Chrome "0-day PoC" presented at Malcon 2012.

Discussion in 'other security issues & news' started by Baserk, Nov 26, 2012.

Thread Status:
Not open for further replies.
  1. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,317
    Location:
    AmstelodamUM
    Came across a news article about the Georgian researcher Ucha Gobejishvili who presented a Chrome 0-day PoC at Indian Malcon 2012, who claim to have the "Highest quality of research papers".

    "The vulnerability is in a DLL (dynamic link library) that is part of the browser and could potentially work on other platforms, though he will demonstrate it on a Windows system.
    The hole, if exploited, could allow a remote attacker to place and run a malicious executable file on the vulnerable system, he said. Beyond that, Gobejishvili said that the exploit will work even on the latest version of Chrome.
    "

    The guy refuses to help out Google/take $60000 (Vupen will probably offer more, that I could understand).
    But it's all rather vague, here's a short (imao not so convincing) presentation on youtube: --https://www.youtube.com/watch?feature=player_embedded&v=AvkbhFmJcn4--
    So far he has reported the following 'reports' to the Chromium project...
    There's really little information to go on, anyone know of more info on this presentation?
     
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Having seen his previous reports I will be very surprised if he's got something legitimate.
     
  3. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,317
    Location:
    AmstelodamUM
    'The saga of the latest zero-day vulnerability and exploit for the Google Chrome browser took another mysterious turn over the weekend.
    The 19-year-old Georgian security researcher who found the vulnerability in the browser was called up for compulsory military duty in his country and was unable to deliver his presentation Saturday at the Malcon security conference in India.
    Conference organizer Rajshekhar Murthy told Threatpost in an email that Ucha Gobejishvili was called in last minute and was not able to travel to New Delhi.
    ' link

    'As for Mr. Gobejishvili, he first made this 0day claim a few months ago, but has yet to provide any details. So, all we have is a handful of other "security bugs" he's reported to the Chromium project in the past; all of which are publicly listed here: http://goo.gl/Geh42
    These past reports might provide some basis for judging the credibility of Mr. Gobejishvili's claim, since he won't be including any verifiable details in the presentation itself. And to be clear, I don't want to imply that there may not be people out there with legitimate Chrome 0days. To the contrary, Chrome is a complex project with a lot of attack surface and the target of many very talented researchers. I'm just dubious of such claims from someone unfamiliar with very basic security concepts (like the difference between OOM and memory corruption).
    ', according to Google engineer Justin Schuh link
    Some vetting at Malcon there. I'd assume he would have to have some reputation to get invited, if not a high quality research paper. Perhaps all just an elaborate way to get a paid-for holiday in India, (jk).
     
Loading...
Thread Status:
Not open for further replies.