Google Revealed Details of Vulnerabilities in Chrome

Google Revealed Details of Vulnerabilities in Chrome



As early as 2015, Google decided to “raise rates” and said that it would pay $ 100,000 to a specialist who will be able to create and demonstrate a chain of exploits that ensures a steady compromise of Chromebox or Chromebook through a web page in guest mode. Let me remind you that before that, the company offered $ 50,000 for such a proof-of-concept.

Google Revealed Details of Vulnerabilities in Chrome

Last week, it became known that as early as September 2017, an IS specialist known as Gzob Qq discovered a number of vulnerabilities that allow for a persistent compromise of Chromebox or Chromebook devices while respecting the rest of the “task” conditions.

The chain of exploits of Gzob Qq included the following bugs: vulnerability in the JavaScript engine V8, associated with out-of-bounds access to memory (CVE-2017-15401); Privilege escalation in PageState (CVE-2017-15402); the ability to inject commands into the network_diag component (CVE-2017-15403); as well as the symlink traversal problem in crash_reporter (CVE-2017-15404) and cryptohomed (CVE-2017-15405).

The expert demonstrated to Google engineers a working proof-of-concept exploit, which was tested on Chrome 60 and Chrome OS version 9592.94.0. As a result, at the end of October, with the release of Chrome OS 62 version 9901.54.0 / 1, the problems found by the researcher were eliminated, along with the recently discovered vulnerability of KRACK.

As it turned out, back in October, the expert was informed that he was receiving a Pwnium reward of $ 100,000. But details about the attack and individual vulnerabilities were revealed only last week, and now a detailed report of Gzob Qq is available here.

It is worth noting that this is not the first time that Gzob Qq receives such a large reward for exploits and bugs. So, a year ago, he already received the same big award from Google, having demonstrated a very similar PoC-chain of exploits for Chrome OS.

SEE ALSO  What You Have Not Known About Information Security


Now your take on this argument.

We would also like to hear what you feel about the topic we discussed today. Your feedback is very important to us. Feel free to drop your comments and recommendations. If you have a contrary opinion, you can drop that too.


You can also join our Facebook Page CRMNigeria for more updates. You can do that by clicking on the link or searching for our page on Facebook.



" This Post Was First Published On CEHNigeria "

Share This Post

Be the first to comment

Leave a Reply

Your email address will not be published.