About the Critical Security Issue in the Aviator Browser - samuirai
https://github.com/WhiteHatSecurity/Aviator/issues/24#issuecomment-69456316

======
tptacek
Backstory:

You probably don't care about this much if you don't pay attention to the market
for security services.

WhiteHat is a well-known VC-funded enterprise appsec company. They sell a SAAS
web security scanner. Their founder and now CEO is Jeremiah Grossman, a pretty
well-known web security guy.

A year or so ago? WhiteHat released "Aviator", a "secure browser". Aviator, as
it turns out, is rebranded Chromium. Chromium is an open-source project, of
course. Aviator is (at the time) not.

Fast forward a year. The Aviator browser product has fizzled, like most new
products do. WhiteHat executes the "open source the project and make like
that's an outcome we are happy about" play, using language which ---
corroborated a bit by this post --- signals that the project has been
abandoned.

Several hours later, Google star vulnerability researcher Tavis Ormandy
tweets(!) an embarrassing drive-by RCE in Aviator.

Hours after that, Justin Schuh from the Chromium security team posts what can
best be described as thermonuclear schadenfreude† to his Google+ feed (if
you're not a vulnerability researcher, you should know that there are major
points for style awarded to a meaningful critique of the _branding code_ in a
target).

In response to all this, Robert Hansen (a very well-known web security guy
employed by WhiteHat) writes what I would call an ill-advised and
transparently prickly response on WhiteHat's blog††, suggesting that WhiteHat
has been victimized by their underdog status.

I like some of the people involved with WhiteHat, Hansen among them, but I
think Aviator was a very bad idea and I am --- if I am honest, and it's a bit
painful to admit this --- kind of happy it failed in the market. For full
disclosure purposes I also have to admit thinking very highly of Justin Schuh
and being basically in cortisol-redlining mortal terror of Tavis Ormandy.

† [https://plus.google.com/u/0/+JustinSchuh/posts/69qw9wZVH8z](https://plus.google.com/u/0/+JustinSchuh/posts/69qw9wZVH8z)

†† [https://blog.whitehatsec.com/aviator-open-source-day-1/](https://blog.whitehatsec.com/aviator-open-source-day-1/)

~~~
samuirai
> Several hours later, Google star vulnerability researcher Tavis Ormandy
> tweets(!) an embarrassing drive-by RCE in Aviator.

This bug was reported many months ago (though at that point it wasn't clear
that it was actually an RCE). See:

> In early 2014, the "Error138" is reported and disclosed for the first time.

------
walterbell
Is there anything Google (or the Chromium team) could do to simplify an out-
of-the-box "maximum privacy" mode based on the docs linked from the post?

[https://www.google.com/chrome/browser/privacy/whitepaper.html](https://www.google.com/chrome/browser/privacy/whitepaper.html)

[https://noncombatant.org/2014/03/11/privacy-and-security-settings-in-chrome/](https://noncombatant.org/2014/03/11/privacy-and-security-settings-in-chrome/)