Security Firm Claims to Hack Chrome, Refuses to Share Information
The Chrome browser has survived three years in the Pwn2Own competition it has fallen to the French security firm VUPEN. The hack takes advantage of so-called “0-day” vulnerabilities in the Windows operating system and could allow nefarious types to download and execute code within the browser. So far, the hack only seems possible on Windows computers.
From the VUPEN website:
The exploit shown in this video is one of the most sophisticated codes we have seen and created so far as it bypasses all security features including ASLR/DEP/Sandbox (and without exploiting a Windows kernel vulnerability), it is silent (no crash after executing the payload), it relies on undisclosed (0day) vulnerabilities discovered by VUPEN and it works on all Windows systems (32-bit and x64).
The video shows the exploit in action with Google Chrome v11.0.696.65 on Microsoft Windows 7 SP1 (x64). The user is tricked into visiting a specially crafted web page hosting the exploit which will execute various payloads to ultimately download the Calculator from a remote location and launch it outside the sandbox (at Medium integrity level).
Despite Google offering a hefty bounty for bugs in Chrome, VUPEN has decided opted to keep their information for themselves. Instead, they say that the information will be shared with “government customers for defensive and offensive security.” The company has also said that they are not aware of anyway to guard against these attacks. Despite the news, the Krebs on Security blog points out that the browser is still comparably secure, as the hack requires users to have two separate vulnerabilities, whereas Explorer and Firefox can be hacked with just one vulnerability.
Below is a video of a VUPEN employee using the Chrome exploit to download and run an executable file, in this case MS Calculator.