Chrome 0Day A No-Show At Security Con

A planned talk that was to unveil a new and previously unknown (or “zero day”) vulnerability in Google’s Chrome web browser was cancelled on Saturday after the researcher, Ucha Gobejishvili, backed out, citing difficulties obtaining a visa to travel to New Delhi, India, where the Malcon hacking conference was held.

The organizer of Malcon, Rajshekhar Murthy, confirmed in an email to Security Ledger that Gobejishvili cancelled his talk at the last minute.

“(Ucha) did not come at (sp) the conference due to visa issues in the last minute,” Rajshekhar Murthy wrote in an e-mail to Security Ledger on Monday. “The issue stated was he was called in last minute (sp) by the military for compulsory service which conflicted with our event dates.”

Gobejishvili did not respond to e-mail and instant message requests for comment.

In a conversation with Security Ledger last week, he said he would use his talk at Malcon to discuss a security hole in Chrome that he called a “critical vulnerability.” “It has silent and automatically (sp) download function…and it works on all Windows systems,” he told Security Ledger in an online chat session.

The Tbilisi-based researcher told Security Ledger that the vulnerability is in a DLL (dynamic link library) that is part of the browser, and that it works on Windows systems running Chrome and on other platforms as well. The hole, if exploited, could allow a remote attacker to place and run a malicious executable file on the vulnerable system, Gobejishvili said.

As we noted last week, however, there were questions about Gobejishvili’s presentation from Google and others. The researcher said he would demonstrate an exploit – but not release proof of concept code for it that could be independently verified. He also declined to give Google any information about the hole, despite claims that he discovered it in July.

A copy of Gobejishvili’s presentation slides reveals little about the specifics of the exploit, which Gobejishvili dubbed “Calypso,” beyond a YouTube video that purports to show the exploit being used to run malicious code in the Chrome browser.

Murthy said that Gobejishvili’s travels were complicated by the fact that India does not maintain an embassy in his native Georgia. “The nearest one is at Armenia – that (sp) has issues with Georgia I am told. His family was not willing to allow him to travel overnight in train to apply for VISA in Armenia due to security concerns,” Murthy wrote.

Gobejishvili isn’t unknown in security circles. He has previously been credited with discovering vulnerabilities in popular Web sites and applications, including cross-site scripting and SQL injection vulnerabilities in Yahoo!’s web site, Google Earth and MySQL.com.

Breaking the security of Google’s Chrome browser is another matter entirely – a challenge that stumps some of the world’s top researchers. In just the latest example, Google offered up more than $2 million in bounties for exploitable holes in Chrome in the 2012 Pwnium hacking contest, but paid out only $60,000 for one remotely exploitable hole, demonstrated by the hacker known as “Pinkie Pie.”
