The Exploit

A user visiting the page is tricked into thinking they are at the correct web page that hosts the exploit which executes a variety of actions that end in downloading the Calculator from a remote location to externally launch it from Google Sandbox.

Technical Details

According to Vupen, the exact details of the breach including the code have not been publicly disclosed and will only be shared with their government customers to prove the effectiveness of their services. The exploit has been noted as one of the most sophisticated codes as it completely bypasses all security features such as ASLR/DEP/Sandbox.

Also, the vulnerability does not crash following the execution of the exploit and it relies on zero-day vulnerabilities found by Vupen Security while working within a Windows system. Chrome is said to be one of the most secure sandboxes in the industry. Vupen is the first to find a reliable method of executing code on a default installation regardless of the security measures.

Chrome Security Features

Chrome was developed with advanced security technologies like Safe Browsing, auto updates and sandboxing to protect its users from malicious activities. Therefore, the browser shows the user a warning message before they visit the website. Meanwhile, the sandbox feature adds protection by eliminating web pages that leave malicious programs on a local computer while monitoring web activities.

The Vupen Team

Furthermore, the software analyzes and patches known flaws and other vulnerabilities. The Vupen Security team is dedicated to uncovering new vulnerabilities across widely used software to assist vendors with the elimination of vulnerabilities resulting in an airtight software program. However, since Vupen is under contract with the vendor, they are never allowed to release the exact technical details found with the security exploit.

Although it was difficult, cracking the Google Chrome web browser will significantly help the company improve security to make it almost impossible for any hacker to develop an exploit. In this situation, Vupen has definitely done their job well by helping the largest search engine company in the world.

Related posts:

• December 6, 2011 – Comparing The Best Web Browsers
• February 19, 2009 – Fighting Back Against Website Attacks
• December 29, 2008 – Browsers Aiding in Website Attacks
• September 30, 2011 – What the New User can Learn from the GoDaddy Account Hack
• September 23, 2011 – Keep Your Site Safe – Learn What Not to Do
• September 21, 2011 – How To Deal With A Possible Intruder On Your Server
• September 9, 2011 – Several Security Risks and How to Avoid Them
• September 6, 2011 – Performing IP Filtering Through cPanel – A Brief Tutorial
• July 29, 2011 – Is SSL Essential for eCommerce Sites?
• July 22, 2011 – LulzSec’s Hacking Career Slated to End

Despite the fact that several improvements have been made, none of the top web browsers are completely secure.  Because of this, many web security experts are projecting that website attacks will continue to be an issue.  The combination of enhanced functionality and the lack of adequate security implementations have left a number of browsers vulnerable to sophisticated attacks.  Some researchers are saying that the increasing number of exploits is the direct result of Web 2.0 technologies and advanced web hosting features.

Evolution in Technology Opens Doors to Further Threats

Things were fairly innocent in the early days of the internet when static pages were prevalent, before technologies such as JavaScript and Active X came into play.  Today’s World Wide Web is dominated by dynamic web-based applications and complex server-side scripting languages, factors that enable browsers to be used in various ways to exploit websites.  Gary McGraw of Cigital, a software security company, agrees that these feature-rich designs have made browsers far less secure, stating that they are structured more like complete operating systems.

This past September Google released Chrome, its new web browser which was immediately faced with stiff competition in the form of Microsoft Internet Explorer, Mozilla Firefox, Apple Safari and Opera.  While internet users have a wide variety of browsers to choose from, the options are still limited in terms of security, including Chrome.  Experts contend that the browser war of who can out do one another in the feature department is what ultimately leads to these security vulnerabilities.

Though quite serious, the security issues associated with today’s popular web browsers are not attributed to a lack of effort.  Some say that developers are doing all they can but when considering the fact that website attacks such as cross site scripting and cross site request forgery are typically the result of design, these flaws tend to be much harder to fix than bugs found in software code.  Observers suggest that the vulnerabilities are not going to disappear entirely but do stress that browser developers can do more to enhance security.

In general, development teams only have a little time to address browser vulnerabilities before the hacker community is able to discover them.  Developers are being encouraged to practice browser security just like those who make other software products.  This is extremely important as the major web browsers literally have hundred of millions of users.  One solid approach towards website security is standardized authentication, something that would need to be addressed by system administrators.  Another recommendation is for browser developers to design products that alert users when they are being directed to intranet zones such as localhost or RFC1918 as attackers are increasingly targeting internal devices.  Security firms have also predicted that the manner in which data is handled when requests are made between a browser and website should play a critical part in future designs.

Related posts:

• November 26, 2009 – Authentication Hacking: Is Your Site Vulnerable?
• December 6, 2011 – Comparing The Best Web Browsers
• May 30, 2011 – Google Chrome Browser Cracked
• October 16, 2009 – Major Threats to Business Website Security
• April 9, 2009 – Cross Site Scripting: The Underestimated Website Attack
• January 13, 2009 – How to Find Secure Shared Hosting
• October 20, 2011 – Google Dart – Ready or not, a new Language Arrives
• June 28, 2010 – Shared Hosting and Site Downtime
• February 1, 2010 – False User Authentication: A Common Hacking Tactic
• December 30, 2009 – Five Simple Website Safety Tips