Google says that it will wait to see what transpires at a New Delhi hacking conference this week before responding to a researcher’s claim that he has discovered a remotely exploitable vulnerability in its Chrome web browser.

Speaking with Security Ledger, Google spokeswoman Jessica Kositz said that the company was aware of claims by Georgian researcher Ucha Gobejishvili that he has discovered a previously unknown (zero day) security hole in Chrome and will demonstrate it at this week’s MalCon hacking conference.
Gobejishvili described the security hole in Chrome as a “critical vulnerability.” “It has silent and automatically (sp) download function…and it works on all Windows systems,” he told Security Ledger in an online chat session.
While the Tbilisi-based researcher won’t say much about the hole, he told Security Ledger that he discovered it in July. The vulnerability is in a DLL (dynamic link library) that is part of the browser and could potentially work on other platforms, though he will demonstrate it on a Windows system. The hole, if exploited, could allow a remote attacker to place and run a malicious executable file on the vulnerable system, he said. Beyond that, Gobejishvili said that the exploit will work even on the latest version of Chrome.
However, more than a few questions hang over Gobejishvili’s talk. The researcher said he will demonstrate the exploit at MalCon, and have a “general discussion” about it, but won’t release source code for it. “I know this is a very dangerous issue…that’s why I am not publishing more details about this vulnerability,” he wrote.
But Gobejishvili also said he has not made any attempt to inform Google about the vulnerability and will not publish any details of the zero day hole even after his presentation.
“Google knows that they have issue in chrome product,” he wrote.
But that wasn’t the line from Mountain View, where Google’s spokeswoman said the company knew of Gobejishvili from past interactions, but that it had not heard from the researcher regarding the Chrome issue.
“We still haven’t seen anything about what he’ll say next week,” said Kositz. As a result, Google will wait and see what Gobejishvili presents at MalCon, which is scheduled for Saturday, November 24.
The researcher’s behavior is unusual, to say the least. Google offers monetary rewards for vulnerabilities, and pays top dollar for remotely exploitable holes. In October, the company pledged $2 million in prizes to the winners of Pwnium 2, an annual hacking contest that takes place at the Hack in the Box security conference in Malaysia. The company paid a top prize of $60,000 to the hacker who goes by the handle “Pinkie Pie” for a hack that exploited two native Chrome vulnerabilities to enable an attacker to circumvent the Chrome application sandbox. Google then issued a patch for the hole within 24 hours.
Rajshekhar Murthy, Conference Chair for the show, said that, given the value of Chrome zero days, Gobejishvili’s reticence is a mystery.
“It is surprising that he is not selling it to Google (who can pay millions of dollars – even through pwnie contests).. and not even selling it to any intelligence agencies from various places who have offered it to buy it at an amazing price.. even I’m stumped,” he wrote.
looooooooool. This guy is clueless, I’m impressed he knows what a DLL is.
To call this guy a security researcher is like calling Kermit a professor of accountancy.
He likes to find “security flaws” which he emails the site about. When they ignore his email (since it’s usually based on a complete misunderstanding of security or browsers), he then publishes it to Softpedia, where it seems editorial standards must be as lax as his security abilities.
Every single report he’s made against Chrome has been rejected so far for not being valid; he shows a misunderstanding of the most basic fundamentals:
https://code.google.com/p/chromium/issues/list?can=1&q=reporter%3Alongrifle0x
You forgot to mention this:
http://www.google.com/about/company/halloffame.html
http://technet.microsoft.com/en-us/security/cc308575.aspx
http://support.apple.com/kb/HT1318
https://www.facebook.com/whitehat
https://twitter.com/about/security
http://pages.ebay.com/securitycenter/ResearchersAcknowledgement.html
http://www.adobe.com/support/security/bulletins/securityacknowledgments.html
Some of those pages don’t exist and some don’t mention him. Only one indicates how he helped them, which was to find a Cross Site Scripting flaw. Not rocket science, and I suspect that’s how he helped the others too.
There is a world of difference between a script kiddie finding an XSS flaw and reporting it, and a “security researcher”, or apparently in finding a 0 day. Surprise, surprise he didn’t turn up to present at MalCon.
His complete lack of understanding of simple browser security models evidenced in his chrome defect reports points to someone who is blowing their own horn when calling themselves a security researcher.
All the pages exist, check it on Google:
site:ebay.com ResearchersAcknowledgement.html
site:adobe.com securityacknowledgments.html
Twitter do not mention him because he cancelled his account.
Just to be clear, I am not disputing his ability to call himself a “white hat”. He finds site vulnerabilities, and discloses them to the site owner. All power to him for that.
The problem is that his understanding of security issues seems to be limited to simple website flaws, and he’s arrogantly thinking that this gives him skills in taking down browsers and OSs, which are FAR more hardened.
So far, his efforts have been futile, and his trumpet blowing has been deafening. Ease up on the trumpet, and spend the time to learn a bit more, and he could very well become a top security researcher.
We have an update on MalCon 2012. We contacted the event organizers, and they have confirmed to us that Ucha failed to attend the event.
More info here: http://forums.browserfame.com/20121126/malcon-2012-update/
Just to be clear – this story isn’t about trashing Ucha. It’s really about that Chrome 0day which, if it exists, would be a big deal. We take Ucha at his word that he has it and hope that he takes the opportunity to disclose the vulnerability – if not to the public, then at least to the folks at GOOG.