Re: [Full-disclosure] Google Chrome Browser Vulnerability
n3td3v wrote: On Thu, Sep 4, 2008 at 5:46 PM, Chris Pritchard [EMAIL PROTECTED] wrote: I don't think it's your list, and even if it was, you didn't have to be so rude about it Its Gadi Evron's list because Mossad told him to make it so. Who's really in control of the propaganda on this mailing list, Gadi Evron, he gets quoted in all the journalist articles as soon as he spams some new claim about which country is to blame for a cyber attack, and the journalists believe him, then it becomes the true version of events... even if its not really. Thats why I think its time for journalists to rethink who the trusted security professionals are and who is gaming the system for political outcomes, that an intelligence agency has told them to make happen. Its true that Full-Disclosure is a powerful platform, and all it needs is a couple of Gadi Evron's and Dancho Danchev's spamming what the truth is and everyone goes with it. I find it suspicious that Dancho Danchev was a standard blogspot blogger one week, then after about two posts on Full-Disclosure was suddenly upgraded to the Zdnet zero-day blog... splitting out more information about cyber attacks and which country is to blame. We've got to keep an eye on the so-called trusted security professionals now, because they are trying to game the system for a political end, the intelligence services in U.S are responsible for a number of cyber attacks, which have been blamed on other countries and entities. I post proof that Marcus Sachs wants to influence the political system in America at the highest level of government, so his group can get lots of money. So we know the mind set which is going on right now, so its not like I haven't post proof, intelligence agencies and certain trusted security professionals want control of cyber and they will do anything they can to get it. We must proceed with caution and think carefully about who is telling the truth before quoting trusted security professionals from now on. The Marcus Sachs Youtube video is extremely damaging for the security industry, what the true intentions are of some people and how power hungry they are. Would Marcus Sachs, Gadi Evron and Dancho Danchev etc tell a lie to become more powerful, you bet they would, especially if being leaned on by certain rogue elements of the intelligence agencies. The truth is, there are people out there looking to ramp up cyber security as a national security agenda, even though naturally cyber security is no where near being a national security issue, they still want to ramp it up anyway because it will give them power and money in an area that has yet to be decided upon. Cyber is like a new area, and folks are racing to become the leaders of cyber before one another, thats why its a dangerous time right now and there is lots of propaganda flying around the mailing lists as soon as a cyber attack happens, which are probably false flags anyway created by the very people who are on Youtube videos looking for ways to become powerful with lots of money. I found the Cnet news article that goes with the Youtube video, we have *some* of the people that are power hungry in the photograph thats on the Cnet News article. 'Cybersecurity commission' to proffer advice to next president http://news.cnet.com/8301-13578_3-10009603-38.html We've got to follow these people around in real life, monitor their internet connection and phone calls to see who are have discussions with, so no foul play happens because they are so desperate to impress the next administration. All the best, n3td3v How does this pertain to the Google Chrome Browser vuln? We all know that Evron is a moronic jew, who cares? ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Google Chrome Browser Vulnerability
Well, things keep happening to Safari as a matter of fact. On 9/3/08, James Matthews [EMAIL PROTECTED] wrote: The same thing happened to safari when it came out on windows. On Tue, Sep 2, 2008 at 5:13 PM, Larry Seltzer [EMAIL PROTECTED] wrote: Holy crap, a crash bug in a beta browser! Larry Seltzer eWEEK.com Security Center Editor http://security.eweek.com/ http://blogs.pcmag.com/securitywatch/ Contributing Editor, PC Magazine [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rishi Narang Sent: Tuesday, September 02, 2008 7:51 PM To: full-disclosure@lists.grok.org.uk Subject: [Full-disclosure] Google Chrome Browser Vulnerability Hi, --- Software: Google Chrome Browser 0.2.149.27 Tested: Windows XP Professional SP3 Result: Google Chrome Crashes with All Tabs Problem: An issue exists in how chrome behaves with undefined-handlers in chrome.dll version 0.2.149.27. A crash can result without user interaction. When a user is made to visit a malicious link, which has an undefined handler followed by a 'special' character, the chrome crashes with a Google Chrome message window Whoa! Google Chrome has crashed. Restart now?. It fails in dealing with the POP EBP instruction when pointed out by the EIP register at 0x01002FF4. Proof of Concept: http://evilfingers.com/advisory/google_chrome_poc.php Credit: Rishi Narang (psy.echo) www.greyhat.in www.evilfingers.com --- -- Thanks Regards, Rishi Narang | Security Researcher Founder, GREYHAT Insight Key: 0x8D67A3A3 (www.greyhat.in/key.asc) www.greyhat.in ... eschew obfuscation, espouse elucidation. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ -- http://www.goldwatches.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ -- Marcio Barbado, Jr. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Google Chrome Browser Vulnerability
On Fri, Sep 5, 2008 at 8:10 PM, hannibal [EMAIL PROTECTED] wrote: We all know that Evron is a moronic jew, who cares? How should the community deal with Gadi Evron emails? Should we be shooting for a complete ban of cyber politics as well as normal politics which is already banned? If people want to talk cyber politics then the community could setup a cyber-politics mailing list so we can rant to each other all day about cyber politics. And it would get Gadi Evron and n3td3v off Full-Disclosure, and thats got to be a good thing. All the best, n3td3v ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Google Chrome Browser Vulnerability
