The Legend of Google Chrome Sandbox is No More
By Chinmoy Kanjilal on May 9th, 2011

Google Chrome’s sandbox was assumed to be the uber security feature in any browser to date. Prize money worth a whopping $20000 and star recognition were not motivation enough to crack Google Chrome’s sandbox. It seemed like Pwn2Own contestants were giving up on hacking Google Chrome. Now, though, they will have more hope.

Finally, VUPEN, a security research firm, seems to have gotten in and out of the Google Chrome sandbox with ease. They claim this by saying,

The exploit shown in this video is one of the most sophisticated codes we have seen and created so far as it bypasses all security features including ASLR/DEP/Sandbox (and without exploiting a Windows kernel vulnerability), it is silent (no crash after executing the payload), it relies on undisclosed (0day) vulnerabilities discovered by VUPEN and it works on all Windows systems (32-bit and x64).

The attack was carried out on Google Chrome v11.0.696.65 on a 64-bit Windows 7 system. This attack exploits the Chrome sandbox and successfully downloads a sample calculator program on your computer. This calculator can of course be any other malicious EXE file if you are a cracker. The guys at VUPEN have refused to release any code for the hack, though they have decided to share it with the Government.

This has come up a few hours from the Google I/O Conference, and last I heard, Google I/O was going to be all about Android this time.

As is always expected, Google must release a statement on this very soon. Over the years, Google has grown extremely protective of Google Chrome, and it was only a matter of time before someone hacked the sandbox. Clearly, the sandbox is all that stands between the browser and the hacker. In the meantime, you can see this video on YouTube and understand better what is happening there.

Check out the VUPEN research page here.

Three years of legacy comes to an end. Google Chrome finally seems to be hacked.

Author: Chinmoy Kanjilal
Chinmoy Kanjilal is a FOSS enthusiast and evangelist. He is passionate about Android. Security exploits turn him on and he loves to tinker with computer networks. He rants occasionally at Techarraz.com. You can connect with him on Twitter @ckandroid.

Chinmoy Kanjilal has written and can be contacted at chinmoy@techie-buzz.com.