Vulnerabilities / Threats
02:05 PM
Connect Directly

Hackers Subvert Google Chrome Sandbox

Vulnerability research firm Vupen said it's found a way to execute arbitrary code in the browser.

Google Chrome 10 Boosts Performance, Management
Slideshow: Google Chrome 10 Boosts Performance, Management
(click image for larger view and for slideshow)
On Monday, French vulnerability research firm Vupen said that it has discovered a way to circumvent the sandbox in the Google Chrome browser. The sandbox is designed to prevent attackers from exploiting arbitrary code via the browser.

According to Vupen, the exploit it created "bypasses all security features including ASLR/DEP/Sandbox (and without exploiting a Windows kernel vulnerability), it is silent (no crash after executing the payload), it relies on undisclosed (0 day) vulnerabilities discovered by Vupen, and it works on all Windows systems (32-bit and x64)." ASLR and DEP refer to two attack mitigation technologies: address space layout randomization (ASLR), for preventing attackers from easily locating local files to exploit, and data execution prevention (DEP) for preventing attackers from executing arbitrary code.

Vupen, however, didn't provide specific details of the attack. Rather, the company said that it's only releasing details of the proof-of-concept exploit to its government customers. "For security reasons, the exploit code and technical details of the underlying vulnerabilities will not be publicly disclosed. They are exclusively shared with our government customers as part of our vulnerability research services," it said.

For everyone else, Vupen uploaded a video demonstration of the attack to its website, which shows Chrome v11.0.696.65 being exploited when a user visits a Web page containing the exploit code. For the purposes of the demonstration, the exploit code downloads the Calculator application from a remote location, then launches it on the user's PC, outside the sandbox.

Asked for comment on the flaw itself, or the potential risk it poses to Chrome users, Google demurred. "We're unable to verify Vupen's claims at this time as we have not received any details from them," said a spokesperson for Google, via email. "Should any modifications become necessary, users will be automatically updated to the latest version of Chrome.

Google has a reputation for rapidly patching Chrome, helped in no small part--given the prevalence of Adobe Flash, Reader, and Acrobat bugs--by its having first dibs on Adobe patches.

Exploiting Chrome has evidently been on the Vupen researchers' minds. In March, they won a prize in the Pwn2Own hacking contest by compromising Apple Safari in five seconds, which earned them $15,000. But they could have sweetened the pot by $5,000 if they had hacked Google Chrome, which hadn't been cracked during three years' worth of Pwn2Own contests.

At least part of that fact could be due to Google running its own bug bounty program, which now pays anywhere from $500 to $3,133.70 for information on particularly egregious vulnerabilities in or clever exploits of its products. Vupen not submitting the details of the bug it discovered leaves open the possibility that someone else might submit the information in return for the reward.

But Vupen's move also illustrates the market dynamics at work behind vulnerability research. Namely, a company such as Vupen builds its business by attracting subscribers to its software vulnerability information service, meaning that its revenue relates directly to the quality, timeliness, and--sometimes--exclusivity of its bug notices.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-07-11
Dahua DVR 2.608.0000.0 and 2.608.GV00.0 allows remote attackers to bypass authentication and obtain sensitive information including user credentials, change user passwords, clear log files, and perform other actions via a request to TCP port 37777.

Published: 2014-07-11
Cumin (aka MRG Management Console), as used in Red Hat Enterprise MRG 2.5, does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.

Published: 2014-07-11
The REST API in the ovirt-engine in oVirt, as used in Red Hat Enterprise Virtualization (rhevm) 3.4, allows remote authenticated users to read arbitrary files and have other unspecified impact via unknown vectors, related to an XML External Entity (XXE) issue.

Published: 2014-07-11
Docker 1.0.0 uses world-readable and world-writable permissions on the management socket, which allows local users to gain privileges via unspecified vectors.

Published: 2014-07-11
Apache Syncope 1.1.x before 1.1.8 uses weak random values to generate passwords, which makes it easier for remote attackers to guess the password via a brute force attack.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Marilyn Cohodas and her guests look at the evolving nature of the relationship between CIO and CSO.