Two Zero-Day Flaws Used To Bypass Google Chrome Security

French researchers say they hacked their way out of browsers sandbox, bypassed DES and ASLR

Researchers at French firm VUPEN Security yesterday posted a video of a hack they say they executed using two zero-day vulnerabilities in Googles Chrome browser that successfully bypassed its sandbox and other security features.
VUPEN -- which withheld technical details of the bugs in its disclosure -- had not disclosed the bugs or any details to Google as of this posting. The security firm provides details of vulnerabilities it discovers to its paying government customers. We did not publicly disclose any technical details of the vulnerabilities for security reasons. We did not send the technical details of the vulnerabilities to Google, and Google did not ask us to provide these details, says Chaouki Bekrar, CEO and head of research at VUPEN.
A Google spokesperson said in a statement that without any details on the hack, the company is unable to verify it. Were unable to verify VUPENs claims at this time as we have not received any details from them. Should any modifications become necessary, users will be automatically updated to the latest version of Chrome, the spokesperson said.
Chromes sandbox features, which run an application in a restricted environment to protect the system, as well as the use of ASLR and DEP, had made the browser relatively impenetrable to hackers. Adobe also uses Chromes sandboxing technology, but VUPENs Bekrar says Adobes software is not vulnerable to the new hack.
Bekrar says VUPEN employed two different bugs its researchers discovered: one thats exploited inside the sandbox, and one thats executed outside of it. The first one results from a memory corruption leading to the execution of the first payload at low integrity level, inside the sandbox, he says. A second payload is then used to exploit another vulnerability, which allows the bypass of the sandbox and execution of the final payload with medium-integrity level, outside the sandbox.
The exploit, demonstrated
here
using Chrome v11.0.696.65 on Microsoft Windows 7 SP1 (x64), with the user being lured to visit a malware-rigged Web page, also bypasses Microsofts Address Space Layout Randomization (ASLR) security function and Data Execution Prevention (DEP) attack mitigation feature, and works on all Windows systems, including Windows 7 Service Pack (SP) 1, Windows Vista SP2, and Windows XP SP3, according to Bekrar.
Microsofts ASLR protects Windows from an exploit attempting to call a system function: It places code in random areas of memory that make it more difficult for an attacker to run malware on a machine. DEP prevents an exploit from directly injecting and executing code from sections of memory used for data.
VUPEN Security
early last year said it was able to bypass DEP on IE 8
and execute arbitrary code, and that it had sent its exploit code to Microsoft to examine. Other vendors have demonstrated DEP and ASLR bypass attacks: Core Security Technologies
discovered a flaw in Microsofts Virtual PC hypervisor
that can be used by an attacker to cheat DEP and ASLR. And independent researcher Peter Vreugdenhil
at CanSecWest 2010 waged a heap overflow attack on IE 8 and used a zero-day vulnerability he discovered
in the browser to bypass Windows 7s built-in anti-exploit features, Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR).
VUPENs Bekrar says it took the researchers many weeks to find a way to bypass Chromes sandbox. Chrome has probably the most secure sandbox in the market, and it took us many weeks to find a way to bypass it, he says. We have been looking into its whole attack surface and features to find a hole allowing the escape from the sandbox.
Anup Ghosh, founder and chief scientist at Invincea, says its no surprise that the sandbox was hacked. We always knew from the very beginning, while an internal sandbox is a good idea, architecturally youve still got a lot of residual attack space within the browser, Ghosh says. Its always just been a question of when it would happen.
And the hack highlights just how the sandbox -- albeit an extra layer of security -- is still just another piece of software that has vulnerabilities of its own, experts say. Like other security features, such as ASLR, sandboxes are very important as they make exploitation much harder and mitigate threats; however, a sandbox is not unbreakable as it is itself a piece of software, which can be affected by vulnerabilities, Bekrar says.
Invinceas Ghosh says he expects the vulnerabilities to be exploited -- initially by sophisticated attackers targeting specific organizations, and then, eventually, by organized crime syndicates. I have no doubt that this vulnerability will be exploited. The fact that they are not making it public makes it far more valuable, he says.
Meanwhile, there are no ways for Chrome users to protect themselves from these types of attacks.
Have a comment on this story? Please click Add Your Comment below. If youd like to contact
Dark Readings
editors directly,
send us a message
.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Two Zero-Day Flaws Used To Bypass Google Chrome Security