Re: Google Chrome pkcs11.txt File Planting

[Chris Evans <scarybeasts () gmail com>]

On Fri, Oct 21, 2011 at 2:06 AM, ACROS Security Lists <lists () acros si> wrote:
> A month ago our company notified Google about a peculiar behavior of Chrome browser
> that can be exploited for execution of remote code outside Chrome sandbox under
> specific conditions. Our new blog post describes it all.
>
> http://blog.acrossecurity.com/2011/10/google-chrome-pkcs11txt-file-planting.html

Interesting. Clear write-up.
I'm not a Windows guy but the article led me to research this:

http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=windows+file+dialog+changes+cwd

Isn't that the most significant contributor? An application carefully
puts its CWD somewhere sane and then the underlying operating system
flips it around later? Might that also cause non-determinism for
multi-threaded apps? Does the problem affect Mac, Linux users?


Cheers
Chris

> or
>
> http://bit.ly/olK1P9
>
> Enjoy the reading!
>
>
> Mitja Kolsek
> CEO&CTO
>
> ACROS, d.o.o.
> Makedonska ulica 113
> SI - 2000 Maribor, Slovenia
> tel: +386 2 3000 280
> fax: +386 2 3000 282
> web: http://www.acrossecurity.com
> blg: http://blog.acrossecurity.com
>
> ACROS Security: Finding Your Digital Vulnerabilities Before Others Do
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/