Vupen Security, a group specializing in vulnerability research, claims to have broken through the Google Chrome browser as well as the sandbox thus denting claims regarding the security of the browser. A video was recently released on Vupen’s website displaying the exploit from Google Chrome v11.0.696.65 using Microsoft Windows 7 SP1 (x64). The exploit is also effective on Google Chrome versions 11.x and 12.x
The Exploit
A user visiting the page is tricked into thinking they are at the correct web page that hosts the exploit which executes a variety of actions that end in downloading the Calculator from a remote location to externally launch it from Google Sandbox.
Technical Details
According to Vupen, the exact details of the breach including the code have not been publicly disclosed and will only be shared with their government customers to prove the effectiveness of their services. The exploit has been noted as one of the most sophisticated codes as it completely bypasses all security features such as ASLR/DEP/Sandbox.
Also, the vulnerability does not crash following the execution of the exploit and it relies on zero-day vulnerabilities found by Vupen Security while working within a Windows system. Chrome is said to be one of the most secure sandboxes in the industry. Vupen is the first to find a reliable method of executing code on a default installation regardless of the security measures.
Chrome Security Features
Chrome was developed with advanced security technologies like Safe Browsing, auto updates and sandboxing to protect its users from malicious activities. Therefore, the browser shows the user a warning message before they visit the website. Meanwhile, the sandbox feature adds protection by eliminating web pages that leave malicious programs on a local computer while monitoring web activities.
The Vupen Team
Furthermore, the software analyzes and patches known flaws and other vulnerabilities. The Vupen Security team is dedicated to uncovering new vulnerabilities across widely used software to assist vendors with the elimination of vulnerabilities resulting in an airtight software program. However, since Vupen is under contract with the vendor, they are never allowed to release the exact technical details found with the security exploit.
Although it was difficult, cracking the Google Chrome web browser will significantly help the company improve security to make it almost impossible for any hacker to develop an exploit. In this situation, Vupen has definitely done their job well by helping the largest search engine company in the world.
