Google Chrome PWNED on Windows, exploit leaps over sandbox/ASLR/DEP - UPDATE

Summary: If you've been using Google Chrome and feeling smug that your browser is immune to being attacked, think again.

If you've been using Google Chrome and feeling smug that your browser is immune to being attacked, think again.

Here's an interesting attack on the browser that not only bypasses the Google Chrome sandbox, but also Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) on Windows.

All that is required is to trick a user into visiting a specially crafted web page hosting the exploit; a number of payloads are then executed silently, with no further user interaction.

[UPDATE: VUPEN now says that this exploit does not rely on a Windows kernel vulnerability. The flaws are in Chrome itself; ASLR and DEP are bypassed by the Chrome exploit rather than defeated by any defect in Windows.]

VUPEN has published a video showing the exploit in action against Chrome on Windows 7 SP1 (video not reproduced here).

Scary stuff, not just because it bypasses the Chrome sandbox, but because it walks through two Windows defense systems to do so.

It's obvious that there are a number of zero-day vulnerabilities at work here.

More details over on VUPEN.

[UPDATE: I have no more information on the exploit here than what's given. I'm assuming that multiple exploits are needed to get past the three layers of defense since it's hard to imagine a single zero-day bypassing the sandbox, ASLR and DEP (although I suppose it could happen).

I have approached Vupen with some questions and will keep you updated.]

[UPDATE 2: There's a fair bit of hyperventilation going on in the TalkBack sections about who or what is to blame here. Is it a Google issue? Is it Microsoft? There's also claims that I'm 'picking' on one multi-billion dollar corporation or another.

Sheesh.

I know as much as you know here, which isn't very much. VUPEN say that this:

- Is a Google Chrome vulnerability
- Does not rely on a Windows kernel vulnerability
- Works on all Windows systems (including 32-bit and 64-bit)
- Relies on undisclosed zero-day vulnerabilities
- Bypasses the sandbox, ASLR and DEP

Given that VUPEN now clearly say that this doesn't rely on a Windows exploit, it's both safe and fair to say that this is a Google problem. And given that this exploit isn't in the wild, there's no need for a Chicken Little reaction.

This isn't about the merits of Windows vs. Mac vs. Linux, or who's to blame, or pledging allegiance to one multi-billion dollar corporation or another. It's about keeping end users safe.]

Topics: Windows, Browser, Google, Microsoft, Operating Systems, Software

Talkback

101 comments
  • A fortress is only as strong as its foundation.

    That's the takeaway from this. It really doesn't matter how "secure" the browser is when the underlying operating system is insecure. Security and modern operating systems seem to be mortal enemies, so another story about another vulnerable piece of software must mean it's Tuesday. Or Wednesday. Or Thursday. Or Friday...
    jasonp@...
    • Except...

      @jasonp@...

      The odds of *3* separate (and difficult-to-defeat) mitigation defenses from two different vendors being penetrated simultaneously is pretty rare.

      And yes, it matters a great deal how secure the browser is because usually the browser is in front of the OS...
      wolf_z
      • Exactly, people were depending on Chrome to keep them safe on Windows.

        No excuses.
        DonnieBoy
      • RE: Google Chrome PWNED on Windows 7, exploit leaps over sandbox/ASLR/DEP

        @DonnieBoy - Ouch, this must hurt a little. That's OK, my wallet thanks you for responding so quickly; just one more from DTS and I hit the trifecta today.
        ItsTheBottomLine
      • RE: Google Chrome PWNED on Windows 7, exploit leaps over sandbox/ASLR/DEP

        @ItsTheBottomLine We all know that DTS will respond. I stake my reputation on it.
        Your Non Advocate
    • RE: Google Chrome PWNED on Windows 7, exploit leaps over sandbox/ASLR/DEP

      @jasonp@...

      Logic fail much?

      The takeaway is that Chrome is not nearly as secure as people have given it credit for.

