Vupen Security demonstrates sophisticated Google Chrome hack

Matthew DeCarlo


Google Chrome has earned a reputation for rock-solid security. While Internet Explorer, Safari and Firefox are regularly compromised during the annual Pwn2Own hacking contest, Chrome has always survived unscathed. In fact, Google tried to attract some heavy hitters this year with a record $20,000 bounty for escaping the browser's sandbox -- no one even bothered to try. Despite Chrome's impeccable track record, a French security firm reminds us today that no software is bulletproof.

Vupen Security reports that it has officially "pwned" Google Chrome's sandbox. In the video below (no sound), the company demonstrates a previously unknown vulnerability that can be used to bypass all of the security mechanisms present in the latest version of Chrome (11.0.695.65) running on Windows 7 SP1 x64. In the clip, Vupen visits a specially crafted webpage whose malicious code sidesteps the sandbox, ASLR and DEP to remotely download and execute software at medium integrity level.

Vupen considers the exploit to be one of the most sophisticated it's seen, not only because it bypasses the aforementioned security measures, but because it does so without the browser crashing. With the example shown, an attacker could essentially gain control of your system without you even knowing about it. Since the flaw is unknown and unpublished, there's no immediate threat, but Vupen is reportedly withholding the information from Google, so it's unclear when a fix will come.


 
The video doesn't show a whole lot. FF4 is secure enough for me. All you have to do is compile it yourself and make sure script is disabled permanently *evil laugh*
 
Yeah, the lack of NoScript is a dealbreaker for me. I don't trust any web site's promises, I only enable enough scripts to get the page working. White lists, trusted sites, etc, sorry, faith in those has been gone for quite a while.
 
I could not agree with the above posters more. The lack of NoScript is THE dealbreaker for me. I know about NotScript, but it just doesn't cut it compared to NoScript. When Chrome gets NoScript and the tracker option, I will use Chrome, but until then it's FF4 all of the way.
 
dunno why you guys are complaining about chrome's security; i've never had any problems with it.
 
Umm, you can open the calculator with a keyboard shortcut. This doesn't prove anything other than someone can do a little trickery. I think it's just to get their name out there with a viral video. If they were truly a security company they would disclose this to Google ASAP.

Also... really?! First Chrome "hack" ever and all the FF fanboys come out in droves despite the once per week hacks of FF. Really? That insecure about your browser?
 
Also... really?! First Chrome "hack" ever and all the FF fanboys come out in droves despite the once per week hacks of FF. Really? That insecure about your browser?
So then, I suppose you're not a Google fanboi? The first sign of anything is denying it, and a close second is accusing others of it. Please continue using Chrome, with my blessing. That way, Google will have its corporate nose up your a**, instead of mine.

And BTW, you don't have to hack Chrome, it's got the spyware built in. Googleupdate.exe, Googleanalytics, don't you just feel all warm and fuzzy with Google watching over you all the time?
 
captaincranky said:
Also... really?! First Chrome "hack" ever and all the FF fanboys come out in droves despite the once per week hacks of FF. Really? That insecure about your browser?
So then, I suppose you're not a Google fanboi? The first sign of anything is denying it, and a close second is accusing others of it. Please continue using Chrome, with my blessing. That way, Google will have its corporate nose up your a**, instead of mine.

And BTW, you don't have to hack Chrome, it's got the spyware built in. Googleupdate.exe, Googleanalytics, don't you just feel all warm and fuzzy with Google watching over you all the time?

Oh yes he loves the warmth and the fuzziness. And dear lord, couldn't his username be any more appropriate?
 
Heck I could reproduce that video.

Step 1: Install apache
Step 2: Create html page that says "Chrome getting pwned"
Step 3: Launch Chrome
Step 4: Go to local html page
Step 5: Press the calculator key on my keyboard

That doesn't prove any exploit whatsoever. Show tits or gtfo.
 
insect said:
Also... really?! First Chrome "hack" ever and all the FF fanboys come out in droves despite the once per week hacks of FF. Really? That insecure about your browser?

Actually I would really like to use Chrome as my primary, I prefer its aesthetics and functionality to Firefox. But it doesn't have NoScript, which is pretty much what all us "fanboys" said about it.