FYI: This was assigned to BID30983: http://www.securityfocus.com/bid/30983 Juha-Matti Rishi Narang [EMAIL PROTECTED] wrote: Hi, Time can definitely plays a major role. There was a collision that occurred due to the fact that I took time to find the real break point in the code, search for a template and to publish at EvilFingers site before sending it to Google and other bugtraqs. Even though I had the vulnerability 4 hrs well before the real publication of the bug and had the exploit along with the some crash details like int 3 Kernel Exception/Trap @ 0x01002FF3, different attack cases, exceptions of http/ftp and further debug logs; there was this bug published (though without the details of possible cases, exceptions and mouse hover techniques) couple of hours before I released it out at EvilFingers. So, I would like to convey due credit to Mr. JanDeMooij as well for his posting the bug on http://code.google.com/p/chromium/issues/detail?id=122, and thanks to Mr. Brennan for contacting me about the same. -- Thanks Regards, Rishi Narang | Security Researcher Founder, GREYHAT Insight Key: 0x8D67A3A3 (www.greyhat.in/key.asc) www.greyhat.in .. eschew obfuscation, espouse elucidation. Wednesday, September 3, 2008, 5:43:40 AM, you wrote: -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rishi Narang Sent: Tuesday, September 02, 2008 7:51 PM To: full-disclosure@lists.grok.org.uk Subject: [Full-disclosure] Google Chrome Browser Vulnerability Hi, --- Software: Google Chrome Browser 0.2.149.27 Tested: Windows XP Professional SP3 Result: Google Chrome Crashes with All Tabs Problem: An issue exists in how chrome behaves with undefined-handlers in chrome.dll version 0.2.149.27. A crash can result without user interaction. When a user is made to visit a malicious link, which has an undefined handler followed by a 'special' character, the chrome crashes with a Google Chrome message window Whoa! Google Chrome has crashed. Restart now?. It fails in dealing with the POP EBP instruction when pointed out by the EIP register at 0x01002FF4. Proof of Concept: http://evilfingers.com/advisory/google_chrome_poc.php Credit: Rishi Narang (psy.echo) www.greyhat.in www.evilfingers.com --- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Google Chrome Browser Vulnerability
dear god people, I've got null ptr derefs in firefox but I don't make full disclosure posts about them. I care about them nearly as much as vulnz in a browser no one uses for more than 5 minutes. Get the fuck off my list. 2008/9/4 Juha-Matti Laurio [EMAIL PROTECTED]: FYI: This was assigned to BID30983: http://www.securityfocus.com/bid/30983 Juha-Matti Rishi Narang [EMAIL PROTECTED] wrote: Hi, Time can definitely plays a major role. There was a collision that occurred due to the fact that I took time to find the real break point in the code, search for a template and to publish at EvilFingers site before sending it to Google and other bugtraqs. Even though I had the vulnerability 4 hrs well before the real publication of the bug and had the exploit along with the some crash details like int 3 Kernel Exception/Trap @ 0x01002FF3, different attack cases, exceptions of http/ftp and further debug logs; there was this bug published (though without the details of possible cases, exceptions and mouse hover techniques) couple of hours before I released it out at EvilFingers. So, I would like to convey due credit to Mr. JanDeMooij as well for his posting the bug on http://code.google.com/p/chromium/issues/detail?id=122, and thanks to Mr. Brennan for contacting me about the same. -- Thanks Regards, Rishi Narang | Security Researcher Founder, GREYHAT Insight Key: 0x8D67A3A3 (www.greyhat.in/key.asc) www.greyhat.in .. eschew obfuscation, espouse elucidation. Wednesday, September 3, 2008, 5:43:40 AM, you wrote: -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rishi Narang Sent: Tuesday, September 02, 2008 7:51 PM To: full-disclosure@lists.grok.org.uk Subject: [Full-disclosure] Google Chrome Browser Vulnerability Hi, --- Software: Google Chrome Browser 0.2.149.27 Tested: Windows XP Professional SP3 Result: Google Chrome Crashes with All Tabs Problem: An issue exists in how chrome behaves with undefined-handlers in chrome.dll version 0.2.149.27. A crash can result without user interaction. When a user is made to visit a malicious link, which has an undefined handler followed by a 'special' character, the chrome crashes with a Google Chrome message window Whoa! Google Chrome has crashed. Restart now?. It fails in dealing with the POP EBP instruction when pointed out by the EIP register at 0x01002FF4. Proof of Concept: http://evilfingers.com/advisory/google_chrome_poc.php Credit: Rishi Narang (psy.echo) www.greyhat.in www.evilfingers.com --- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Google Chrome Browser Vulnerability
I don't think it's your list, and even if it was, you didn't have to be so rude about it -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fionnbharr Sent: 04 September 2008 13:33 To: Juha-Matti Laurio Cc: full-disclosure@lists.grok.org.uk; evil fingers Subject: Re: [Full-disclosure] Google Chrome Browser Vulnerability dear god people, I've got null ptr derefs in firefox but I don't make full disclosure posts about them. I care about them nearly as much as vulnz in a browser no one uses for more than 5 minutes. Get the fuck off my list. 2008/9/4 Juha-Matti Laurio [EMAIL PROTECTED]: FYI: This was assigned to BID30983: http://www.securityfocus.com/bid/30983 Juha-Matti Rishi Narang [EMAIL PROTECTED] wrote: Hi, Time can definitely plays a major role. There was a collision that occurred due to the fact that I took time to find the real break point in the code, search for a template and to publish at EvilFingers site before sending it to Google and other bugtraqs. Even though I had the vulnerability 4 hrs well before the real publication of the bug and had the exploit along with the some crash details like int 3 Kernel Exception/Trap @ 0x01002FF3, different attack cases, exceptions of http/ftp and further debug logs; there was this bug published (though without the details of possible cases, exceptions and mouse hover techniques) couple of hours before I released it out at EvilFingers. So, I would like to convey due credit to Mr. JanDeMooij as well for his posting the bug on http://code.google.com/p/chromium/issues/detail?id=122, and thanks to Mr. Brennan for contacting me about the same. -- Thanks Regards, Rishi Narang | Security Researcher Founder, GREYHAT Insight Key: 0x8D67A3A3 (www.greyhat.in/key.asc) www.greyhat.in .. eschew