Questions, Doubts greet Researcher’s Claim to have Chrome Zero Day

Google says that it will wait to see what transpires at a New Delhi hacking conference this week before responding to a researcher’s claim that he has discovered a remotely exploitable vulnerability in its Chrome web browser.

Ucha Gobejishvili says he will demonstrate a remotely exploitable hole in the Chrome web browser at a New Delhi hacking conference on Saturday.

Speaking with Security Ledger, Google spokeswoman Jessica Kositz said that the company was aware of claims by Georgian researcher Ucha Gobejishvili that he has discovered a previously unknown (zero day) security hole in Chrome and will demonstrate it at this week’s MalCon hacking conference.

Gobejishvili described the security hole in Chrome as a “critical vulnerability.” “It has silent and automatically (sp) download function…and it works on all Windows systems,” he told Security Ledger in an online chat session.

While the Tbilisi-based researcher won’t say much about the hole, he told Security Ledger that he discovered it in July. The vulnerability is in a DLL (dynamic link library) that is part of the browser and could potentially work on other platforms, though he will demonstrate it on a Windows system. The hole, if exploited, could allow a remote attacker to place and run a malicious executable file on the vulnerable system, he said. Beyond that, Gobejishvili said that the exploit will work even on the latest version of Chrome.

However, more than a few questions hang over Gobejishvili’s talk. The researcher said he will demonstrate the exploit at MalCon, and have a “general discussion” about it, but won’t release source code for it. “I know this is a very dangerous issue…that’s why I am not publishing more details about this vulnerability,” he wrote.

But Gobejishvili also said he has not made any attempt to inform Google about the vulnerability and will not publish any details of the zero day hole even after his presentation.

“Google knows that they have issue in chrome product,” he wrote.

But that wasn’t the line from Mountain View, where Google’s spokeswoman said the company knew of Gobejishvili from past interactions, but that it had not heard from the researcher regarding the Chrome issue.

“We still haven’t seen anything about what he’ll say next week,” said Kositz. As a result, Google will wait and see what Gobejishvili presents at MalCon, which is scheduled for Saturday, November 24.

The researcher’s behavior is unusual, to say the least. Google offers monetary rewards for vulnerabilities, and pays top dollar for remotely exploitable holes. In October, the company pledged $2 million in prizes to the winners of Pwnium 2, an annual hacking contest that takes place at the Hack in the Box security conference in Malaysia. The company paid a top prize of $60,000 to the hacker who goes by the handle “Pinkie Pie” for a hack that exploited two native Chrome vulnerabilities to enable an attacker to circumvent the Chrome application sandbox. Google then issued a patch for the hole within 24 hours.

Rajshekhar Murthy, Conference Chair for the show, said that, given the value of Chrome zero days, Gobejishvili’s reticence is a mystery.

“It is surprising that he is not selling it to Google (who can pay millions of dollars – even through pwnie contests).. and not even selling it to any intelligence agencies from various places who have offered it to buy it at an amazing price.. even I’m stumped,” he wrote.

16 Comments

  1. looooooooool. This guy is clueless, I’m impressed he knows what a DLL is.

  2. To call this guy a security researcher is like calling Kermit a professor of accountancy.

    He likes to find “security flaws” which he emails the site about. When they ignore his email (since it’s usually based on a complete misunderstanding of security or browsers), he then publishes it to Softpedia, where it seems editorial standards must be as lax as his security abilities.

    Every single report he’s made against Chrome has been rejected so far for not being valid; he shows a misunderstanding of the most basic fundamentals:
    https://code.google.com/p/chromium/issues/list?can=1&q=reporter%3Alongrifle0x

  8. We have an update on MalCon 2012. We contacted the event organizers, and they have confirmed to us that Ucha failed to attend the event.

    More info here: http://forums.browserfame.com/20121126/malcon-2012-update/

  10. Just to be clear – this story isn’t about trashing Ucha. It’s really about that Chrome 0day which, if it exists, would be a big deal. We take Ucha at his word that he has it and hope that he takes the opportunity to disclose the vulnerability – if not to the public, then at least to the folks at GOOG.
