Google Chrome Sandbox Hacked - gHacks Tech News

Google Chrome Sandbox Hacked

Two of the core reasons for installing Google Chrome are the browser's speed and security. Especially the latter with its sandboxing approach proved to be very effective against many common attack forms and hacking attempts.

Even the security experts at the Pwn2Own conference were not able to penetrate Chrome's defense system, most did not even bother to try.

VUPEN Research yesterday announced that one of their security teams was successful in exploiting the Google Chrome web browser by escaping the web browser's sandbox.

The sandbox has been designed to separate website contents from each other and the browser core.

A video was published that demonstrates the exploit under Chrome 11.0.695.65, the latest stable version of the Internet browser. The operating system in the video is the 64-bit edition of Windows 7.

The developers are opening a specifically prepared local website which, after a while, triggers the start of Windows Calculator to demonstrate that the sandbox has been penetrated. The calculator ran with the same privileges as the web browser.

Malicious hackers would obviously use the exploit for a serious attack instead of launching the calculator.

How does it work?

The user is tricked into visiting a specially crafted web page hosting the exploit which will execute various payloads to ultimately download the Calculator from a remote location and launch it outside the sandbox at Medium integrity level.

While Chrome has one of the most secure sandboxes and has always survived the Pwn2Own contest during the last three years, we have now uncovered a reliable way to execute arbitrary code on any installation of Chrome despite its sandbox, ASLR and DEP.

The vulnerability has not been confirmed yet by Google and it is unclear if the two companies are in contact with each other. VUPEN have not posted the exploit code or a proof of concept demonstration on their website.

It is likely that we will see a quick patch to address the issue in Chrome. VUPEN are very vague on their website, and it is not clear if all Chrome versions are affected or only the stable version. It is however likely that the exploit works on all versions of Chrome.

The issue can only be utilized by attackers if a Chrome users visits a specifically prepared page on the Internet. While it is unlikely that a single page exploiting the issue is already online, it might be a good idea to stay away from questionable sites for a while.

Advertisement

We need your help

Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.

We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats or subscription fees.

If you like our content, and would like to help, please consider making a contribution:


Previous Post: «
Next Post: »

Comments

  1. DanTe said on May 10, 2011 at 3:08 pm
    Reply

    Vupen only releases their code(s) to the highest bidder. In this case, some unidentified government agency.

    I’m guessing they used simple exploits of either Flash or Java to get this running outside of the Chrome sandbox. Most likely Adobe Flash.

  2. ilev said on May 10, 2011 at 6:09 pm
    Reply

    “execute arbitrary code on any installation of Chrome despite its sandbox, ASLR and DEP.”

    It is the much hyped and faked sense of “security” of Windows 7 (UAC, ASLR,DEP) that failed and not for the first time.

  3. bastik said on May 10, 2011 at 7:00 pm
    Reply

    According to some resources (Jay Nancarrow and Chaouki Bekar) VUPEN has not reported the issue to Google. Since VUPEN does share information with paying customers it was not intended to do so.

    The second layer might have a hole, but Chrome should be more secure than browsers without a sandbox.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

Please note that your comment may not appear immediately after you post it.