Vupen Security demonstrates sophisticated Google Chrome hack

By on May 10, 2011, 6:39 PM

Google Chrome has earned a reputation for rock-solid security. While Internet Explorer, Safari and Firefox are regularly compromised during the annual Pwn2Own hacking contest, Chrome has always survived unscathed. In fact, Google tried to attract some heavy hitters this year with a record $20,000 bounty for escaping the browser's sandbox -- no one even bothered to try. Despite Chrome's impeccable track record, a French security firm reminds us today that no software is bulletproof.

Vupen Security reports that it has officially "pwned" Google Chrome's sandbox. In the video below (no sound), the company demonstrates a previously unknown vulnerability that can be used to bypass all of the security mechanisms present in the latest version of Chrome (11.0.695.65) running on Windows 7 SP1 x64. In the clip, Vupen visits a specially crafted webpage whose malicious code sidesteps the sandbox, ASLR and DEP to remotely download and execute software at medium integrity level.

Vupen considers the exploit to be one of the most sophisticated it's seen, not only because it bypasses the aforementioned security measures, but because it does so without the browser crashing. With the example shown, an attacker could essentially gain control of your system without you even knowing about it. Since the flaw is unknown and unpublished, there's no immediate threat, but Vupen is reportedly withholding the information from Google, so it's unclear when a fix will come.




User Comments: 28

Lionvibez said:

Firefox with Noscript FTW!!

Win7Dev said:

The video doesn't show a whole lot. FF4 is secure enough for me. All you have to do is compile it yourself and make sure script is disabled permanently *evil laugh*

gwailo247, TechSpot Chancellor, said:

Yeah, the lack of NoScript is a dealbreaker for me. I don't trust any web site's promises, I only enable enough scripts to get the page working. White lists, trusted sites, etc, sorry, faith in those has been gone for quite a while.

Guest said:

I could not agree with the above posters more. The lack of NoScript is THE dealbreaker for me. I know about NotScript, but it just doesn't cut it compared to NoScript. When Chrome gets NoScript and the tracker option, I will use Chrome, but until then it's FF4 all of the way.

stewi0001 said:

Next they will make a video of them teleporting between all the google offices and saying that they have been pwned!

Zecias said:

dunno why you guys are complaining about chrome's security; i've never had any problems with it.

insect said:

Umm, you can open the calculator with a keyboard shortcut. This doesn't prove anything other than someone can do a little trickery. I think it's just to get their name out there with a viral video. If they were truly a security company they would disclose this to Google ASAP.

Also... really?! First Chrome "hack" ever and all the FF fanboys come out in droves despite the once per week hacks of FF. Really? That insecure about your browser?

captaincranky, TechSpot Addict, said:

Also... really?! First Chrome "hack" ever and all the FF fanboys come out in droves despite the once per week hacks of FF. Really? That insecure about your browser?
So then, I suppose you're not a Google fanboi? The first sign of anything is denying it, and a close second is accusing others of it. Please continue using Chrome, with my blessing. That way, Google will have its corporate nose up your a**, instead of mine.

And BTW, you don't have to hack Chrome, it's got the spyware built in. Googleupdate.exe, Googleanalytics, don't you just feel all warm and fuzzy with Google watching over you all the time?

lawfer, TechSpot Paladin, said:

captaincranky said:

Also... really?! First Chrome "hack" ever and all the FF fanboys come out in droves despite the once per week hacks of FF. Really? That insecure about your browser?
So then, I suppose you're not a Google fanboi? The first sign of anything is denying it, and a close second is accusing others of it. Please continue using Chrome, with my blessing. That way, Google will have its corporate nose up your a**, instead of mine.

And BTW, you don't have to hack Chrome, it's got the spyware built in. Googleupdate.exe, Googleanalytics, don't you just feel all warm and fuzzy with Google watching over you all the time?

Oh yes he loves the warmth and the fuzziness. And dear lord, couldn't his username be any more appropriate?

Guest said:

Heck I could reproduce that video.

Step 1: Install apache

Step 2: Create html page that says "Chrome getting pwned"

Step 3: Launch Chrome

Step 4: Go to local html page

Step 5: Press the calculator key on my keyboard

That doesn't prove any exploit whatsoever. Show tits or gtfo.

gwailo247, TechSpot Chancellor, said:

insect said:

Also... really?! First Chrome "hack" ever and all the FF fanboys come out in droves despite the once per week hacks of FF. Really? That insecure about your browser?

Actually I would really like to use Chrome as my primary, I prefer its aesthetics and functionality to FireFox. But it doesn't have NoScript, which is pretty much what all us "fanboys" said about it.

These days you have to worry about what companies do legally on the web as much as you have to worry about criminals.

