This is obviously an incorrect fix, and a trivial change makes the vulnerability still exploitable,” he noted, and added that he will be pushing the matter further by filing a new bug with the trivial bypass of their fix as a new issue.
“It looks like Comodo pushed a change that removes the ‘execCode’ API that I was using in my exploit. They also hijack DNS settings, among other shady practices,” says Ormandy.Ĭhromodo is described by the company as a “fast and versatile internet browser based on Chromium, with highest levels of speed, security and privacy,” but according to the researcher that claim is untrue, as the browser disables the same-origin policy, effectively turning off web security.Ĭomodo has been notified of the problem, and has apparently fixed the issue, but Ormandy is not satisfied with the fix. “Additionally, all shortcuts are replaced with Chromodo links and all settings, cookies, etc are imported from Chrome. This time it’s Comodo Internet Security and, according to this issue tracking page, the software installs a new browser called Chromodo and sets it as the default browser. Google researcher Tavis Ormandy has found more vulnerabilities in yet another security solution.
0 kommentar(er)
