Vulnerabilities / Threats
02:05 PM
Connect Directly

Hackers Subvert Google Chrome Sandbox

Vulnerability research firm Vupen said it's found a way to execute arbitrary code in the browser.

Google Chrome 10 Boosts Performance, Management
Slideshow: Google Chrome 10 Boosts Performance, Management
(click image for larger view and for slideshow)
On Monday, French vulnerability research firm Vupen said that it has discovered a way to circumvent the sandbox in the Google Chrome browser. The sandbox is designed to prevent attackers from exploiting arbitrary code via the browser.

According to Vupen, the exploit it created "bypasses all security features including ASLR/DEP/Sandbox (and without exploiting a Windows kernel vulnerability), it is silent (no crash after executing the payload), it relies on undisclosed (0 day) vulnerabilities discovered by Vupen, and it works on all Windows systems (32-bit and x64)." ASLR and DEP refer to two attack mitigation technologies: address space layout randomization (ASLR), for preventing attackers from easily locating local files to exploit, and data execution prevention (DEP) for preventing attackers from executing arbitrary code.

Vupen, however, didn't provide specific details of the attack. Rather, the company said that it's only releasing details of the proof-of-concept exploit to its government customers. "For security reasons, the exploit code and technical details of the underlying vulnerabilities will not be publicly disclosed. They are exclusively shared with our government customers as part of our vulnerability research services," it said.

For everyone else, Vupen uploaded a video demonstration of the attack to its website, which shows Chrome v11.0.696.65 being exploited when a user visits a Web page containing the exploit code. For the purposes of the demonstration, the exploit code downloads the Calculator application from a remote location, then launches it on the user's PC, outside the sandbox.

Asked for comment on the flaw itself, or the potential risk it poses to Chrome users, Google demurred. "We're unable to verify Vupen's claims at this time as we have not received any details from them," said a spokesperson for Google, via email. "Should any modifications become necessary, users will be automatically updated to the latest version of Chrome.

Google has a reputation for rapidly patching Chrome, helped in no small part--given the prevalence of Adobe Flash, Reader, and Acrobat bugs--by its having first dibs on Adobe patches.

Exploiting Chrome has evidently been on the Vupen researchers' minds. In March, they won a prize in the Pwn2Own hacking contest by compromising Apple Safari in five seconds, which earned them $15,000. But they could have sweetened the pot by $5,000 if they had hacked Google Chrome, which hadn't been cracked during three years' worth of Pwn2Own contests.

At least part of that fact could be due to Google running its own bug bounty program, which now pays anywhere from $500 to $3,133.70 for information on particularly egregious vulnerabilities in or clever exploits of its products. Vupen not submitting the details of the bug it discovered leaves open the possibility that someone else might submit the information in return for the reward.

But Vupen's move also illustrates the market dynamics at work behind vulnerability research. Namely, a company such as Vupen builds its business by attracting subscribers to its software vulnerability information service, meaning that its revenue relates directly to the quality, timeliness, and--sometimes--exclusivity of its bug notices.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-09-22
Multiple cross-site scripting (XSS) vulnerabilities in Baby Gekko before 1.2.2f allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter to admin/index.php or the (2) username or (3) password parameter in blocks/loginbox/loginbox.template.php to index.php. NOTE: some o...

Published: 2014-09-22
The Debian acpi-support package before 0.140-5+deb7u3 allows local users to gain privileges via vectors related to the "user's environment."

Published: 2014-09-22
Cobham Aviator 700D and 700E satellite terminals use an improper algorithm for PIN codes, which makes it easier for attackers to obtain a privileged terminal session by calculating the superuser code, and then leveraging physical access or terminal access to enter this code.

Published: 2014-09-22
Cross-site scripting (XSS) vulnerability in spacewalk-java 1.2.39, 1.7.54, and 2.0.2 in Spacewalk and Red Hat Network (RHN) Satellite 5.4 through 5.6 allows remote attackers to inject arbitrary web script or HTML via a crafted request that is not properly handled when logging.

Published: 2014-09-22
Off-by-one error in D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8, when running on a 64-bit system and the max_message_unix_fds limit is set to an odd number, allows remote attackers to cause a denial of service (dbus-daemon crash) or possibly execute arbitrary code by sending one m...

Best of the Web
Dark Reading Radio