      A better analogy is a shield that can't withstand a sword blow, when that sword is a celery stick.
      sagec
      • Well, no excuses for Chrome, but, no excuses for Windows 7 either.

        NT.
        DonnieBoy
      • RE: Google Chrome PWNED on Windows 7, exploit leaps over sandbox/ASLR/DEP

        @jacec "no excuses" is the catch-phrase Donnieboy picked up from his emperor Jobs in yesterday's article.

        You're a poor imitation Donnie.
        rtk
      • RE: Google Chrome PWNED on Windows 7, exploit leaps over sandbox/ASLR/DEP

        @jacec The better analogy is that a shield is no defense for flaming arrows when you're standing in gasoline.
        blueskip
    • RE: Google Chrome PWNED on Windows 7, exploit leaps over sandbox/ASLR/DEP

      @jasonp@...

      Based on your comment you should never comment on security again because you have no clue about it.

      Your comment is like saying it doesn't matter how secure the bank vault doors are if the shelves inside the vault are insecure. The browser is the gateway for the attack and because of its usage of Windows features like ASLR and DEP it got into that part of the OS.

      No software or operating system will ever be secure. This is just another case of Chrome increasing in usage and popularity and it becoming a tempting target for attackers.

      Also keep in mind that this is designed to trick a user into visiting the page. This is a very common tactic of attacks today.
      bobiroc
      • More like Chrome had the entrance to the bank covered, and Windows 7 was

        the vault. Both deserve blame.
        DonnieBoy
      • RE: Google Chrome PWNED on Windows 7, exploit leaps over sandbox/ASLR/DEP

        @bobiroc

        Actually, a more fitting analogy would be the browser being the vault door, and the floor of the vault being the OS. I have to agree with him - if the OS isn't secure, it doesn't matter how secure the browser is. Using the bank example, if the floor of the vault is made out of wood, even the strongest steel vault door isn't going to keep thieves out.
        NetAdmin1178
      • RE: Google Chrome PWNED on Windows 7, exploit leaps over sandbox/ASLR/DEP

        @NetAdmin1178

        I see what you are saying, but the question is: does Google Chrome access those parts of Windows for legitimate reasons, and once Chrome got exploited, did it automatically have access to parts of Windows because of it?

        The reason I say that is because similar attacks happen through other 3rd party software for Windows and other Operating systems too such as Java, Flash, Acrobat Reader. Once these programs are installed they gain access to parts of the Operating System to function because they are legit apps. If those apps get exploited it can use that access to exploit the OS.

        It doesn't change the fact that ASLR and DEP are good security measures on their own right.
        bobiroc
      • RE: Google Chrome PWNED on Windows 7, exploit leaps over sandbox/ASLR/DEP

        @bobiroc

        Hmm, no, I've got one! Okay, Chrome is a vault door, right? Okay, so Microsoft is the contractor they outsourced to for the keypad lock, and they put in a keypad that verbally tells passersby the code.
        tkejlboom
    • I call BS here

      @jasonp@...
      How does making excuses for Google and Chrome make it any more secure?

      (Here's a hint - it doesn't!!)
      Bill Pharaoh
    • RE: Google Chrome PWNED on Windows 7, exploit leaps over sandbox/ASLR/DEP

      @jasonp@... Ever ready to jump to the defense of Google. This shows that, not only do they spy on everything you do, but that they are fallible in the software design. One day, all the profiles on billions of people around the world, stored in Google databases, will get leaked. Google remains the world's biggest spynet. Microsoft remains simply inept.
      jorjitop
    • ASLR/DEP not necessarily involved

      @jasonp@... Depending on the Chrome exploit, ASLR and DEP wouldn't even be a factor - throwing them in makes Adrian sound like he knows what he's talking about even though he doesn't.
      archangel9999
  • RE: Google Chrome PWNED on Windows 7, exploit leaps over sandbox/ASLR/DEP

    That was inevitable. It had to happen but Chrome is still the most secure browser out there...period
    shellcodes_coder