Earlier this week a French security firm called Security Vulpen claimed it had found a vulnerability in the sandbox of Chrome, one of the items that make the browser's currently one of the safest. Failure, they say, is pretty serious, with the potential to allow downloading of malicious files. But according to a pair of engineers from Google, the claim is merely a flaccid prosopopoeia to cherish cattle.
Tavis Ormandy and Chris Evans, both safety engineers at Google, said in their profiles on Twitter that Vulpen used a vulnerability in Flash to make the sandbox Chrome fails, which then gave rise to a controversy. Failure used to break the sandbox of Chrome is in the Adobe Flash plugin. However, Flash is embedded in all installations of Chrome today.
So that means that, by transitivity, Chrome is vulnerable? Or because of failure to be specifically in the plugin from Adobe, the Google browser could still be considered a secure browser?
And please note that neither company has released a demo of the vulnerability publicly and no one has discovered how to exploit it. At least not yet.