These days you have to worry about what companies do legally on the web as much as you have to worry about criminals.
 
I'm calling bullshit on that video. There's nothing in that video that can't be reproduced without an exploit.
 
Yep, using FF and NoScript is the most reliable way to browse safely. I can't say enough good things about this add-on. It saves me headaches. When I want to get even bolder with my browsing habits, I launch my VM and have at it like there's no tomorrow.
 
captaincranky said:
So then, I suppose you're not a Google fanboi? The first sign of anything is denying it, and a close second is accusing others of it. Please continue using Chrome, with my blessing. That way, Google will have its corporate nose up your a**, instead of mine.

And BTW, you don't have to hack Chrome, it's got the spyware built in. Googleupdate.exe, Googleanalytics, don't you just feel all warm and fuzzy with Google watching over you all the time?

I actually like IE9, FF, and Chrome. They all have the same basic functionality and features. But I'd rather have Google making me feel warm and fuzzy than a script-kiddie making me miserable. I was just pointing out the irony of the first four posts being about people saying how FF was somehow "better" cause Chrome got "hacked" once, which as others and I are pointing out appears to be BS.
 
Guest said:
Heck I could reproduce that video.

Step 1: Install apache
Step 2: Create html page that says "Chrome getting pwned"
Step 3: Launch Chrome
Step 4: Go to local html page
Step 5: Press the calculator key on my keyboard

That doesn't prove any exploit whatsoever. Show tits or gtfo.

sorry Guest but you failed to reproduce it because you need a mouse to slowly glide over the calculator buttons XD
 
I dunno, but websites simply don't render without javascript. Don't you have to disable java anyway to be really safe, or does noscript do this?
 
One instance of an alleged successful exploit isn't enough for me to dump Chrome in favor of any of the other 4 browsers installed on my PC. Until such time that Vupen Security discloses to Google the full details of the exploit, the company cannot escape the suspicion that the video was no more than a publicity stunt.
 
What is with all these people who make assumptions without knowing? (A simple Google search would have found the Chrome alternative.)

CHROME HAS NOSCRIPT! It is called NotScripts.
 
Guest, please read the rest of the thread before making angry posts about the posts you've made it to.
 
insect said:
I was just pointing out the irony of the first four posts being about people saying how FF was somehow "better" cause Chrome got "hacked" once, which as others and I are pointing out appears to be BS.

You don't really appear to understand how NoScript works. Firefox isn't better, NoScript is better. Since Chrome doesn't have NoScript, I use Firefox. You don't really seem to understand the concept of irony either.
 
gwailo247 nailed it.

Also, for those using Firefox and want additional privacy add-ons, I recommend Ghostery and Better Privacy. Honestly, I do prefer Chrome, I'm not a Firefox fanboy. I'm a little concerned however that Chrome is the only major browser who still hasn't implemented a "Do Not Track" header. Hell, even Safari & IE9 have it! Anyways, once NoScript (not NotScript) is ported to Chrome and they add a "Do Not Track" header, I'll use Chrome from here on out.

--The same Guest who posted the 4th comment.
 
gwailo247 said:
insect said:
I was just pointing out the irony of the first four posts being about people saying how FF was somehow "better" cause Chrome got "hacked" once, which as others and I are pointing out appears to be BS.

You don't really appear to understand how NoScript works. Firefox isn't better, NoScript is better. Since Chrome doesn't have NoScript, I use Firefox. You don't really seem to understand the concept of irony either.

Why get more add-ons to do the work Chrome already does for you? Run in a sandbox and who cares if a script tries something malicious. Just close the sandbox instance (i.e., tab).
 
Anyone else see how one of the icons in the bottom right-hand corner disappeared after the browser has been "pwned"? Just seems kind of weird to me.
 
I guess Chrome has the "Apple effect" on its users. This isn't the first exploit Chrome has had and it won't be the last. Chrome has very good security but holes are being patched constantly, they just aren't as vocal about it as other companies are.

And if I recall correctly, Google patched Chrome the day of Pwn2Own, which is the reason no one even attempted to hack it. I don't think the other browsers did that. That's kind of cheating.
 