5/10/2011 02:05 PM

Hackers Subvert Google Chrome Sandbox

Vulnerability research firm Vupen said it's found a way to execute arbitrary code in the browser.

On Monday, French vulnerability research firm Vupen said that it has discovered a way to circumvent the sandbox in the Google Chrome browser. The sandbox is designed to contain a compromised browser process so that an attacker who exploits a bug in it still cannot run arbitrary code on the underlying system.

According to Vupen, the exploit it created "bypasses all security features including ASLR/DEP/Sandbox (and without exploiting a Windows kernel vulnerability), it is silent (no crash after executing the payload), it relies on undisclosed (0 day) vulnerabilities discovered by Vupen, and it works on all Windows systems (32-bit and x64)." ASLR and DEP refer to two exploit mitigation technologies: address space layout randomization (ASLR), which randomizes where code, stacks, and heaps are loaded in memory so that an attacker cannot reliably predict the addresses an exploit needs, and data execution prevention (DEP), which marks data regions such as the stack and heap non-executable so that injected code cannot simply be run from them.
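Whether a given Windows binary even opts in to these mitigations is recorded in its PE header, in the DllCharacteristics field of the optional header. The following is an added example written for this article, not code from Vupen or Google: it parses that field from raw bytes and reports the ASLR and DEP bits. The flag values are the documented IMAGE_DLLCHARACTERISTICS_* constants; the build_minimal_pe helper is a constructed fixture (a header skeleton, not a loadable executable) so the check runs offline.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
HIGH_ENTROPY_VA = 0x0020   # 64-bit ASLR with high-entropy addresses
DYNAMIC_BASE    = 0x0040   # image may be relocated, i.e. opts in to ASLR
NX_COMPAT       = 0x0100   # image is compatible with DEP (no-execute data)
NO_SEH          = 0x0400   # image declares it uses no structured exception handlers
GUARD_CF        = 0x4000   # control-flow guard (introduced after this 2011 article)


def pe_mitigations(data: bytes) -> dict:
    """Report which exploit mitigations a PE image opts in to.

    Walks DOS header -> e_lfanew -> "PE\\0\\0" -> COFF header -> optional header,
    where DllCharacteristics sits at offset 70 for both PE32 and PE32+.
    Raises ValueError on anything that is not a plausible PE image.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    (size_of_optional,) = struct.unpack_from("<H", data, coff + 16)
    if size_of_optional < 72:
        raise ValueError("optional header too short to carry DllCharacteristics")
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    return {
        "pe32plus": magic == 0x20B,
        "aslr": bool(dll_chars & DYNAMIC_BASE),
        "high_entropy_va": bool(dll_chars & HIGH_ENTROPY_VA),
        "dep": bool(dll_chars & NX_COMPAT),
        "no_seh": bool(dll_chars & NO_SEH),
        "cfg": bool(dll_chars & GUARD_CF),
    }


def build_minimal_pe(dll_characteristics: int, pe32plus: bool = True) -> bytes:
    """Constructed fixture: the smallest header layout pe_mitigations needs.

    Only the fields the parser reads are populated; everything else is zero,
    so the result is not a runnable executable.
    """
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 240 if pe32plus else 224          # standard optional header sizes
    coff = struct.pack("<HHIIIHH",
                       0x8664 if pe32plus else 0x14C,  # Machine: x64 or i386
                       0, 0, 0, 0,                     # sections, timestamp, symtab, nsyms
                       opt_size,
                       0x0002)                         # IMAGE_FILE_EXECUTABLE_IMAGE
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    hardened = build_minimal_pe(DYNAMIC_BASE | NX_COMPAT | HIGH_ENTROPY_VA)
    legacy = build_minimal_pe(0, pe32plus=False)
    print("hardened:", pe_mitigations(hardened))
    print("legacy:  ", pe_mitigations(legacy))
```

On a real system the same function takes `open(path, "rb").read()` for any EXE or DLL. Note what the check does and does not tell you: a binary that opts in to DEP and ASLR is harder to exploit, but, as Vupen's claim illustrates, opting in is not the same as being safe, since a single non-randomized module in the process, an information leak, or a sandbox escape can still defeat the mitigations.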

Vupen, however, didn't provide specific details of the attack. Rather, the company said that it's only releasing details of the proof-of-concept exploit to its government customers. "For security reasons, the exploit code and technical details of the underlying vulnerabilities will not be publicly disclosed. They are exclusively shared with our government customers as part of our vulnerability research services," it said.

For everyone else, Vupen uploaded a video demonstration of the attack to its website, which shows Chrome v11.0.696.65 being exploited when a user visits a Web page containing the exploit code. For the purposes of the demonstration, the exploit code downloads the Calculator application from a remote location, then launches it on the user's PC, outside the sandbox.

Asked for comment on the flaw itself, or the potential risk it poses to Chrome users, Google demurred. "We're unable to verify Vupen's claims at this time as we have not received any details from them," said a spokesperson for Google, via email. "Should any modifications become necessary, users will be automatically updated to the latest version of Chrome."

Google has a reputation for rapidly patching Chrome, helped in no small part--given the prevalence of Adobe Flash, Reader, and Acrobat bugs--by its having first dibs on Adobe patches.

Exploiting Chrome has evidently been on the Vupen researchers' minds. In March, they won a prize in the Pwn2Own hacking contest by compromising Apple Safari in five seconds, which earned them $15,000. But they could have sweetened the pot by $5,000 if they had hacked Google Chrome, which hadn't been cracked during three years' worth of Pwn2Own contests.

Part of Chrome's Pwn2Own record may be attributable to Google running its own bug bounty program, which now pays anywhere from $500 to $3,133.70 for particularly severe vulnerabilities in, or clever exploits of, its products. Because Vupen has not submitted details of the bugs it discovered, someone else could still find and report the same flaws and collect the reward.

But Vupen's move also illustrates the market dynamics at work behind vulnerability research. Namely, a company such as Vupen builds its business by attracting subscribers to its software vulnerability information service, meaning that its revenue relates directly to the quality, timeliness, and--sometimes--exclusivity of its bug notices.