obfuscation, espouse elucidation. Wednesday, September 3, 2008, 5:43:40 AM, you wrote: -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rishi Narang Sent: Tuesday, September 02, 2008 7:51 PM To: full-disclosure@lists.grok.org.uk Subject: [Full-disclosure] Google Chrome Browser Vulnerability Hi, --- Software: Google Chrome Browser 0.2.149.27 Tested: Windows XP Professional SP3 Result: Google Chrome Crashes with All Tabs Problem: An issue exists in how chrome behaves with undefined-handlers in chrome.dll version 0.2.149.27. A crash can result without user interaction. When a user is made to visit a malicious link, which has an undefined handler followed by a 'special' character, the chrome crashes with a Google Chrome message window Whoa! Google Chrome has crashed. Restart now?. It fails in dealing with the POP EBP instruction when pointed out by the EIP register at 0x01002FF4. Proof of Concept: http://evilfingers.com/advisory/google_chrome_poc.php Credit: Rishi Narang (psy.echo) www.greyhat.in www.evilfingers.com --- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ smime.p7s Description: S/MIME cryptographic signature ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Google Chrome Browser Vulnerability
On Thursday 04 September 2008 13:46:33 Chris Pritchard wrote: I don't think it's your list, and even if it was, you didn't have to be so rude about it I -- as well as many others in the list I'm sure -- have given up on this thread. As usual, its popularity is propotional to how much it sucks. if anyone has anything useful to say please consider creating another thread. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Google Chrome Browser Vulnerability
On Thu, Sep 4, 2008 at 5:46 PM, Chris Pritchard [EMAIL PROTECTED] wrote: I don't think it's your list, and even if it was, you didn't have to be so rude about it Its Gadi Evron's list because Mossad told him to make it so. Who's really in control of the propaganda on this mailing list, Gadi Evron, he gets quoted in all the journalist articles as soon as he spams some new claim about which country is to blame for a cyber attack, and the journalists believe him, then it becomes the true version of events... even if its not really. Thats why I think its time for journalists to rethink who the trusted security professionals are and who is gaming the system for political outcomes, that an intelligence agency has told them to make happen. Its true that Full-Disclosure is a powerful platform, and all it needs is a couple of Gadi Evron's and Dancho Danchev's spamming what the truth is and everyone goes with it. I find it suspicious that Dancho Danchev was a standard blogspot blogger one week, then after about two posts on Full-Disclosure was suddenly upgraded to the Zdnet zero-day blog... splitting out more information about cyber attacks and which country is to blame. We've got to keep an eye on the so-called trusted security professionals now, because they are trying to game the system for a political end, the intelligence services in U.S are responsible for a number of cyber attacks, which have been blamed on other countries and entities. I post proof that Marcus Sachs wants to influence the political system in America at the highest level of government, so his group can get lots of money. So we know the mind set which is going on right now, so its not like I haven't post proof, intelligence agencies and certain trusted security professionals want control of cyber and they will do anything they can to get it. We must proceed with caution and think carefully about who is telling the truth before quoting trusted security professionals from now on. The Marcus Sachs Youtube video is extremely damaging for the security industry, what the true intentions are of some people and how power hungry they are. Would Marcus Sachs, Gadi Evron and Dancho Danchev etc tell a lie to become more powerful, you bet they would, especially if being leaned on by certain rogue elements of the intelligence agencies. The truth is, there are people out there looking to ramp up cyber security as a national security agenda, even though naturally cyber security is no where near being a national security issue, they still want to ramp it up anyway because it will give them power and money in an area that has yet to be decided upon. Cyber is like a new area, and folks are racing to become the leaders of cyber before one another, thats why its a dangerous time right now and there is lots of propaganda flying around the mailing lists as soon as a cyber attack happens, which are probably false flags anyway created by the very people who are on Youtube videos looking for ways to become powerful with lots of money. I found the Cnet news article that goes with the Youtube video, we have *some* of the people that are power hungry in the photograph thats on the Cnet News article. 'Cybersecurity commission' to proffer advice to next president http://news.cnet.com/8301-13578_3-10009603-38.html We've got to follow these people around in real life, monitor their internet connection and phone calls to see who are have discussions with, so no foul play happens because they are so desperate to impress the next administration. All the best, n3td3v ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Google Chrome Browser Vulnerability
On 02 Sep 08, at 21:48, Paul Ferguson wrote: - -- James Matthews [EMAIL PROTECTED] wrote: The same thing happened to safari when it came out on windows. Well, no kidding. :-) Maybe the flaws that will hound Chrome are due to the fact that it uses Safari as a codebase? WebKit != Safari. Security-related bugs in rendering engines are pretty uncommon. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Google Chrome Browser Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - -- Andrew Farmer [EMAIL PROTECTED] wrote: On 02 Sep 08, at 21:48, Paul Ferguson wrote: - -- James Matthews [EMAIL PROTECTED] wrote: The same thing happened to safari when it came out on windows. Well, no kidding. :-) Maybe the flaws that will hound Chrome are due to the fact that it uses Safari as a codebase? WebKit != Safari. Security-related bugs in rendering engines are pretty uncommon. Okay, well you cannot deny this is a lackluster starting point. I hope Google can use this inauspicious starting point to build the advertising empire they desire. I for one do not welcome the advertisement overlords. - - ferg -BEGIN PGP SIGNATURE- Version: PGP Desktop 9.6.3 (Build 3017) wj8DBQFIvj6aq1pz9mNUZTMRAgEKAKC8rCgCiSPDcSLX8sAe1/ZJRR4fDACeIq9x X1b4Rd9bxRevUo78azKBi5o= =ic8T -END PGP SIGNATURE- -- Fergie, a.k.a. Paul Ferguson Engineering Architecture for the Internet fergdawg(at)netzero.net ferg's tech blog: http://fergdawg.blogspot.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Google Chrome Browser Vulnerability
