerated exposure scenarios, the actual message in the research is lost. In this case, developers can very easily see how including features that support functions such as "library=\\www.binaryplanting.com\demo\chrome_pkcs11Planting\malicious.lib" is a really bad idea.
t
>-----Original Message-----
>From: full-disclosure-bounces@...ts.grok.org.uk [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of ACROS Security Lists
>Sent: Friday, October 21, 2011 2:07 AM
>To: bugtraq@...urityfocus.com; full-disclosure@...ts.grok.org.uk;
>cert@...t.org; si-cert@...es.si
>Subject: [Full-disclosure] Google Chrome pkcs11.txt File Planting
>
>
>A month ago our company notified Google about a peculiar behavior of
>Chrome browser that can be exploited for execution of remote code outside
>Chrome sandbox under specific conditions. Our new blog post describes it all.
>
>http://blog.acrossecurity.com/2011/10/google-chrome-pkcs11txt-file-planting.html
>
>or
>
>http://bit.ly/olK1P9
>
>Enjoy the reading!
>
>
>Mitja Kolsek
>CEO&CTO
>
>ACROS, d.o.o.
>Makedonska ulica 113
>SI - 2000 Maribor, Slovenia
>tel: +386 2 3000 280
>fax: +386 2 3000 282
>web: http://www.acrossecurity.com
>blg: http://blog.acrossecurity.com
>
>ACROS Security: Finding Your Digital Vulnerabilities Before Others Do
>
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/