Posted in Shoddy Security

Security researcher exposes Google’s double standard on responsible disclosure of exploits

Via Ars Technica:

Vulnerabilities in the Google App Engine cloud platform make it possible for attackers to break out of a first-level security sandbox and execute malicious code in restricted areas of Google servers, a security researcher said Friday.

Adam Gowdiak, CEO of Poland-based Security Explorations, said there are seven separate vulnerabilities in the Google service, most of which he privately reported to Google three weeks ago. So far, he said, the flaws have gone unfixed, and he has yet to receive confirmation from Google officials. To exploit the flaws, attackers could use the freely available cloud platform to run a malicious Java application. That malicious Java app would then break out of the first sandboxing layer and execute code in the highly restricted native environment.

What’s interesting about this is that Google has previously disclosed flaws in Apple and Microsoft software before patches could be released, which made folks in Cupertino and Redmond very angry. Now Google’s getting a taste of its own medicine, except in this case, the researcher who delivered Google’s comeuppance waited a generous period of time without even getting so much as an acknowledgement from the Monster of Mountain View.