On Wed, Sep 3, 2008 at 5:37 PM, Paul Ferguson [EMAIL PROTECTED] wrote: Okay, well you cannot deny this is a lackluster starting point. I hope Google can use this inauspicious starting point to build the advertising empire they desire. I for one do not welcome the advertisement overlords. you're not the only one; don't worry. - - ferg -BEGIN PGP SIGNATURE- Version: PGP Desktop 9.6.3 (Build 3017) wj8DBQFIvj6aq1pz9mNUZTMRAgEKAKC8rCgCiSPDcSLX8sAe1/ZJRR4fDACeIq9x X1b4Rd9bxRevUo78azKBi5o= =ic8T -END PGP SIGNATURE- -- Fergie, a.k.a. Paul Ferguson Engineering Architecture for the Internet fergdawg(at)netzero.net ferg's tech blog: http://fergdawg.blogspot.com/ -- noon silky http://www.themonkeynet.com/armada/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Google Chrome Browser Vulnerability
On Wed, Sep 3, 2008 at 8:52 AM, silky [EMAIL PROTECTED] wrote: On Wed, Sep 3, 2008 at 5:37 PM, Paul Ferguson [EMAIL PROTECTED] wrote: Okay, well you cannot deny this is a lackluster starting point. I hope Google can use this inauspicious starting point to build the advertising empire they desire. I for one do not welcome the advertisement overlords. you're not the only one; don't worry. - - ferg I think the world's biggest hacker HD Moore will be releasing exploits for the browser soon, you know what he's like, so you shouldn't need to worry. All the best, n3td3v ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Google Chrome Browser Vulnerability
PT: FODA-SE! 1) Perdao, mas eu nao vi em nenhum lugar voce ajudando em coisa alguma. 2) Eu falo e escrevo em portugues, estou no Brasil. Obrigado mas eu nao quero postar coisas em ingles para quem quer que seja ler. Urlan On Wed, Sep 3, 2008 at 12:18 AM, The Mad Hatter [EMAIL PROTECTED] wrote: On Tuesday 02 September 2008 23:28:33 Urlan wrote: Por que todo esse alvoroço por causa de um bug na versão beta?! pt: não seja tão imbecil en: don't be such a moron you are lame twice; first for posting in portuguese, then for giving a stupid negative contribution to the thread. if you don't have shit to say at least don't say shit. -- tmh ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Google Chrome Browser Vulnerability
shut the fuck up From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Urlan Sent: 3. september 2008 14:37 To: The Mad Hatter Cc: full-disclosure@lists.grok.org.uk Subject: Re: [Full-disclosure] Google Chrome Browser Vulnerability PT: FODA-SE! 1) Perdao, mas eu nao vi em nenhum lugar voce ajudando em coisa alguma. 2) Eu falo e escrevo em portugues, estou no Brasil. Obrigado mas eu nao quero postar coisas em ingles para quem quer que seja ler. Urlan On Wed, Sep 3, 2008 at 12:18 AM, The Mad Hatter [EMAIL PROTECTED] wrote: On Tuesday 02 September 2008 23:28:33 Urlan wrote: Por que todo esse alvoroço por causa de um bug na versão beta?! pt: não seja tão imbecil en: don't be such a moron you are lame twice; first for posting in portuguese, then for giving a stupid negative contribution to the thread. if you don't have shit to say at least don't say shit. -- tmh ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Google Chrome Browser Vulnerability
Sorry for my mistake. Urlan 2008/9/3 Fabio N Sarmento [ Gmail ] [EMAIL PROTECTED] So what fuck are you doing here? This list speak english, if you dont want to, get out. 2008/9/3 Urlan [EMAIL PROTECTED] PT: FODA-SE! 1) Perdao, mas eu nao vi em nenhum lugar voce ajudando em coisa alguma. 2) Eu falo e escrevo em portugues, estou no Brasil. Obrigado mas eu nao quero postar coisas em ingles para quem quer que seja ler. Urlan On Wed, Sep 3, 2008 at 12:18 AM, The Mad Hatter [EMAIL PROTECTED] wrote: On Tuesday 02 September 2008 23:28:33 Urlan wrote: Por que todo esse alvoroço por causa de um bug na versão beta?! pt: não seja tão imbecil en: don't be such a moron you are lame twice; first for posting in portuguese, then for giving a stupid negative contribution to the thread. if you don't have shit to say at least don't say shit. -- tmh ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ -- Em caso de dúvidas estou a disposição + Coordialmente, + Fábio N Sarmento ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Google Chrome Browser Vulnerability
So what fuck are you doing here? This list speak english, if you dont want to, get out. 2008/9/3 Urlan [EMAIL PROTECTED] PT: FODA-SE! 1) Perdao, mas eu nao vi em nenhum lugar voce ajudando em coisa alguma. 2) Eu falo e escrevo em portugues, estou no Brasil. Obrigado mas eu nao quero postar coisas em ingles para quem quer que seja ler. Urlan On Wed, Sep 3, 2008 at 12:18 AM, The Mad Hatter [EMAIL PROTECTED] wrote: On Tuesday 02 September 2008 23:28:33 Urlan wrote: Por que todo esse alvoroço por causa de um bug na versão beta?! pt: não seja tão imbecil en: don't be such a moron you are lame twice; first for posting in portuguese, then for giving a stupid negative contribution to the thread. if you don't have shit to say at least don't say shit. -- tmh ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ -- Em caso de dúvidas estou a disposição + Coordialmente, + Fábio N Sarmento ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Google Chrome Browser Vulnerability
On Wed, 03 Sep 2008 10:04:43 BST, n3td3v said: I think the world's biggest hacker HD Moore HD is incredibly talented, and deserves a round of applause for Metasploit. However, a minute's thought will show that we don't have a fucking *clue* who the world's biggest hacker is. We have plenty of candidates for biggest hacker who screwed up and got caught and biggest hacker who blabbed to his friends. But just as any ninja you actually see isn't a very good ninja, we won't know who the biggest hacker is. I'd place bets that whoever it is, they're on the RBN payroll... pgpnY5c9esXzx.pgp Description: PGP signature ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Google Chrome Browser Vulnerability
