Sogou responds to the leaked "explosive material"

Source: Internet
Author: User

Abstract: On December 2, in response to reports of a buffer overflow vulnerability in the high-speed kernel of Sogou Browser, Sogou issued a statement saying that it currently cannot confirm the vulnerability, and that the "explosive material" shows obvious traces of human manipulation and is suspected of being unfair competition. Following is

On December 2, in response to recent reports of a "buffer overflow vulnerability" in the high-speed kernel of Sogou Browser, Sogou issued a statement saying that it currently cannot confirm the vulnerability, and that the "explosive material" shows obvious traces of human manipulation and is suspected of being unfair competition.

The following is the full statement:

Recently, news has appeared online that the high-speed kernel of Sogou Browser has a "buffer overflow vulnerability." After investigation, we note the following:

1. Sogou has not confirmed the vulnerability, but has upgraded in accordance with its plan.

Earlier versions of Sogou Browser's high-speed engine used the Chromium 6.0 kernel developed by Google, the same kernel as Google's browser of that kernel version. We analyzed the issue and contacted Google's engineers, and were unable to confirm the vulnerability. But out of responsibility to our users, we upgraded Sogou Browser to version 3.1 on November 29 as planned; that version uses the new Chromium 14.0 kernel to raise the security level. It is common sense in the software industry that software is inevitably flawed and is continually patched and upgraded. All kinds of desktop software, including Microsoft IE, Google's browser and Firefox, have vulnerabilities, and the convention is to fix them through upgrades or patches. In 2011, for example, Microsoft's security-vulnerability-related product upgrades (Windows Update) have numbered more than 100, while Flash, software commonly used on the Internet, has disclosed 12 serious security vulnerabilities this year that affect the various browsers using the Flash plug-in (including the supposedly secure 360 Secure Browser). Discovering and patching vulnerabilities is the norm in the software industry.

2. There is evidence that the "explosive material" shows obvious traces of human manipulation and is suspected of being unfair competition.

The message first appeared on a foreign technical forum called Sysinternals. The forum account "huntvulnerable" was registered on November 13 and posted the "explosive material" the next day. It is rare for a technician to go to a small foreign website to single out a Chinese browser by name. By common sense, if he were a foreigner, he would be more likely to focus on Google's browser, which has the same kernel and the same potential vulnerability; if he were Chinese, there would be no need to register a temporary account, post to a foreign forum so that the media could "import" the story, and refuse to respond to Sogou's unsolicited inquiries. The post also claimed that previous versions of Sogou Browser have this vulnerability as well, indicating that "he" has been continuously "paying attention" to Sogou Browser. From the way the message was produced to the path by which it spread through the media, the whole process is full of traces of artificial manipulation and fully matches the bad unfair-competition practices of some domestic Internet companies.

3. To protect the interests of users, notifying the vendor of a discovered vulnerability is a matter of industry integrity, and repairing systems is the obligation of security vendors.

Because no software can avoid vulnerabilities, software vendors and practitioners around the world (including conscientious hackers) have adhered to a common value: confidentially and promptly notify the relevant vendor so that it can upgrade or repair, in order to protect the interests of users. This is the practice of the software industry, and also the obligation of security vendors. Take Google's browser, for example: when a vulnerability is found, Google discloses only the bug number and never mentions the specific content of the vulnerability. But the leaker neither notified Google nor notified Sogou, and has not responded to Sogou's unsolicited inquiries, choosing instead to spread the information through domestic media and microblogs, and even deliberately releasing a video demonstrating how to attack users. Whether or not the so-called vulnerability exists, we regret this bad behavior.

4. We call upon security vendors such as 360 to fulfil their obligations and assist in analysing whether the potential vulnerability exists.

We learned from reliable sources that some Qihoo 360 employees had said privately a few weeks ago that they had mastered and reproduced the potential vulnerability by studying Google's browser and Sogou Browser. In addition, a senior engineer from the former Google browser development team joined Qihoo 360 in June. Sogou Browser and Google's browser both use the Chromium kernel developed by Google, and the core members of Google's browser development team have the most opportunity to understand core vulnerabilities. We call on 360 and other vendors to fulfil the basic obligations of security vendors: if the vulnerability exists, they should inform Sogou through proper channels, take measures to control any possible leakage of the vulnerability, and take responsibility toward the vast number of netizens.

We sincerely hope that everyone will look at every piece of software with a scientific and ordinary mindset, and believe in the industry laws and common values that the world's industry has passed down over decades.

This is a great Internet era of openness, commitment and win-win, and users should have freedom from fear. Only by believing in civilization can we truly attain civilization.

Sogou Browser Development Team

December 1, 2011
