Google rushes out Chrome patch for sandbox exploit, other still lurks
By Rick Burgess
Shortly after two security researchers publicly bested Chrome at Pwn2Own and Pwnium a couple of days ago, Google has rolled out a fix for one of the exploits. However, the second hack remains both a mystery and ominously at large.
At Google's own contest, Pwnium, a Russian university student by the name of Sergey Glazunov defeated Chrome via a cross-site scripting exploit and "bad history navigation". His method allowed him to escape Chrome's sandbox, a much-touted security feature that isolates Chrome, and any would-be hackers, from critical system operations.
For his efforts, Glazunov earned a cool $60,000.
Subsequently, Google prepared a patch for the exploit within 24 hours of the discovery. The fix has already been rolled out automagically in the latest Chrome update, 17.0.963.78. Users need only restart Chrome to install it.
Despite Google's obvious efforts in keeping Chrome iron-clad, there may still be one more serious sandbox flaw remaining.
For the first time ever at Pwn2Own, security researchers revealed a zero-day exploit which penetrated Chrome's defenses. The security firm responsible for the hack, Vupen, bypassed Windows-based safeguards such as DEP (data execution prevention) and ASLR (address space layout randomization). The firm was then able to exploit a vulnerability found in the "default installation" of Chrome, which also allowed them to escape Chrome's sandbox.
Unlike Pwnium, however, Pwn2Own does not require hackers to disclose details about sandbox vulnerabilities. The reasoning is that such an exploit is far more valuable than the contest's prize of $20,000.
Pwn2Own's optional non-disclosure was a point of contention for Google, prompting the creation of their own spin-off, Pwnium, where disclosure is required but the prizes are larger.
As a result, Vupen refused to reveal the gory details about their hack. However, some security experts speculate that the firm exploited a flaw found in Chrome's integrated Adobe Flash module. If so, it may be a problem Adobe has to address.