Full Disclosure
mailing list archives
Re: Google Chrome pkcs11.txt File Planting
From: "Thor (Hammer of God)" <thor () hammerofgod com>
Date: Fri, 21 Oct 2011 16:22:02 +0000
For what it's worth, I found this article to be far more "matter of fact" in regard to the general concept, the
existing (default) conditions in play, and the conditions which need to be in place (or manipulated) in order for this
to be exploited than some of the other material your company has presented in the past. Noting "it may or may not be
a vulnerability" shows some research maturity and business intelligence on your part, and was actually refreshing.
When researchers spend too much time painting dire pictures of impact based on (what is typically) non-standard or
exaggerated exposure scenarios, the actual message in the research is lost. In this case, developers can very easily
see how including features that support functions such as
"library=\\www.binaryplanting.com\demo\chrome_pkcs11Planting\malicious.lib" is a really bad idea.
t
-----Original Message-----
From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of ACROS Security Lists
Sent: Friday, October 21, 2011 2:07 AM
To: bugtraq () securityfocus com; full-disclosure () lists grok org uk; cert () cert org; si-cert () arnes si
Subject: [Full-disclosure] Google Chrome pkcs11.txt File Planting
A month ago our company notified Google about a peculiar behavior of
Chrome browser that can be exploited for execution of remote code outside
Chrome sandbox under specific conditions. Our new blog post describes it all.
http://blog.acrossecurity.com/2011/10/google-chrome-pkcs11txt-file-planting.html
or
http://bit.ly/olK1P9
Enjoy the reading!
Mitja Kolsek
CEO&CTO
ACROS, d.o.o.
Makedonska ulica 113
SI - 2000 Maribor, Slovenia
tel: +386 2 3000 280
fax: +386 2 3000 282
web: http://www.acrossecurity.com
blg: http://blog.acrossecurity.com
ACROS Security: Finding Your Digital Vulnerabilities Before Others Do
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/