Purported Chrome sandboxing exploit underscores monetary value of zero-day code
I reported on French security firm VUPEN earlier this week when the company announced that it had created an exploit that successfully broke through the vaunted security sandbox in the Chrome web browser. Moreover, the researchers also claimed that they were able to defeat ASLR and DEP, which meant that the proof-of-concept code could easily be incorporated into new malware.
Fortunately, VUPEN chose not to disclose the exploit it created, that is, the proof-of-concept code. Unfortunately, the company has also declined to outline the technical details of the underlying vulnerabilities it exploited, not even to the Chrome web browser team, who could have rectified them.
Several Google (NASDAQ: GOOG) security engineers have since come forward to question the claim by VUPEN, according to a new report by Computerworld. Airing their thoughts on Twitter, at least three Google security engineers dismissed the purported exploit as a bug in Flash's code, and not the Chrome browser itself. Google security engineer Justin Schuh put it this way in a tweet: "No one is saying it's not a legit exploit. The point is that it's not the exploit [Vupen] claimed."
Chaouki Bekrar, VUPEN's CEO and head of research, held on to a contrary view, however. In an email to Computerworld in which Bekrar asserted that VUPEN "will not help" Google to find the vulnerabilities, he wrote: "Nobody knows how we bypassed Google Chrome's sandbox except us and our customers, and any claim is a pure speculation." At stake here is Chrome's reputation as a secure browser. Unfortunately, it is practically impossible to determine whether the Chrome sandbox is indeed flawed while the pertinent information is withheld.
As I noted in my earlier post, I cannot help but notice the commercialism at stake here: VUPEN says that information pertaining to the exploit will be shared exclusively with the company's government customers as part of its vulnerability research services. Mind you, the Chromium Security Reward tops out at a cool $3,133.70 for security bugs submitted for Chrome. Clearly, however, VUPEN stands to gain much more by serving the narrow needs of its own customer base.
While it is understandable that all commercial businesses need to generate returns on their research, I'm not sure I like what I see ahead. Will only the well-heeled (and the government) be able to afford vulnerability information, and hence adequately protect themselves, in the future?
For now, heated words continue to fly between Google and VUPEN. In response to Bekrar's barb that "When it comes to critical vulnerabilities, all software vendors/devs (including Google) always try to downplay the findings... #pathetic" Schuh retorted with "I was thinking something similar about researchers who inflate their accomplishments." - Paul Mah (Twitter @paulmah)