Google Chrome hacked with sophisticated exploit


Summary: Security researchers from VUPEN have successfully hacked Google's Chrome browser with a sophisticated exploit that bypasses all security features, including ASLR/DEP and Chrome's heralded sandbox feature.


Security researchers from the French pen-testing firm VUPEN have successfully hacked Google's Chrome browser with what is being described as a sophisticated exploit that bypasses all security features including ASLR/DEP and Chrome's heralded sandbox feature.

VUPEN released a video of the exploit in action to demonstrate a drive-by download attack that successfully launches the calculator app without any user action.

"The exploit shown in this video is one of the most sophisticated codes we have seen and created so far as it bypasses all security features including ASLR/DEP/Sandbox (and without exploiting a Windows kernel vulnerability), it is silent (no crash after executing the payload), it relies on undisclosed (0day) vulnerabilities discovered by VUPEN and it works on all Windows systems (32-bit and x64)," VUPEN said.

VUPEN, which sells vulnerability and exploit information to business and government customers, does not plan to provide technical details of the attack to anyone, including Google.

In the video (see below), the company demonstrates the exploit in action with Google Chrome v11.0.696.65 on Microsoft Windows 7 SP1 (x64). The user is tricked into visiting a specially crafted web page hosting the exploit which executes various payloads to ultimately download the Calculator from a remote location and launch it outside the sandbox (at Medium integrity level).

"While Chrome has one of the most secure sandboxes and has always survived the Pwn2Own contest during the last three years, we have now uncovered a reliable way to execute arbitrary code on any default installation of Chrome despite its sandbox, ASLR and DEP," VUPEN explained.

VUPEN made headlines in March this year when a team of its researchers hacked into Apple's MacBook via a Safari vulnerability to win the CanSecWest PWN2Own contest.



Talkback

67 comments
  • So, the vulnerability only works on the Chrome version for Windows?

    It must be the combination of a bug in Chrome, along with the way that they implemented the sandbox on Windows?
    DonnieBoy
  • RE: Google Chrome hacked with sophisticated exploit

    I understand they sell their "vulnerability" data but until it is verified by a third party, it's my junk is bigger than your junk talk.

    I'd like to see how they did it if it is a true exploit.
    yzfdude1@...
  • RE: Google Chrome hacked with sophisticated exploit

    You still have to click on a compromised website. Stick to web addresses you know to be safe and stop clicking links and it will not affect you.
    bruiser2
    • RE: Google Chrome hacked with sophisticated exploit

      @bruiser2 And of course nobody ever got re-directed to a compromised page by going someplace safe due to compromised ads. Sure. Safe today, compromised tomorrow. Welcome to the new paradigm.
      xelan
      • RE: Google Chrome hacked with sophisticated exploit

        Welcome to AdBlock Plus + Sandboxie. While ad-block will stop any ads from even showing up (let alone exploiting your browser), Sandboxie has kernel based protection that will stop anything, including drive-by-downloads, from getting through it. Also, please give a big welcome to... disabling and/or whitelisting Java and Flash! With those disabled plus doing the rest, you're not going to get compromised anytime soon. And even then, Google's malware detection web service will stop you from going anywhere that can exploit the browser. So yes, maybe you can exploit Google Chrome, but not without Google intervening first.
        Aled J
    • Ludicrous suggestion.

      @bruiser2
      Stick to web addresses you know? Seriously. In other words, don't click on anything that will take you to a web address you have never been to before? Or perhaps, do some research on the specific web address you are being suggested to go to so you can verify it's legit? And don't forget to do that research through only websites you know are safe?

      And for heaven's sake, don't stop there!!! As the other poster mentioned, you might reasonably think you're going to a familiar and trusted website but you could ALWAYS be getting redirected through any number of means, so always keep a list of verified web addresses handy so you can instantly cross-check the web address popping up to be sure it's the real one and not a redirection to a phishing scam!

      Is this suggestion for real? Nobody has the time or energy for that nonsense. The fact is that even completely legitimate websites can get compromised for periods of time by sophisticated hackers, so how in the world can such a suggestion even be taken seriously?

      The sheer notion of not entering new and unproven websites would pretty much grind the expansion of the web to a halt. The bottom line is bruiser2's suggestion of "Stick to web addresses you know to be safe and stop clicking links and it will not effect you" is as plain ludicrous as it gets. You might as well say the proper way to avoid food poisoning is to never put anything in your mouth that you haven't already verified somehow as being safe to eat. And obviously for a plate of food, just like a website, the fact that you have had this before doesn't mean today's dish is safe any more than the website is safe just because it was before. I guess we all need "site testers" just like the kings of old had "food testers". A live-in sucker to take the hit first if something goes sideways.

      It's just further proof in the absolute that no browser or OS is so safe it can't be exploited in an effective way by a determined hacker.

      One thought to leave with those who in their heart of hearts believe otherwise. Do you really think that if the whole world suddenly went Linux for example that the hackers would fold their tents and have to get legitimate jobs? Do you think they would throw up their arms in disgust and say "you win, we give up!"

      No sir. Necessity is the mother of invention and it would be every bit as true even if the whole world only used Linux. The hackers would find it necessary to invent anew and as such, if you don't understand that they would invent anew and would have some success then you simply fail to understand how the world works.