On 9/3/08, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: ... I'd place bets that whoever it is, they're on the RBN payroll... ... If they really were the biggest hacker, why on earth would they work for a large group that would merely dull their shine and take from their profits, etc. No, the biggest hacker works alone, because he, or she (zomg!), doesn't really need anyone else. -- Razi ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Google Chrome Browser Vulnerability
On Wed, Sep 3, 2008 at 5:06 PM, [EMAIL PROTECTED] wrote: I'd place bets that whoever it is, they're on the RBN payroll... I thought a high ranking security professional like yourself would stick to facts, not the latest disinformation handed out by so-called trusted security professionals. Marcus Sachs is good at it, Sans is good at it. We already know the CIA use Sans for it, http://www.securityfocus.com/brief/666. Yet you continue to hang out with them on #dshield on Freenode. You are being led up a garden path by power hungry folks feeding the media news about anything they can orchestrate to ramp up cyber security as a national security agenda item as the next administration is coming in so they can become more powerful in Washington, yet you still trust them. Stop playing into the hands of these guys and have your own opinion about things, unless you two are part of the power hungry cyber security circle of folks who are trying to artificially ramp up and put infront of the media a common cyber enemy, as the next administration is coming in. We will never forget the Youtube video...How do we put it infront of the media and get their attention? We can get Valdis to keep repeating an artificial common cyber enemy and have Valdis put random comments on the mailing lists? We all know you hang out with the power hungries because i've idled on #dshield and seen you, and it wouldn't suprise me if you were at that particular speech Marcus Sachs did. No one believes what you say anymore Valdis, you're part of the group who is trying to get the attention of the next administration as they are coming in and 100 days after the next president is in the White House. The Youtube video says it all about what's going on in the world and everything thats wrong with it. Don't be part of the corruption thats going on Valdis, don't be associated with the Marcus Sachs's of the world, you don't want to be that type of person, trust me it will get you into a lot of trouble when it comes to building the evidence of who is guilty for what false flags and who was involved in the ground work and propaganda building on the internet. http://www.youtube.com/watch?v=FSUPTZVlkyU ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Google Chrome Browser Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Wed, 03 Sep 2008 14:47:22 -0400 n3td3v [EMAIL PROTECTED] wrote: On Wed, Sep 3, 2008 at 5:06 PM, [EMAIL PROTECTED] wrote: I'd place bets that whoever it is, they're on the RBN payroll... I thought a high ranking security professional like yourself would stick to facts, not the latest disinformation handed out by so- called trusted security professionals. Marcus Sachs is good at it, Sans is good at it. We already know the CIA use Sans for it, http://www.securityfocus.com/brief/666. Yet you continue to hang out with them on #dshield on Freenode. You are being led up a garden path by power hungry folks feeding the media news about anything they can orchestrate to ramp up cyber security as a national security agenda item as the next administration is coming in so they can become more powerful in Washington, yet you still trust them. I'd like to see you provide some proof that this is disinformation aside from your delusional theories. There has been plenty of proof that RBN is a real threat, if you are going to try and call people out on spreading misinformation, then you need to be prepared to present a counter argument proving it is disinformation. Otherwise all you are doing is flapping your mouth off. -BEGIN PGP SIGNATURE- Note: This signature can be verified at https://www.hushtools.com/verify Charset: UTF8 Version: Hush 3.0 wpwEAQMCAAYFAki+3yIACgkQGwcl4JwqQeAHagP/aRprRXQYDWWL6tFJ4Ee+QywkG+dZ GV0HdSOUNQGEGdUygvtjIXztlRZuNza0/eSdDwaxDKoM2POCjpcRXoOfikA419S8XrqA L7gFcL5Xn5I/NFO0sIhH/Co4gtlGdxe6nLNzCNc+8BS4rnf77cSJNGINQpkAfwxsYfiY WnZB+yo= =i1Ep -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Google Chrome Browser Vulnerability
Hi, Time can definitely plays a major role. There was a collision that occurred due to the fact that I took time to find the real break point in the code, search for a template and to publish at EvilFingers site before sending it to Google and other bugtraqs. Even though I had the vulnerability 4 hrs well before the real publication of the bug and had the exploit along with the some crash details like int 3 Kernel Exception/Trap @ 0x01002FF3, different attack cases, exceptions of http/ftp and further debug logs; there was this bug published (though without the details of possible cases, exceptions and mouse hover techniques) couple of hours before I released it out at EvilFingers. So, I would like to convey due credit to Mr. JanDeMooij as well for his posting the bug on http://code.google.com/p/chromium/issues/detail?id=122, and thanks to Mr. Brennan for contacting me about the same. -- Thanks Regards, Rishi Narang | Security Researcher Founder, GREYHAT Insight Key: 0x8D67A3A3 (www.greyhat.in/key.asc) www.greyhat.in ... eschew obfuscation, espouse elucidation. Wednesday, September 3, 2008, 5:43:40 AM, you wrote: -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rishi Narang Sent: Tuesday, September 02, 2008 7:51 PM To: full-disclosure@lists.grok.org.uk Subject: [Full-disclosure] Google Chrome Browser Vulnerability Hi, --- Software: Google Chrome Browser 0.2.149.27 Tested: Windows XP Professional SP3 Result: Google Chrome Crashes with All Tabs Problem: An issue exists in how chrome behaves with undefined-handlers in chrome.dll version 0.2.149.27. A crash can result without user interaction. When a user is made to visit a malicious link, which has an undefined handler followed by a 'special' character, the chrome crashes with a Google Chrome message window Whoa! Google Chrome has crashed. Restart now?. It fails in dealing with the POP EBP instruction when pointed out by the EIP register at 0x01002FF4. Proof of Concept: http://evilfingers.com/advisory/google_chrome_poc.php Credit: Rishi Narang (psy.echo) www.greyhat.in www.evilfingers.com --- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Google Chrome Browser Vulnerability
