Multiple Vulnerabilities in Google

Security Explorations, a research group in Poland, is claiming to have discovered multiple vulnerabilities in Google’s App Engine for Java.

According to the information they gave to Full Disclosure, Security Explorations has not received any response from Google denying or confirming Issues 37-41. They also never received a response on whether or not Issues 35-36 had been fixed, although they had been. According to Security Explorations’ founder and CEO, Adam Gowdiak, if Google fixed them, “This is the 3rd time we experience this “silent fix” approach from the company”.

The vulnerabilities allow for complete Java VM security sandbox escapes, though they do not break the sandbox. They result in a partial Google App Engine bypass. The vulnerabilities apparently stem from incorrect implementation of methods and missing security checks.

Only last year, Security Explorations received a reward of $50,000 from Google for other disclosed vulnerabilities. One can understand why the silent fixes would be upsetting. The silence from Google prompted them to release the details:

“We need to treat all vendors equal [..] it’s been 3 weeks and we haven’t heard any official confirmation [or] denial from Google with respect to Issues 37-41. It should not take more than 1-2 business days for a major software vendor to run the received POC, read our report and / or consult the source code,” said Security Explorations on Full Disclosure.

