Full Disclosure mailing list archives
Re: Google Chrome pkcs11.txt File Planting
From: "Thor (Hammer of God)" <thor () hammerofgod com>
Date: Fri, 21 Oct 2011 16:22:02 +0000
For what it's worth, I found this article to be far more "matter of fact" in regard to the general concept, the existing (default) conditions in play, and the conditions which need to be in place (or manipulated) in order for this to be exploited than some of the other material your company has presented in the past. Noting "it may or may not be a vulnerability" shows some research maturity and business intelligence on your part, and was actually refreshing. When researchers spend too much time painting dire pictures of impact based on (what is typically) non-standard or exaggerated exposure scenarios, the actual message in the research is lost. In this case, developers can very easily see how including features that support functions such as "library=\\www.binaryplanting.com\demo\chrome_pkcs11Planting\malicious.lib" is a really bad idea. t
-----Original Message----- From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure- bounces () lists grok org uk] On Behalf Of ACROS Security Lists Sent: Friday, October 21, 2011 2:07 AM To: bugtraq () securityfocus com; full-disclosure () lists grok org uk; cert () cert org; si-cert () arnes si Subject: [Full-disclosure] Google Chrome pkcs11.txt File Planting A month ago our company notified Google about a peculiar behavior of Chrome browser that can be exploited for execution of remote code outside Chrome sandbox under specific conditions. Our new blog post describes it all. http://blog.acrossecurity.com/2011/10/google-chrome-pkcs11txt-file- planting.html or http://bit.ly/olK1P9 Enjoy the reading! Mitja Kolsek CEO&CTO ACROS, d.o.o. Makedonska ulica 113 SI - 2000 Maribor, Slovenia tel: +386 2 3000 280 fax: +386 2 3000 282 web: http://www.acrossecurity.com blg: http://blog.acrossecurity.com ACROS Security: Finding Your Digital Vulnerabilities Before Others Do _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Google Chrome pkcs11.txt File Planting ACROS Security Lists (Oct 21)
- Re: Google Chrome pkcs11.txt File Planting Thor (Hammer of God) (Oct 21)
- Re: Google Chrome pkcs11.txt File Planting Chris Evans (Oct 21)
- Re: Google Chrome pkcs11.txt File Planting Mitja Kolsek (Oct 22)