[FoRK] The Year That Security Collapses Completely

Joseph S. Barrera III joe at barrera.org
Tue Jan 12 11:57:55 PST 2016


Greg, you have predicted something like the subject line (I forget your
exact phrasing), but I don't think it exists. Security will just get worse
monotonically every year, forever. Like the boot stomping on the face in
1984.

http://arstechnica.com/security/2016/01/google-security-researcher-excoriates-trendmicro-for-critical-av-defects/

https://code.google.com/p/google-security-research/issues/detail?id=693

Excerpt:

I spent a few minutes trying to understand how the SB shell worked,
and then realized they were just hiding the global objects. I sent
this annoyed follow-up:

This thing is ridiculous, wtf is this:
https://localhost:49155/api/showSB?url=javascript:alert(topWindow.require("child_process").spawnSync("calc.exe"))

You were just hiding the global objects and invoking a browser
shell...? ...and then calling it "Secure Browser"?!? The fact that you
also run an old version with --disable-sandbox just adds insult to
injury.

I don't even know what to say - how could you enable this thing *by
default* on all your customer machines without getting an audit from a
competent security consultant?

You need to come up with a plan for fixing this right now. Frankly, it
also looks like you're exposing all the stored passwords to the
internet, but let's worry about that screw-up after you get the remote
code execution under control.

Please confirm you understand this report.

