Vupen Security Pawns Google Chrome
Article by George Norman
On 12 May 2011
Google Chrome web browser has made a name for itself by being one of, if not the fastest browser on the market today. The browser also made a name for itself by offering a properly good level of security; what I mean by that is that for the past three years it survived the Pwn2Own contest, computer hacking contest held at the annual CanSecWest security conference, beginning in 2007 and sponsored by TippingPoint.

Chrome’s restrictive sandbox and other security measures meant that Pwn2own contestants could not pwn the browser. They could pwn other browsers, like Microsoft’s Internet Explorer, Apple’s Safari or Mozilla’s Firefox, but not Google’s Chrome.

Advertising

The news is that Chrome’s reputation of being unpwnable has been broken by Vupen Security, world leader in vulnerability research for defensive and offensive security. Vupen announced that it pwned Chrome, that it came up with a sophisticated exploit, the most sophisticated one Vupen has ever come up with, exploit that bypasses Chrome’s sandbox and other security features, including DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization).

Vupen explained that the exploit it came up with does not exploit a Windows kernel vulnerability; it exploits an undisclosed 0-day vulnerability discovered by Vupen, vulnerability that works on all 32-bit and 64-bit Windows systems. The exploit is silent, there’s no crash after executing the payload; it works on Chrome 11.X and 12.X.

“We are (un)happy to announce that we have officially Pwned Google Chrome and its sandbox,” said Vupen. “While Chrome has one of the most secure sandboxes and has always survived the Pwn2Own contest during the last three years, we have now uncovered a reliable way to execute arbitrary code on any default installation of Chrome despite its sandbox, ASLR and DEP.”

A video that presents the Vupen-uncovered exploit in action is available on YouTube here.
In the video a user of Chrome 11.0.696.65 on Windows 7 SP1 is tricked into visiting a malicious website that hosts Vupen’s exploit. The exploit code downloads a Calculator program from a remote location and launches it outside Chrome’s sandbox.



Tags: Google, Chrome, Security
About the author: George Norman
George is a news editor.
You can follow him on Google+, Facebook or Twitter

I Hope you LIKE this blog post! Thank you!
What do YOU have to say about this
blog comments powered by Disqus
Popular News
By George Norman on 24 Jul 2017
As someone who has been using Firefox day-to-day for a very – VERY – long time, I’ve grown to know a lot about Mozilla’s web browser. As such, I thought it a good idea to share part of my knowledge with you and highlight 10 tips & tricks that I’m sure you’ll find very useful.
By George Norman on 21 Jul 2017
Firefox Focus for Android, the ad-blocking browser that Mozilla rolled out back in June, has reached a very important milestone: 1 million downloads. To celebrate this joyous occasion, Mozilla decided to update the browser and add 3 features that people had been asking for.
Related News
By George Norman on 20 Mar 2017
Google Chrome, the web browser that has more than 1 billion users and loads more than 771 billion pages each month, is best known for its minimal interface, lightning fast speed, and wealth of settings. Hidden among them are...
By George Norman on 03 Apr 2017
Any other day of the year, Google is a serious and focused company that doesn’t mess around. But on April 1st, all seriousness goes out the window and Google shows that it has a fun side and that it loves to pull pranks.
By George Norman on 05 May 2017
There’s only so much that Incognito (or Private Browsing) mode can do to protect your privacy. While it does protect part of it, it leaves other areas uncovered. You aren’t protected against...
By George Norman on 27 Mar 2017
Your web browser will remember every website you visited, everything you’ve downloaded, everything you’ve searched for, and more. This is private information that you might not want the browser to remember, especially if you take your privacy seriously.
Sponsored Links
Hot Software Updates
Top Downloads
Become A Fan!
Link To Us!
Vupen Security Pawns Google Chrome
HTML Linking Code