Hardware 2.0

Adrian Kingsley-Hughes

Google Chrome PWNED on Windows, exploit leaps over sandbox/ASLR/DEP - UPDATE

By Adrian Kingsley-Hughes | May 10, 2011, 5:13am PDT

Summary: If you’ve been using Google Chrome and feeling smug that your browser is immune to being attacked, think again.

Here’s an interesting hack attack on the browser that not only bypasses the Google Chrome sandbox, but also Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) on Windows.

All that is required is to trick a user into visiting a specially crafted web page hosting the exploit, and a number of payloads will be executed silently with no user interaction.

[UPDATE: VUPEN now says that this exploit does not rely on a Windows kernel exploit, so ASLR and DEP are secure.]

Here’s a video that shows the sophisticated exploit in action (the video below shows Chrome on Windows 7 SP1 being PWNED):

Scary stuff, not just because it bypasses the Chrome sandbox, but because it walks through two Windows defense systems to do so.

It’s obvious that there are a number of zero-day vulnerabilities at work here.

More details over on VUPEN.

[UPDATE: I have no more information on the exploit here than what's given. I'm assuming that multiple exploits are needed to get past the three layers of defense since it's hard to imagine a single zero-day bypassing the sandbox, ASLR and DEP (although I suppose it could happen).

I have approached Vupen with some questions and will keep you updated.]

[UPDATE 2: There's a fair bit of hyperventilation going on in the TalkBack sections about who or what is to blame here. Is it a Google issue? Is it Microsoft? There are also claims that I'm 'picking' on one multi-billion dollar corporation or another.

Sheesh.

I know as much as you know here, which isn't very much. VUPEN say that this:

- Is a Google Chrome vulnerability
- Does not rely on a Windows kernel vulnerability
- Works on all Windows systems (including 32-bit and 64-bit)
- Relies on undisclosed zero-day vulnerabilities
- Bypasses the sandbox, ASLR and DEP

Given that VUPEN now clearly say that this doesn't rely on a Windows exploit, it's both safe and fair to say that this is a Google problem. And given that this exploit isn't in the wild, there's no need for a Chicken Little reaction.

This isn't about the merits of Windows vs. Mac vs. Linux, or who's to blame, or pledging allegiance to one multi-billion dollar corporation or another. It's about keeping end users safe.]

Disclosure

Adrian Kingsley-Hughes

All opinions expressed on Hardware 2.0 are those of Adrian Kingsley-Hughes. Every effort is made to ensure that the information posted is accurate. If you have any comments, queries or corrections, please contact Adrian via the email link here. Any possible conflicts of interest will be posted below. [Updated: February 23, 2010] - Adrian Kingsley-Hughes has no business relationships, affiliations, investments, or other actual/potential conflicts of interest relating to the content posted so far on this blog.

Biography

Adrian Kingsley-Hughes

Adrian Kingsley-Hughes is an internationally published technology author who has devoted over a decade to helping users get the most from technology -- whether that be by learning to program, building a PC from a pile of parts, or helping them get the most from their new MP3 player or digital camera.

Adrian has authored/co-authored technical books on a variety of topics, ranging from programming to building and maintaining PCs. His most recent books include "Build the Ultimate Custom PC", "Beginning Programming" and "The PC Doctor's Fix It Yourself Guide". He has also written training manuals that have been used by a number of Fortune 500 companies.

Adrian also runs a popular blog under the name The PC Doctor, where he covers a range of computer-related topics -- from security to repairing and upgrading.

101 Comments

RE: Google Chrome PWNED on Windows 7, exploit leaps over sandbox/ASLR/DEP
Scarface Claw 12th May 2011
What man can make, man can break.
That's the takeaway from this. It really doesn't matter how "secure" the browser is when the underlying operating system is insecure. Security and modern operating systems seem to be mortal enemies, so another story about another vulnerable piece of software must mean it's Tuesday. Or Wednesday. Or Thursday. Or Friday...
Except...
wolf_z 10th May 2011
@jasonp@...

The odds of *3* separate (and difficult-to-defeat) mitigation defenses from two different vendors being penetrated simultaneously is pretty rare.

And yes, it matters a great deal how secure the browser is because usually the browser is in front of the OS...
@DonnieBoy - Ouch this must hurt a little. That's OK my wallet thanks for responding so quickly, just one more from DTS and I hit the trifecta today.
@ItsTheBottomLine We all know that DTS will respond. I stake my reputation on it.
@jasonp@...

Logic fail much?

The takeaway is that Chrome is not nearly as secure as people have given it credit for.

A better analogy is a shield that can't withstand a sword blow, when that sword is a celery stick.
@jacec "no excuses" is the catch-phrase Donnieboy picked up from his emperor Jobs in yesterday's article.

