Re: [SECURITY] [DSA 2695-1] chromium-browser security update



On Sun, Jun 2, 2013 at 11:51 AM, Nick Boyce wrote:
> On Sunday 02 Jun 2013 16:13:43 Michael Gilbert wrote:
>
>> On Sun, Jun 2, 2013 at 9:32 AM, Nick Boyce wrote:
>>
>> > On Wednesday 29 May 2013 15:23:54 Michael Gilbert wrote:
>> >
>> >> or possibly have unspecified other impact via unknown vectors.
>> >
>> > I'm just wondering ... is that Google language for "or possibly allow
>> > remote code execution" ?
> [...]
>> That is the intentionally vague language of CVE (e.g.
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2837).
> [...]
>> In terms of chromium, your best bet is simply to wait for the bugs to
>> become unembargoed (e.g.
>> https://code.google.com/p/chromium/issues/detail?id=235638).
>
> Thanks.  It's just that I tend to expect that by the time a security fix is
> released, those bugs *are* unembargoed, researchers are poring over code diffs,
> and clear descriptions are usually forthcoming cos there's no longer any point
> in being coy.  For instance, by the time a Firefox release is made Mozilla
> states explicitly in the release information whether or not each bug could
> cause rce.  Same thing for Microsoft.

It's really Google's decision to make, and they have a statement in the FAQ:
http://www.chromium.org/Home/chromium-security/security-faq

Unfortunately their bugs tend to be embargoed for months (and I've
seen a couple take over a year), which doesn't really live up to the
spirit of their new 7-day policy, but then again that is only for
issues that are known to be exploitable in the wild:
http://googleonlinesecurity.blogspot.com/2013/05/disclosure-timeline-for-vulnerabilities.html

You can always try pestering them at security@chromium.org.  It's
probably more of a matter of neglect than intentional.

Best wishes,
Mike

