Google Chrome Hacked, Sandbox Escaped

[Deozaan]

One reason new users have been flocking to Google Chrome is the promise of improved security. Its internal Flash plug-in has been repeatedly been patched prior to the old-style NPAPI version for other browsers, it's plugged in to Google's malicious link-checking service in the cloud, and its sandbox has proved impenetrable for more than two years.

Now, VUPEN's research team has successfully exploited Google Chrome and escaped its sandbox. In the proof-of-concept video you'll see the Windows 7 cursors spin with activity while Chrome sits quietly in the background, blissfully unaware of what's about to occur. Yes, it's only Calculator that opens at the end, but that's not the point -- a malicious payload could have been triggered just as easily.

-http://www.browserscene.com/2011/05/google-chrome-hacked-sandbox-finally.html

Maybe this explains why my PC is suddenly calculating 5318008 upside down?

[Renegade]

Ouch... That's harsh...

[phitsc]

Where I work, IT actually took measures to prevent people from using Chrome. You can install it, but you can't launch the chrome.exe process.

(I had to rename it to something else )

[Carol Haynes]

Oh dear ... and that is the current version ...

[JavaJones]

Ouch indeed, however with the frequency Google puts out updates and the fact that Chrome is automatically updated for end-users by default, it has the best chance of any of the browsers to at least fix an issue like this and get it out to users fast. No other browser I can think of has as high a likelihood of addressing this problem within a short time period due in part to the (sometimes reviled) practice of auto-updating. Google also pays a good bounty for stuff like this, so it's win-win (provided it doesn't get exploited maliciously in the wild before an update is available). Here's hoping.

- Oshyan

[phitsc]

I don't know. I think I've read somewhere that of the popular browsers, Chrome was indeed found to be the most vulnerable one. But I think that was a report sometime end of last year.

Edit: here's something from Nov. 2010: http://www.favbrowse...-chrome-and-firefox/

[Mark0]

It seems that things may be quite a bit different than initially reported:

'As usual, security journalists don't bother to fact check,' said Tavis Ormandy, a Google security engineer, in a tweet earlier Wednesday. 'Vupen misunderstood how sandboxing worked in Chrome, and only had a Flash bug.' Chris Evans, a Google security engineer and Chrome team lead, tweeted, 'It's a legit pwn, but if it requires Flash, it's not a Chrome pwn.'

Computer World - Google engineers deny Chrome hack exploited browser's code

As noted also in today keynote at Google I/O, at the moment Flash on Chrome is partially sandboxed; it too (like web pages / tab are now) will be full sandboxed in the near future. Anyway, for the moment, a partial sandbox, in addition to the Flash automated update, is far better than nothing.

[Deozaan]

"We will not help Google in finding the vulnerabilities," said Chaouki Bekrar, Vupen's CEO and head of research, in an email reply to questions. "Nobody knows how we bypassed Google Chrome's sandbox except us and our customers, and any claim is a pure speculation."

Last year, Vupen changed its vulnerability disclosure policies when it announced it would no longer report bugs to vendors -- as do many researchers -- but instead would reveal its work only to paying customers.

-http://www.computerworld.com/s/article/9216627/Google_engineers_deny_Chrome_hack_exploited_browser_s_code

Does this mean that Vupen are black hat hackers? Or they're white hat hackers using blackmail?