On Wed, Sep 3, 2008 at 8:01 PM, [EMAIL PROTECTED] wrote: On Wed, 03 Sep 2008 14:47:22 -0400 n3td3v [EMAIL PROTECTED] wrote: On Wed, Sep 3, 2008 at 5:06 PM, [EMAIL PROTECTED] wrote: I'd place bets that whoever it is, they're on the RBN payroll... I thought a high ranking security professional like yourself would stick to facts, not the latest disinformation handed out by so- called trusted security professionals. Marcus Sachs is good at it, Sans is good at it. We already know the CIA use Sans for it, http://www.securityfocus.com/brief/666. Yet you continue to hang out with them on #dshield on Freenode. You are being led up a garden path by power hungry folks feeding the media news about anything they can orchestrate to ramp up cyber security as a national security agenda item as the next administration is coming in so they can become more powerful in Washington, yet you still trust them. I'd like to see you provide some proof that this is disinformation aside from your delusional theories. There has been plenty of proof that RBN is a real threat, if you are going to try and call people out on spreading misinformation, then you need to be prepared to present a counter argument proving it is disinformation. Otherwise all you are doing is flapping your mouth off. The biggest hackers of the world are not in the RBN... this is disinformation. He just made it up because it helps to sex things up to influence the next administration as it is coming in. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Google Chrome Browser Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Even though I had the vulnerability 4 hrs well before the real publication of the bug and had the exploit along with the some crash details like int 3 Kernel Exception/Trap @ 0x01002FF3, different attack cases, exceptions of http/ftp and further debug logs; there was this bug published (though without the details of possible cases, exceptions and mouse hover techniques) couple of hours before I released it out at EvilFingers. This is an out of bounds memory read that crashes the browser. It is a major exaggeration to call this a vulnerability, especially considering this is a beta browser. Not that others haven't already said it, but people never seem to learn that a browser crash is a stability issue, not a security issue. -BEGIN PGP SIGNATURE- Note: This signature can be verified at https://www.hushtools.com/verify Charset: UTF8 Version: Hush 3.0 wpwEAQMCAAYFAki+9g8ACgkQGwcl4JwqQeBgBgP/YGeDE2VtxDaxw4S81LadJc0GbCJo BmkN5g+6VhimPxUwvLgGyYoyaJg+Ab/cPzDELLMfp6h9jV+14jLO+2NYMnM8/G236Xjd sew1u81YXnKUjaDkX0clUT9K9sWkQ2kJwnH6ZbMncnSpTXBLISiXyhoDCvtrdeTI1y8t 9a2kAMc= =ysci -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Google Chrome Browser Vulnerability
This is an out of bounds memory read that crashes the browser. It is a major exaggeration to call this a vulnerability, especially considering this is a beta browser. Not that others haven't already said it, but people never seem to learn that a browser crash is a stability issue, not a security issue. This is a healthy discussion. This topic leads to a very good question. When do we call a bug as a vulnerability and when does an issue really turn out to be a security issue. When we have memory index out of bound error or when we have a OS level code having a out of bound memory error or when we reference an index value that doesn't exist or in many other cases, we do reference it as a vulnerability. So, in such cases where simple bugs and vulnerabilities overlap, is it not good to call it a vulnerability and correct it rather than downgrading from what it should be. I am not saying anything pertaining to this situation or redb0ne's email. It is a really good topic to discuss about. Like what redb0ne has mentioned, we always have 2 subsets. Common bugs that are not security related and something that is a security issue. And the overlap in these two would be bugs that leads to vulnerabilities. Let me know if I am missing something or if you guys know some materials where I can learn such missing gaps. My sincere apologies if this email sounded stupid. Shyaam -BEGIN PGP SIGNATURE- Note: This signature can be verified at https://www.hushtools.com/verify Charset: UTF8 Version: Hush 3.0 wpwEAQMCAAYFAki+9g8ACgkQGwcl4JwqQeBgBgP/YGeDE2VtxDaxw4S81LadJc0GbCJo BmkN5g+6VhimPxUwvLgGyYoyaJg+Ab/cPzDELLMfp6h9jV+14jLO+2NYMnM8/G236Xjd sew1u81YXnKUjaDkX0clUT9K9sWkQ2kJwnH6ZbMncnSpTXBLISiXyhoDCvtrdeTI1y8t 9a2kAMc= =ysci -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Google Chrome Browser Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 My judgment is telling me to just ignore this, but I'll entertain it with one response. On Wed, 03 Sep 2008 20:04:34 -0400 Shyaam [EMAIL PROTECTED] wrote: This is a healthy discussion. This topic leads to a very good question. When do we call a bug as a vulnerability and when does an issue really turn out to be a security issue. When we have memory index out of bound error or when we have a OS level code having a out of bound memory error or when we reference an index value that doesn't exist or in many other cases, we do reference it as a vulnerability. Out of bound array accesses can be vulnerabilities because they can in some cases result in code execution, but not in this case. In this case, it is just an integer underflow that causes a conditional to evaluate to true that shouldn't have and a byte or two of memory being read out of bounds. There is no write, the memory can't be leaked by an attacker, it is simply a crash. You can't even begin to compare a kernel denial of service to a browser crash, killing a browser is a world away from taking down an entire system. Let's face it, the last thing we need is someone whoring out attention for every browser crash they come across. Report it and be done with it, no one cares. -BEGIN PGP SIGNATURE- Charset: UTF8 Version: Hush 3.0 Note: This signature can be verified at https://www.hushtools.com/verify wpwEAQMCAAYFAki/TP0ACgkQGwcl4JwqQeBmIwP+Lx9ie5O6Pg8NsX4oJOnMlbh7AfWe 05CxdoLEkocqs583yuuaDbxokZU8g4dyB+eNYDl0Y2+xT/rJJSQtXRAsVLJ/NJcdUtiA 9xxLWbZMNkUnVXlnggsYBm3rYvS6BRNezy06+SEChczEz5h8sP5AZYeQJuYsCXBG1uYD bzG+j0A= =P0V0 -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Google Chrome Browser Vulnerability