Lurker101 said:

I'm calling bullshit on that video. There's nothing in that video that can't be reproduced without an exploit.

slamscaper said:

Yep, using FF and NoScript is the most reliable way to browse safely. I can't say enough good things about this add-on. It saves me headaches. When I want to get even bolder with my browsing habits, I launch my VM and have at it like there's no tomorrow.

insect said:

captaincranky said:

So then, I suppose you're not a Google fanboi? The first sign of anything is denying it, and a close second is accusing others of it. Please continue using Chrome, with my blessing. That way, Google will have its corporate nose up your a**, instead of mine.

And BTW, you don't have to hack Chrome, it's got the spyware built in. Googleupdate.exe, Googleanalytics, don't you just feel all warm and fuzzy with Google watching over you all the time?

I actually like IE9, FF, and Chrome. They all have the same basic functionality and features. But I'd rather have Google making me feel warm and fuzzy than a script-kiddie making me miserable. I was just pointing out the irony of the first four posts being about people saying how FF was somehow "better" cause Chrome got "hacked" once, which as others and I are pointing out appears to be BS.

stewi0001 said:

Guest said:

Heck I could reproduce that video.

Step 1: Install apache

Step 2: Create html page that says "Chrome getting pwned"

Step 3: Launch Chrome

Step 4: Go to local html page

Step 5: Press the calculator key on my keyboard

That doesn't prove any exploit whatsoever. Show tits or gtfo.

sorry Guest but you failed to reproduce it because you need a mouse to slowly glide over the calculator buttons XD

tonylukac said:

I dunno, but websites simply don't render without JavaScript. Don't you have to disable Java anyway to be really safe, or does NoScript do this?

fpsgamerJR62 said:

One instance of an alleged successful exploit isn't enough for me to dump Chrome in favor of any of the other 4 browsers installed on my PC. Until such time that Vupen Security discloses to Google the full details of the exploit, the company cannot escape the suspicion that the video was no more than a publicity stunt.

Guest said:

What is with all these people who make assumptions without knowing (a simple google search would have found the Chrome alternative).

CHROME HAS NOSCRIPT! It is called NotScripts.

LNCPapa said:

Guest, please read the rest of the thread before making angry posts about the posts you've made it to.

gwailo247, TechSpot Chancellor, said:

insect said:

I was just pointing out the irony of the first four posts being about people saying how FF was somehow "better" cause Chrome got "hacked" once, which as others and I are pointing out appears to be BS.

You don't really appear to understand how NoScript works. FireFox isn't better, NoScript is better. Since Chrome doesn't have NoScript, I use FireFox. You don't really seem to understand the concept of irony either.

Guest said:

gwailo247 nailed it.

Also, for those using Firefox and want additional privacy add-ons, I recommend Ghostery and Better Privacy. Honestly, I do prefer Chrome, I'm not a Firefox fanboy. I'm a little concerned however that Chrome is the only major browser who still hasn't implemented a "Do Not Track" header. Hell, even Safari & IE9 have it! Anyways, once NoScript (not NotScript) is ported to Chrome and they add a "Do Not Track" header, I'll use Chrome from here on out.

--The same Guest who posted the 4th comment.

insect said:

gwailo247 said:

insect said:

I was just pointing out the irony of the first four posts being about people saying how FF was somehow "better" cause Chrome got "hacked" once, which as others and I are pointing out appears to be BS.

You don't really appear to understand how NoScript works. FireFox isn't better, NoScript is better. Since Chrome doesn't have NoScript, I use FireFox. You don't really seem to understand the concept of irony either.

Why get more add-ons to do the work Chrome already does for you? Run in a sandbox and who cares if a script tries something malicious. Just close the sandbox instance (i.e., tab).

Guest said:

Anyone else see how one of the icons in the bottom right-hand corner disappeared after the browser had been "pwnd"? Just seems kind of weird to me.

Chazz said:

I guess Chrome has the "Apple effect" on its users. This isn't the first exploit Chrome has had and it won't be the last. Chrome has very good security but holes are being patched constantly, they just aren't as vocal about it as other companies are.

And if I recall correctly, Google patched Chrome the day of Pwn2Own, which is the reason no one even attempted to hack it. I don't think the other browsers did that. That's kind of cheating.

madboyv1, TechSpot Paladin, said:

insect said:

Run in a sandbox and who cares if a script tries something malicious. Just close the sandbox instance (i.e., tab).

Except if this vulnerability is real (I phrase it this way because people are questioning the legitimacy of this hack), then the malicious page circumvents that sandbox you're so ready to hide behind as well as other security features, all without crashing the browser or otherwise immediately alerting the user. You wouldn't HAVE the chance to close the tab since if you would find out after it was too late.

Just sayin'.

Guest said:

LNCPapa: What is read?

gwailo247, TechSpot Chancellor, said:

insect said:

Why get more add-ons to do the work Chrome already does for you? Run in a sandbox and who cares if a script tries something malicious. Just close the sandbox instance (i.e., tab).

Nevermind. Chrome on buddy.

doradhorror said:

Guest said:

What is with all these people who make assumptions without knowing (a simple google search would have found the Chrome alternative).

CHROME HAS NOSCRIPT! It is called NotScripts.

[link]

Notscript is nothing compared to Noscript
