
Critical Google Chrome hole plugged in 24 hours - dbh937
http://arstechnica.com/business/news/2012/03/after-the-pwnage-critical-google-chrome-hole-plugged-in-24-hours.ars
======
sedev
"To date, most successful attacks against Chrome exploit Adobe Flash, which is
protected by a significantly more porous sandbox."

I notice that pretty much every time I read articles about Pwn2Own and
similar. It's high time that Flash was abandoned as a ubiquitous part of the
web. It is to web development as Outlook Express was to desktop software in
the 90s - sure it's everywhere, but it's not doing much good by being so.

~~~
ja27
I keep it disabled in Chrome and selectively enable it for sites I trust or
as-needed. I'm glad to see that it's less necessary over time.

~~~
shrikant
A thousand upvotes to you for this information.

If anybody else is looking, this can be done (without addons) under:

[Wrench] > Settings > "Under the Bonnet" Advanced Settings > "Privacy" Content
Settings > Scroll down to "Plugins" and select "Click to Play". Manage
exceptions as required.

~~~
RexRollman
This.

I used to use Flashblock with Chrome but this works just as well, not to
mention being built in. I use this setting on my CR-48 (Chromebook).

------
semenko
The Chrome Release blog says it's fixed:
http://googlechromereleases.blogspot.com/2012/03/chrome-stable-channel-update.html

And that the SVN commit history is available:
http://build.chromium.org/f/chromium/perf/dashboard/ui/changelog.html?url=/branches/963/src&range=125577:124982&mode=html

But I don't see any commit that looks even remotely related to this exploit.
What's up?

~~~
jamesr
The commits are all there, the fixes just might not look completely obvious.
We (Chromium) commit all fixes to the Chromium repository before pushing them
to users, always.

~~~
vinhboy
Do you guys ever do write-ups about the bugs? I would be interested in reading
that.

~~~
jamesr
I don't think we do that as a general habit, but that may happen in this case.

------
kevs
With a response time like that it seems like antivirus software is becoming
increasingly irrelevant.

~~~
beatle
Meanwhile, critical Android security holes remain unpatched for more than 2
yrs.

~~~
jrockway
A real security hole, or one like "if someone watches you type your PIN code,
they'll know your PIN code"?

~~~
Scaevolus
Security holes that render the permissions system completely useless, since
even a no-permissions app can end up doing anything.

~~~
fpgeek
Do you have an example?

The cases I've read about were of the form "app A asks app B to do something
it can't via the Intent system". That sounds scary until you realize that a
standard example of this is an app that can't access the network sharing
something via email. In other words, app A has transferred control to app B
and what the user does (or doesn't) decide to do with app B is their choice,
not app A's.

~~~
jrockway
Indeed. Delegation via intents makes things _more secure_ as broken code can
be patched in one place rather than in many. And, you get tighter control over
what apps can do: if you never want an app to share something via Facebook,
simply uninstall the app that provides the "share via Facebook" intent.
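
The delegation pattern described in the two comments above (app A hands a
share off to app B through the Intent system, and the user chooses B in the
chooser), as an added Android example that is not part of the thread or of any
project mentioned in it. The package and class names are hypothetical; the
`Intent`, `PackageManager` and `createChooser` calls are standard Android SDK
APIs. The sending app needs no `INTERNET` permission: whichever app the user
picks does the network work under its own permissions, and uninstalling a
handler app removes it from the resolved list.

```java
// Added example, not from the thread. Hypothetical package/class names.
package example.intentdelegation;

import android.app.Activity;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.content.pm.ResolveInfo;
import android.os.Bundle;
import java.util.ArrayList;
import java.util.List;

public class ShareActivity extends Activity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);

        // Implicit intent: this app only states "send this text somewhere";
        // it names no recipient app and opens no network connection itself.
        Intent send = buildShareIntent("Hello from an app with no INTERNET permission");

        // The system resolves which installed apps advertise an activity for
        // ACTION_SEND with MIME type text/plain. This list is what the user
        // controls by installing or uninstalling handler apps.
        List<String> handlers = listHandlerPackages(send);

        if (handlers.isEmpty()) {
            // Nothing can receive the share; the delegation simply cannot happen.
            return;
        }

        // The chooser lets the user pick the receiving app. Control transfers
        // to that app, which acts with its own permissions, not this app's.
        startActivity(Intent.createChooser(send, "Share via"));
    }

    // Build an ACTION_SEND intent carrying plain text in EXTRA_TEXT.
    static Intent buildShareIntent(String text) {
        Intent intent = new Intent(Intent.ACTION_SEND);
        intent.setType("text/plain");
        intent.putExtra(Intent.EXTRA_TEXT, text);
        return intent;
    }

    // Ask the package manager which activities can handle the intent and
    // return their package names, e.g. for logging or for a policy check.
    List<String> listHandlerPackages(Intent intent) {
        PackageManager pm = getPackageManager();
        List<ResolveInfo> infos = pm.queryIntentActivities(intent, 0);
        List<String> packages = new ArrayList<>();
        for (ResolveInfo info : infos) {
            packages.add(info.activityInfo.packageName);
        }
        return packages;
    }
}
```

The security-relevant point is where the trust boundary sits: the sending app
supplies only data, the receiving app is chosen by the user and runs under its
own permission set, and the set of possible receivers is exactly the set of
installed apps that declared a matching intent filter.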

~~~
fpgeek
Interesting point. Sometimes I find myself wanting to keep the app, but drop
the intent. Usually that is to shorten a list, but not always. I'd love to see
low-level intent-blocking (as well as low-level, fine-grained permissions
blocking, but that's a whole other story).

------
gcp
That's only the Pwnium hack, though. The Pwn2Own vulnerability remains
undisclosed and unfixed.

Which leads me to the question: why aren't companies like Google customers of
companies like Vupen? Too many of them to make it cost-effective? Or does
Vupen (for example) prefer if those holes are _not_ fixed? You can sell a
vulnerability many times, after all.

~~~
throwaway3823
Vupen sells 0day exploits so that they can be used to attack people:
http://www.vupen.com/english/services/lea-index.php

A patched vulnerability would not be worth nearly as much to them and their
customers.

P.S. Vupen sells to ASEAN. ASEAN includes Burma (Myanmar). Burma is not a
happy place.

~~~
dhbanes
How hard would it be for Google to be a customer of Vupen without representing
themselves as Google?