You're a poor imitation Donnie.
@jacec The better analogy is that a shield is no defense for flaming arrows when you're standing in gasoline.
@jasonp@...

Based on your comment you should never comment on security again because you have no clue about it.

Your comment is like saying it doesn't matter how secure the bank vault doors are if the shelves inside the vault are insecure. The browser is the gateway for the attack and because of its usage of Windows features like ASLR and DEP it got into that part of the OS.

No software or operating system will ever be secure. This is just another case of Chrome increasing in usage and popularity and it becoming a tempting target for attackers.

Also keep in mind that this is designed to trick a user into visiting the page. This is a very common tactic of attacks today.
the vault. Both deserve blame.
@bobiroc

Actually, a more fitting analogy would be the browser being the vault door, and the floor of the vault being the OS. I have to agree with him - if the OS isn't secure, it doesn't matter how secure the browser is. Using the bank example, if the floor of the vault is made out of wood, even the strongest steel vault door isn't going to keep thieves out.
@NetAdmin1178

I see what you are saying but the question is does Google Chrome access those parts of Windows for legitimate reasons and once Chrome got exploited it automatically had access to parts of Windows because of it.

The reason I say that is because similar attacks happen through other 3rd party software for Windows and other Operating systems too such as Java, Flash, Acrobat Reader. Once these programs are installed they gain access to parts of the Operating System to function because they are legit apps. If those apps get exploited it can use that access to exploit the OS.

It doesn't change the fact that ASLR and DEP are good security measures in their own right.
@bobiroc

Hmm, no I got one! Okay, Chrome is a vault door, right? Okay, so Microsoft is the contractor they outsourced to for the keypad lock, and they put in a keypad that verbally tells passersby the code.
I call BS here
Bill Pharaoh 10th May 2011
@jasonp@...
How does making excuses for Google and Chrome make it any more secure.

(here's a hint - It doesn't!!)
@jasonp@... Ever ready to jump to the defense of Google. This shows that, not only do they spy on everything you do, but that they are fallible in the software design. One day, all the profiles on billions of people around the world, stored in Google databases, will get leaked. Google remains the world's biggest spynet. Microsoft remains simply inept.
ASLR/DEP not necessarily involved
archangel9999 11th May 2011
@jasonp@... Depending on the Chrome exploit - ASLR and DEP wouldn't even be a factor - throwing them in makes Adrian sound like he knows what he's talking about even though he doesn't
That was inevitable. It had to happen but Chrome is still the most secure browser out there...period
Did you forget to read the article?
Mr. Dee 10th May 2011
@shellcodes_coder Chrome has been pwned, that obviously means it's not secure.
Did you forget to read the comment?
use_what_works_4_U 10th May 2011
@Mr. Dee
He didn't say it was *secure*, in fact he said an exploit "was inevitable".

What he said was that Chrome is the "most secure", which may or may not be true. I tend to think that Chrome is more secure than some alternatives, but the real takeaway is that complacency = vulnerability and no system will ever be 100% secure.
@Mr. Dee LMAO
Just talking about how Google was still at fault even if Windows 7 was partly to blame.
@bmonsterman - OUCH but yeah there is one, however it's not very flattering.
@Dietrich T. Schmitz --- Your Linux Advocate - Cha-Ching right on schedule - wow that was easy.
Woah, that's not good for Google at all. They already have a tarnished rep and having an exploitable Chrome isn't helping that at all.
Macadam
rawkusx 10th May 2011
The only 100% secure system is the box that's turned off.
inherently insecure.
Didn't you mean?
blueskip 10th May 2011
Windows 7 PWNED using Google Chrome, exploit leaps over sandbox/ASLR/DEP easily penetrates OS
@blueskip Sounds like an Architectural weakness in Win 7. Chrome will need something to make this harder to do in future.
How come nobody here is addressing the real security issue, the person who clicked on the link to the page with the problem?
@FlyingsCool
Exactly. Too easy to trade OS and browser punches. Rather amusing.
@FlyingsCool LMAO, as usual, the problem has and will always be between the keyboard and the chair
Well just goes to show, they all have them. DTS and Donnie, will have problem excuses and "expert" comments. Should be fun to read.
Try opening a thread with an actual thought as opposed to being reactionary
Dietrich T. Schmitz --- Your Linux Advocate 10th May 2011
@ItsTheBottomLine
nt
Oh how much I love my Linux, been running it since 2002 without a single problem. Microsoft will have to change the whole kernel before there is any security, sorta like building a skyscraper on an outhouse foundation
@jestewart1

Hey moron, if you didn't know, MS actually rewrote the kernel from scratch for Vista and 7. Just a thought.