      Either it's possible or it's impossible, and if it's possible someone will figure out how to do it then teach others just the same. As humans we have spent many a millennium proving that to be a fact of life, so live with it.
      Cayble
      • RE: Google Chrome hacked with sophisticated exploit

        @Cayble This isn't really that hard to do. I have made it a habit to do a text-based curl just to read the page and look for redirects to Latvia, for example. The list of new websites most people visit that weren't recommended or sent by a verifiable source should be pretty small these days. Before you go all troll on me, yes it is still possible.
        Keegan2149
      • RE: Google Chrome hacked with sophisticated exploit

        @Keegan2149

        Does your text-based curl detect DNS result poisoning? I did a proof of concept in a class lab demonstrating it is possible to poison the results of an ad to give the drive-by effect on a "known safe" page, simply because that page happened to have an ad in it.
        erik.soderquist
    • RE: Google Chrome hacked with sophisticated exploit

      @bruiser2
      The point is that a sandbox should protect the user against "compromised websites".
      "Sticking on known addresses" means "no browsing at all".
      Following your line we should reach security by turning off all computers, nailing our windows and doors, and eventually doing absolutely nothing. Don't breathe, air could be polluted...
      Chrome failed, and that's all.
      Maurizio Albera
    • RE: Google Chrome hacked with sophisticated exploit

      @bruiser2 "Stick to web addresses you know ... and stop cliking[sic] links and it will not effect you."

      What about the ad networks? How many of those do you know? Maybe two? Four at most? It's best to find a method to block content from suspected or known malware sites, and there are several reputable ones. One I use regularly is MVPS.org's HOSTS file (links are http://www.mvps.org/winhelp2002/hosts.htm and http://www.mvps.org/winhelp2002/hosts.zip).

      And the HOSTS file itself can be used in almost all OSes, not just Windows.
      Raymond Danner
      • RE: Google Chrome hacked with sophisticated exploit

        @Raymond Danner

        Actually, Windows does have a hosts file; on 32-bit systems it is located at

        %windir%\system32\drivers\etc\hosts

        and it works just like you would expect a hosts file to work.

        It pays to remember that Microsoft copied the BSD TCP/IP stack to get Windows into the TCP/IP world.
        erik.soderquist
      • RE: Google Chrome hacked with sophisticated exploit

        "And the HOSTS file itself can be used in almost all OSes, not just Windows."

        "actually Windows does have a hosts file..."

        gud readin comprehenshun!
        ALISON SMOCK
  • RE: Google Chrome hacked with sophisticated exploit

    By "VUPEN ... does not plan to provide technical details of the attack to anyone, including Google", I assume you mean unless Google agrees to pay a large sum for the information. Yes? Not much point in their doing it, otherwise.
    justin.donie@...
    • RE: Google Chrome hacked with sophisticated exploit

      @justin.donie@... Agreed. This sounds to me like a mild form of extortion. "We just hacked your browser, now we'd like you to pay us to show you how we did it."

      Also, to those saying "don't click on links you don't recognize", this is an argument for a service like OpenDNS or a web proxy service, that would screen potentially dangerous content/domains from the hapless user. Of course, they have to find out about it, first...
      dcnblues
      • RE: Google Chrome hacked with sophisticated exploit

        It's not extortion since they don't plan to use it against them if they don't pay up. There's no threat or force here (not even potential bad PR for not paying up; only the technically ignorant would accuse Google of putting users at risk by not paying). The fact that there's an undisclosed exploit out there by itself doesn't mean anything. The fact that it's software means that's obvious.
        ALISON SMOCK
  • RE: Google Chrome hacked with sophisticated exploit

    VUPEN exposes the 'researcher' network for what it is.

    Interested in attention and its own profits only.
    Narr vi
    • RE: Google Chrome hacked with sophisticated exploit

      @Narr vi

      What's wrong with getting paid for your work?
      crashonhead
      • RE: Google Chrome hacked with sophisticated exploit

        @crashonhead Agreed. It isn't as if these researchers are independently wealthy and doing this out of the kindness of their hearts.
        xelan
    • Well...Ha!

      @Narr vi
      Yeah, I guess police, doctors, politicians, lawyers, ambulance drivers, teachers, nurses, and just about anyone else who provides a useful service are all bums because they are out to earn a living as opposed to providing their expertise for free.

      Face it, these guys did some heavy lifting in the research department in looking for exploits and they found a slick one. Killing the messenger who wants to be paid for the news he is delivering is usually the backwards way of thinking in any society that would like to progress and improve.
      Cayble
      • RE: Google Chrome hacked with sophisticated exploit

        @Cayble et al,

        Guys, the key is in this quote from the original post:

        "VUPEN, which sells vulnerability and exploit information to business and government customers, does not plan to provide technical details of the attack to anyone, including Google"

        Getting paid is reasonable, and happens. However, the apparently extortionate manner of it is not.

        Or call it straight destructive, perhaps in some kind of foot-stamping about something-or-other one might guess, if the quote is completely accurate about not providing the information under any circumstance.

        Sensible, capable people negotiate sensible, capable terms.
        Narr vi