Out of bound array accesses can be vulnerabilities because they can in some cases result in code execution, but not in this case. In this case, it is just an integer underflow that causes a conditional to evaluate to true that shouldn't have and a byte or two of memory being read out of bounds. There is no write, the memory can't be leaked by an attacker, it is simply a crash. You can't even begin to compare a kernel denial of service to a browser crash, killing a browser is a world away from taking down an entire system. Let's face it, the last thing we need is someone whoring out attention for every browser crash they come across. Report it and be done with it, no one cares. Cool!!! Thanks... Shyaam ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Google Chrome Browser Vulnerability
Hi, --- Software: Google Chrome Browser 0.2.149.27 Tested: Windows XP Professional SP3 Result: Google Chrome Crashes with All Tabs Problem: An issue exists in how chrome behaves with undefined-handlers in chrome.dll version 0.2.149.27. A crash can result without user interaction. When a user is made to visit a malicious link, which has an undefined handler followed by a 'special' character, the chrome crashes with a Google Chrome message window Whoa! Google Chrome has crashed. Restart now?. It fails in dealing with the POP EBP instruction when pointed out by the EIP register at 0x01002FF4. Proof of Concept: http://evilfingers.com/advisory/google_chrome_poc.php Credit: Rishi Narang (psy.echo) www.greyhat.in www.evilfingers.com --- -- Thanks Regards, Rishi Narang | Security Researcher Founder, GREYHAT Insight Key: 0x8D67A3A3 (www.greyhat.in/key.asc) www.greyhat.in ... eschew obfuscation, espouse elucidation. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Google Chrome Browser Vulnerability
On Wed, Sep 3, 2008 at 12:50 AM, Rishi Narang [EMAIL PROTECTED] wrote: Proof of Concept: http://evilfingers.com/advisory/google_chrome_poc.php You didn't manage to jail break the entire browser, thats whats unique about Chrome, each tab is in jail, so the entire application doesn't crash. The real elite exploits will come with you can jail break the entire Chrome application... Chrome's architecture lends itself to secure browsing. Each Web page, or tab, runs in its own process, and is blocked from accessing other processes on the computer. We've taking the existing process boundary, the comic says, and made it into a jail. Different and more flexible permissions are being developed for plug-ins, however. http://news.cnet.com/8301-17939_109-10029914-2.html ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Google Chrome Browser Vulnerability
Hello Larry, Ya, a beta browser (though I forgot to mention it) but, is there any product from Google not in Beta ;) Thanks, our searches are not through a beta search engine. Anyways, it's just an attempt to make it a better place to browse and help it come out of Beta. Rest, I very much liked the minimalist approach and simplicity of it + fast surfing speed. Cheers! Just my 2 cents. -- Thanks Regards, Rishi Narang | Security Researcher Founder, GREYHAT Insight Key: 0x8D67A3A3 (www.greyhat.in/key.asc) www.greyhat.in ... eschew obfuscation, espouse elucidation. Wednesday, September 3, 2008, 5:43:40 AM, you wrote: Holy crap, a crash bug in a beta browser! Larry Seltzer eWEEK.com Security Center Editor http://security.eweek.com/ http://blogs.pcmag.com/securitywatch/ Contributing Editor, PC Magazine [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rishi Narang Sent: Tuesday, September 02, 2008 7:51 PM To: full-disclosure@lists.grok.org.uk Subject: [Full-disclosure] Google Chrome Browser Vulnerability Hi, --- Software: Google Chrome Browser 0.2.149.27 Tested: Windows XP Professional SP3 Result: Google Chrome Crashes with All Tabs Problem: An issue exists in how chrome behaves with undefined-handlers in chrome.dll version 0.2.149.27. A crash can result without user interaction. When a user is made to visit a malicious link, which has an undefined handler followed by a 'special' character, the chrome crashes with a Google Chrome message window Whoa! Google Chrome has crashed. Restart now?. It fails in dealing with the POP EBP instruction when pointed out by the EIP register at 0x01002FF4. Proof of Concept: http://evilfingers.com/advisory/google_chrome_poc.php Credit: Rishi Narang (psy.echo) www.greyhat.in www.evilfingers.com --- -- Thanks Regards, Rishi Narang | Security Researcher Founder, GREYHAT Insight Key: 0x8D67A3A3 (www.greyhat.in/key.asc) www.greyhat.in ... eschew obfuscation, espouse elucidation. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Google Chrome Browser Vulnerability
On Wed, Sep 3, 2008 at 10:13 AM, Larry Seltzer [EMAIL PROTECTED] wrote: Holy crap, a crash bug in a beta browser! oh fuck off with referring to it as beta. beta is just a lame tag so you can release something that you don't entirely trust. imho if it's beta keep it fucking private. if it's public, grow a set of balls and don't call it beta so you can hide behind that when it fails. grow the fuck up, google. Larry Seltzer eWEEK.com Security Center Editor http://security.eweek.com/ http://blogs.pcmag.com/securitywatch/ Contributing Editor, PC Magazine [EMAIL PROTECTED] -- noon silky http://www.themonkeynet.com/armada/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Google Chrome Browser Vulnerability
On Wed, Sep 3, 2008 at 1:28 AM, Rishi Narang [EMAIL PROTECTED] wrote: Hello Larry, Ya, a beta browser (though I forgot to mention it) but, is there any product from Google not in Beta ;) Thanks, our searches are not through a beta search engine. Anyways, it's just an attempt to make it a better place to browse and help it come out of Beta. Rest, I very much liked the minimalist approach and simplicity of it + fast surfing speed. Cheers! Just my 2 cents. It didn't break out of jail for me, did it break out of jail for anyone else? All the best, n3td3v ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Google Chrome Browser Vulnerability
I'd recommend you to read http://en.wikipedia.org/wiki/Software_release_life_cycle#Beta On Tue, Sep 2, 2008 at 9:35 PM, silky [EMAIL PROTECTED] wrote: On Wed, Sep 3, 2008 at 10:13 AM, Larry Seltzer [EMAIL PROTECTED] wrote: Holy crap, a crash bug in a beta browser! oh fuck off with referring to it as beta. beta is just a lame tag so you can release something that you don't entirely trust. imho if it's beta keep it fucking private. if it's public, grow a set of balls and don't call it beta so you can hide behind that when it fails. grow the fuck up, google. Larry Seltzer eWEEK.com Security Center Editor http://security.eweek.com/ http://blogs.pcmag.com/securitywatch/ Contributing Editor, PC Magazine [EMAIL PROTECTED] -- noon silky http://www.themonkeynet.com/armada/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Google Chrome Browser Vulnerability
