Does Google Chrome have a problem with an unknown zero day in dll?

See: http://securityledger.com/questions-doubts-greet-researchers-claim-to-have-chrome-zero-day/ link author = ledgeditor
FUD or real unknown threat, so Google has a serious problem with the browser?

polonus

Seems like there is doubt. When will we know the answer to this?

According to the article, Wednesday.

Hi bob3160,

Well, let us speculate about which Google Chrome dll it will be that has that zero day. I will make a prediction and we will see if I took a bet on the wrong black horse, so to say. This dll, xinput1_3.dll, is a likely candidate i.m.h.o., because it is a general MS DirectX dll for use with gamepads, and MS says about this dll that it should not come bundled within a browser for instance. They frown upon what Google did. This dll can be used to bypass ASLR + DEP in chrome, and what is even worse, in a predictable way. Not building it with ASLR is a problem… (info CimStordal) and read on in this document here: http://www.nsa.gov/ia/_files/app/ADF-12-1216-SCGGoogleChrome.pdf
On page 18 there you can read that the mentioned dll comes from MS and there it says “no DEP”, “no ASLR” for these binaries installed. Well, we shall just wait and see. Will it be a non-secure DLL preloading issue?

polonus
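The “no DEP” / “no ASLR” status discussed in the post above is recorded in the `DllCharacteristics` field of a DLL's PE header, so it can be checked directly. The following is an added example, not part of the thread or of any vendor tool; `pe_mitigations` and `make_sample` are hypothetical names, and the sample headers are constructed stubs, not real DLLs.

```python
import struct
import sys

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification
DYNAMIC_BASE = 0x0040  # linked with /DYNAMICBASE: image opts in to ASLR
NX_COMPAT = 0x0100     # linked with /NXCOMPAT: image is marked DEP-compatible

def pe_mitigations(data: bytes) -> dict:
    """Report the ASLR and DEP opt-in bits of a PE image (DLL or EXE)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    opt = e_lfanew + 4 + 20  # signature (4) + COFF file header (20)
    if len(data) < opt + 72 or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("truncated or missing PE header")
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 4 + 16)
    (magic,) = struct.unpack_from("<H", data, opt)
    if opt_size < 72 or magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unsupported optional header")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+
    (flags,) = struct.unpack_from("<H", data, opt + 70)
    return {"aslr": bool(flags & DYNAMIC_BASE), "dep": bool(flags & NX_COMPAT)}

def make_sample(flags: int, magic: int = 0x10B) -> bytes:
    """Build a constructed, header-only PE stub for demonstration."""
    buf = bytearray(0x40 + 4 + 20 + 96)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)          # e_lfanew
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x40 + 4 + 16, 96)   # SizeOfOptionalHeader
    struct.pack_into("<H", buf, 0x40 + 24, magic)
    struct.pack_into("<H", buf, 0x40 + 24 + 70, flags)
    return bytes(buf)

if __name__ == "__main__":
    # With no arguments, run on two constructed stubs; otherwise audit files.
    if len(sys.argv) > 1:
        samples = {p: open(p, "rb").read(4096) for p in sys.argv[1:]}
    else:
        samples = {"constructed-no-flags.dll": make_sample(0),
                   "constructed-hardened.dll": make_sample(DYNAMIC_BASE | NX_COMPAT)}
    for name, blob in samples.items():
        try:
            print(name, pe_mitigations(blob))
        except ValueError as exc:
            print(name, "skipped:", exc)
```

Passing the paths of the DLLs shipped in an application's install directory as arguments lists which modules were built without either opt-in.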

I just found this. → http://threatpost.com/en_us/blogs/chrome-zero-day-presentation-gives-way-mandatory-military-service-112612

“Murthy told Threatpost that Gobejishvili said the exploit uses a new Java zero-day vulnerability.”

Any new info on this?

Hi Charyb,

All we know is that new java exploits are being incorporated by “exploit kits all sorts” in an ever faster sequence. Considering the use of java - it is not the official avast position, some here seem to advise users to disable java inside their browsers, whenever there is no absolute need for a java application to run, as since Oracle took over java the situation did not seem to improve considering the java zero day records.
Well, the Tbilisi researcher seems not to be in the top rank as far as zero day contributions are concerned. Some consider him a script kiddie who does not fully understand the underlying mechanisms himself. Whatever, he has been drafted, so I am afraid we won’t hear from him until later.
The dll I speculated about is a Google Chrome one that MS has been frowning upon. It is outside DEP & ASLR. It is a general MS DirectX dll, and according to bug reports the dll can be abused with predictable landing results. I do not know how it could be abused in relation to the newer Java exploits. Also this is outside the scope of our reporting; security researchers should be aware however, and of course Google Chrome developers should do something about this possible threat, e.g. lack of protection…

polonus

Yes, my advice is to drop it altogether (not only in the browser)…!!
The ongoing problem is that some users think they would need Java, while they don’t… :wink:

If you don’t have applications that use JAVA or you absolutely must visit sites that use JAVA (not javascript), then it isn’t a required installation. Completely uninstalling it seems to be the way to go, if you don’t need it get rid of it, saves you all that hassle of constantly having to update it. Not to mention it removes the possibility of getting hit by a JAVA exploit.

Hi DavidR,

That is your, or rather our, point of view. I like to stress here that the advice to uninstall java is not an official avast standpoint, as one of the avast team mods has stated in an earlier comment.

polonus

Yes, that is my personal view.

One problem I have with not having Java is that JRE is required to build a database in OpenOffice. The most recent version of OpenOffice (3.4.1) does not install Java by default and I believe it was installed by default in previous versions. If I remember correctly LibreOffice has always required a separate installation of Java.

Some LibreOffice functions do still require JRE, but they are trying to remove the dependencies:
http://www.libreoffice.org/get-help/faq/general-faq/does-libreoffice-require-java/

That is why I pre-qualified my opinion with, “If you don’t have applications that use JAVA or you absolutely must visit sites that use JAVA (not javascript)”. Obviously if you have, then you have to balance that against any potential risk in having JAVA installed.