Questions, Doubts greet Researcher’s Claim to have Chrome Zero Day

Posted by: Paul | November 21, 2012 12:05 | 8 comments

Google says that it will wait to see what transpires at a New Delhi hacking conference this week before responding to a researcher’s claim that he has discovered a remotely exploitable vulnerability in its Chrome web browser.

Ucha Gobejishvili says he will demonstrate a remotely exploitable hole in the Chrome web browser at a New Delhi hacking conference on Saturday.

Speaking with Security Ledger, Google spokeswoman Jessica Kositz said that the company was aware of claims by Georgian researcher Ucha Gobejishvili that he has discovered a previously unknown (zero day) security hole in Chrome and will demonstrate it at this week’s MalCon hacking conference.

Gobejishvili described the security hole in Chrome as a “critical vulnerability.” “It has silent and automatically (sp) download function…and it works on all Windows systems” he told Security Ledger in an online chat session.

While the Tbilisi-based researcher won’t say much about the hole, he told Security Ledger that he discovered it in July. The vulnerability is in a DLL (dynamic link library) that is part of the browser and could potentially work on other platforms, though he will demonstrate it on a Windows system. The hole, if exploited, could allow a remote attacker to place and run a malicious executable file on the vulnerable system, he said. Beyond that, Gobejishvili said that the exploit will work even on the latest version of Chrome.

However, more than a few questions hang over Gobejishvili’s talk. The researcher said he will demonstrate the exploit at MalCon, and have a “general discussion” about it, but won’t release source code for it. “I know this is a very dangerous issue…that’s why I am not publishing more details about this vulnerability,” he wrote.

But Gobejishvili also said he has not made any attempt to inform Google about the vulnerability and will not publish any details of the zero day hole even after his presentation.

“Google knows that they have issue in chrome product,” he wrote.

But that wasn’t the line from Mountain View, where Google’s spokeswoman said the company knew of Gobejishvili from past interactions, but that it had not heard from the researcher regarding the Chrome issue.

“We still haven’t seen anything about what he’ll say next week,” said Kositz. As a result, Google will wait and see what Gobejishvili presents at MalCon, which is scheduled for Saturday, November 24.

The researcher’s behavior is unusual, to say the least. Google offers monetary rewards for vulnerabilities, and pays top dollar for remotely exploitable holes. In October, the company pledged $2 million in prizes to the winners of Pwnium 2, an annual hacking contest that takes place at the Hack in the Box security conference in Malaysia. The company paid a top prize of $60,000 to the hacker who goes by the handle “Pinkie Pie” for a hack that exploited two native Chrome vulnerabilities to enable an attacker to circumvent the Chrome application sandbox. Google then issued a patch for the hole within 24 hours.

Rajshekhar Murthy, Conference Chair for the show, said that, given the value of Chrome zero days, Gobejishvili’s reticence is a mystery.

“It is surprising that he is not selling it to Google (who can pay millions of dollars – even through pwnie contests).. and not even selling it to any intelligence agencies from various places who have offered it to buy it at an amazing price.. even I’m stumped,” he wrote.