[chromium-dev] Re: Urgent, a very evil site i think which does evil things (no joke)

2009-08-06 Thread yoav zilberberg
Jeremy, I can't see how it will make things any worse to punch these holes. You still fork Flash in its own process like you do now, only you sandbox it. How is it any worse?

This is just an observation that if I would write malware (which of course, I would never), I would just use Flash plugin exploits to be cross-browser compatible, and this renders the sandbox nearly useless for future attacks.

What decent malware writer would bother with WebKit exploits? None!

Besides, if you look at the help forum of Chrome, you will see some people are starting to catch malware like this, which is btw how I got this evil site's URL; I would never click on my own on such a foul-looking site.

As for the auto-updating issue, I suggested a solution in one of my prev posts, and I am sure you can have a word with Adobe for this.

In a sense Chrome makes it easier to infect itself(!), as you run plugins in the medium integrity level (Vista and above) and you normally install Chrome in the local user account, so no UAC prompt will help the user if some delicate file or DLL is written to the Chrome folder, and then it will do something never intended.

Also, one more note: Flash is special enough that if you would hard-code the solution to it, you would anyways solve most infection problems in the world, and maybe even cancer... who knows?

And regarding what CPU said (and ignoring the auto-update), it seems that Flash does work flawlessly using your '--safe-plugins' switch, and doing this on that site does stop the attack (tbh, maybe the attack was stopped because Sun's Java died in the sandbox, but Ian said it was a Flash-based attack).

Chromium Developers mailing list: chromium-dev@googlegroups.com
View archives, change email options, or unsubscribe: http://groups.google.com/group/chromium-dev



[chromium-dev] Re: Urgent, a very evil site i think which does evil things (no joke)

2009-08-06 Thread yoav zilberberg
Alex, your reply irritates me so much that I am willing to take my chances, and if anyone (from @chromium) finds my answer insulting, e-mail me and I will remove myself forever from your lists, promise!

What kind of an answer is that? Do you know how this attack was carried out? Did you even read this thread before suggesting your comments?

Even the start of your thread, "trust the force", is so arrogant, and while I don't know who Carlos is, I would think that even Carlos would know that if you intercepted file access you would have easily stopped this attack.

Jeremy was at least constructive, in suggesting I would patch it myself, but like I said, I don't know NPAPI, nor do I know Flash for that matter.

But I do know Windows, Alex, and whatever Flash does internally it cannot access the disk directly, right? (Of course not.) So just that simple test would have been enough.

And again, if anyone(!) from Chrome(!) finds my response offensive, reply here and I promise never to post here again, with zero hard feelings.

nakro


[chromium-dev] Re: Urgent, a very evil site i think which does evil things (no joke)

2009-08-06 Thread yoav zilberberg
Ian, well, I like your reply, so just tell me please, for my own knowledge, one thing: is there ever a reason to allow Flash (we are talking only Flash here) to fork WinMail.exe, for example?

I am a very lightweight surfer, and I mostly read tech stuff, so my experience with Flash is mostly YouTube.

Is this really something which any Flash application does?

Does Flash really expect to have access to 'Program Files'?

If Flash is expected to have access to it all, then you wouldn't have tried to sandbox it in the first place, right? And btw, I read really a lot of the source code of Chrome, and I still do; I even used your sandbox API for various tricks, and I even submitted patches and expect to do more in the future.


[chromium-dev] Re: Urgent, a very evil site i think which does evil things (no joke)

2009-08-06 Thread yoav zilberberg
No Adam, I did not submit patches to the sandbox :) I just used its APIs to forward calls from kernel32.dll to my own DLLs so I could inject code into VC.exe and force it to run in the idle priority class. But I still don't get it: if Flash expects to be able to SendMessage, then you cannot sandbox it anyways, as there is no limit to what can be done. And of course, I also look forward to HTML5.

All I am saying is that one of the biggest selling points of Chrome is that it is secure (no drive-by malware anymore), and I was hoping for such a good product as Chrome to protect me.

There are simple statistics to be had here: do most Flash apps expect to be able to SendMessage? If so, I admit, this is a hopeless case. But if not, then you should have added an option in Chrome to say 'sandbox Flash by default' and then you could whitelist some sites you trust.


[chromium-dev] Re: Urgent, a very evil site i think which does evil things (no joke)

2009-08-06 Thread yoav zilberberg
Alex, let me get it, are you part of the Chrome team? I don't recall accusing anyone from Chrome, but I do recall not liking your reply, so just let me know if you are part of the devs of Chrome please.

I will be honest: if you are, then I think it is time for me to move to a different browser. If you are not, then don't decide if I accuse the Chrome team or not, let them tell me, and like I said, I would remove myself in a second and with no hard feelings.


[chromium-dev] Re: 2 Questions about Npapi (and flash in particular)

2009-08-02 Thread yoav zilberberg
I have none. If I could do it on my machine I would debug it and (hopefully) find the root cause. My intention in posting it here is that maybe the person who wrote NPAPI will say "oh, this makes sense", or maybe this thread will die...

Anyways, the address space issue seems to make sense in a way, but then again, I never wrote anything with Flash or anything like it, so I don't know how they handle the address space issues (they really have only one process for the plugin).


[chromium-dev] Re: 2 Questions about Npapi (and flash in particular)

2009-08-02 Thread yoav zilberberg
Evan, thanx, but the 2nd part, the --safe-plugins: I know it works on dev, and it does seem to create the plugin inside the sandbox, so is this a good solution security-wise to suggest to people?


[chromium-dev] Re: FYI: a new problem with the latest patch for 2008 SP1 (from today/yesterday)

2009-07-29 Thread yoav zilberberg
I registered my copy of VS2008, so the update came with Windows Update; I actually had no idea they did anything till my builds started to fail.

http://support.microsoft.com/kb/971092/

There were actually 3 updates, but I guess they are ashamed or something; two of them link nowhere now :) And you'd prob better wait till they fix it.