On Wed, Sep 3, 2008 at 1:58 AM, silky [EMAIL PROTECTED] wrote: On Wed, Sep 3, 2008 at 10:55 AM, Jardel Weyrich [EMAIL PROTECTED] wrote: I'd recommend you to read http://en.wikipedia.org/wiki/Software_release_life_cycle#Beta i'd recommend you re-read my post, and even that link. beta does not go public. and even if you do, don't release something publically only later to claim oh it wasn't really ready, that's why that's not done. it's just pathetic. can't have it both ways. if you put up, expect to be shot down if there is an angle. -- noon silky http://www.themonkeynet.com/armada/ Ok, so can someone answer the question, does this break out of jail, yes or no? -- A security mailing list for computer security news and relevant world news in a breaking news format. https://groups.google.com/group/n3td3v ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Google Chrome Browser Vulnerability
n3td3v escreveu: On Wed, Sep 3, 2008 at 1:58 AM, silky [EMAIL PROTECTED] wrote: On Wed, Sep 3, 2008 at 10:55 AM, Jardel Weyrich [EMAIL PROTECTED] wrote: I'd recommend you to read http://en.wikipedia.org/wiki/Software_release_life_cycle#Beta i'd recommend you re-read my post, and even that link. beta does not go public. and even if you do, don't release something publically only later to claim oh it wasn't really ready, that's why that's not done. it's just pathetic. can't have it both ways. if you put up, expect to be shot down if there is an angle. -- noon silky http://www.themonkeynet.com/armada/ Ok, so can someone answer the question, does this break out of jail, yes or no? Discover it by yourself. Aren't you the bad ass guy of security? Really, i'm tired of seeing netshit just making noise on this list. Also, a bug in a beta browser is just a bug in a beta browser. I won't expect using it in a near future, so i don't care if it has bugs now. My 2 cents, -- Giancarlo Razzolini http://lock.razzolini.adm.br Linux User 172199 Red Hat Certified Engineer no:804006389722501 Verify:https://www.redhat.com/certification/rhce/current/ Moleque Sem Conteudo Numero #002 OpenBSD Stable Ubuntu 8.04 Hardy Heron 4386 2A6F FFD4 4D5F 5842 6EA0 7ABE BBAB 9C0E 6B85 ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Google Chrome Browser Vulnerability
On Wed, Sep 3, 2008 at 3:01 AM, Giancarlo Razzolini [EMAIL PROTECTED] wrote: Discover it by yourself. Aren't you the bad ass guy of security? I'm just a member of the public, unemployed and stupid... maybe you can help me be badass... although i'd rather be a goodass, cause being badass is bad!!! Take care if your security, n3td3v ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Google Chrome Browser Vulnerability
Por que todo esse alvoroço por causa de um bug na versão beta?! Viagem... Urlan On Tue, Sep 2, 2008 at 11:21 PM, n3td3v [EMAIL PROTECTED] wrote: On Wed, Sep 3, 2008 at 3:01 AM, Giancarlo Razzolini [EMAIL PROTECTED] wrote: Discover it by yourself. Aren't you the bad ass guy of security? I'm just a member of the public, unemployed and stupid... maybe you can help me be badass... although i'd rather be a goodass, cause being badass is bad!!! Take care if your security, n3td3v ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Google Chrome Browser Vulnerability
On Tuesday 02 September 2008 23:28:33 Urlan wrote: Por que todo esse alvoroço por causa de um bug na versão beta?! pt: não seja tão imbecil en: don't be such a moron you are lame twice; first for posting in portuguese, then for giving a stupid negative contribution to the thread. if you don't have shit to say at least don't say shit. -- tmh ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Google Chrome Browser Vulnerability
The same thing happened to safari when it came out on windows. On Tue, Sep 2, 2008 at 5:13 PM, Larry Seltzer [EMAIL PROTECTED]wrote: Holy crap, a crash bug in a beta browser! Larry Seltzer eWEEK.com Security Center Editor http://security.eweek.com/ http://blogs.pcmag.com/securitywatch/ Contributing Editor, PC Magazine [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rishi Narang Sent: Tuesday, September 02, 2008 7:51 PM To: full-disclosure@lists.grok.org.uk Subject: [Full-disclosure] Google Chrome Browser Vulnerability Hi, --- Software: Google Chrome Browser 0.2.149.27 Tested: Windows XP Professional SP3 Result: Google Chrome Crashes with All Tabs Problem: An issue exists in how chrome behaves with undefined-handlers in chrome.dll version 0.2.149.27. A crash can result without user interaction. When a user is made to visit a malicious link, which has an undefined handler followed by a 'special' character, the chrome crashes with a Google Chrome message window Whoa! Google Chrome has crashed. Restart now?. It fails in dealing with the POP EBP instruction when pointed out by the EIP register at 0x01002FF4. Proof of Concept: http://evilfingers.com/advisory/google_chrome_poc.php Credit: Rishi Narang (psy.echo) www.greyhat.in www.evilfingers.com --- -- Thanks Regards, Rishi Narang | Security Researcher Founder, GREYHAT Insight Key: 0x8D67A3A3 (www.greyhat.in/key.asc) www.greyhat.in ... eschew obfuscation, espouse elucidation. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ -- http://www.goldwatches.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Google Chrome Browser Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - -- James Matthews [EMAIL PROTECTED] wrote: The same thing happened to safari when it came out on windows. Well, no kidding. :-) Maybe the flaws that will hound Chrome are due to the fact that it uses Safari as a codebase? See also: http://raffon.net/research/google/chrome/carpet.html http://www.microsoft.com/technet/security/advisory/953818.mspx Enjoy. - - ferg -BEGIN PGP SIGNATURE- Version: PGP Desktop 9.6.3 (Build 3017) wj8DBQFIvhcOq1pz9mNUZTMRAstlAKCPqFEaeSc96HHG1gyL5+EbgAYEQACdHBIK kZWN+fHmLdspT7LNmS8Ey08= =fvYJ -END PGP SIGNATURE- -- Fergie, a.k.a. Paul Ferguson Engineering Architecture for the Internet fergdawg(at)netzero.net ferg's tech blog: http://fergdawg.blogspot.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/