Google Chrome has amassed quite a favorable reputation for security with both users and security researchers. To its credit, it is the only web browser to have never been hacked at the annual Pwn2Own hacking competition. In fact, on the first day of this year’s Pwn2Own contest (Mar 9-11), Google even offered a $20,000 cash prize to anybody who could circumvent the browser’s sandbox “using vulnerabilities purely present in Google-written code.” While no one managed to claim the prize back then, researchers from French security firm VUPEN now claim to have finally “Pwnd Google Chrome and its sandbox.”
The company announced its success in a blog post on Monday. In keeping with the company's stated policy, the technical details of the vulnerability are only available to its government customers. Nonetheless, the company did share a short video (below) showing the exploit in action.
“The exploit shown in this video is one of the most sophisticated codes we have seen and created so far as it bypasses all security features including ASLR/DEP/Sandbox,” the company said, “it is silent (no crash after executing the payload), it relies on undisclosed (0day) vulnerabilities discovered by VUPEN and it works on all Windows systems (32-bit and x64).
“The video shows the exploit in action with Google Chrome v11.0.696.65 on Microsoft Windows 7 SP1 (x64). The user is tricked into visiting a specially crafted web page hosting the exploit which will execute various payloads to ultimately download the Calculator from a remote location and launch it outside the sandbox at Medium integrity level.”
A Google spokesperson simply said that the company was not in a position to verify VUPEN's claims "as we have not received any details from them."
I do really like the Pwn2Own deal though, you really have some of the most talented people actually doing some good... instead of bitching about a company for suing somebody and then hacking them and stealing credit card information...
Oh, if only talking smack about Google was as "hip" and "cool" as talking about Microsoft or Sony...
I highly doubt the credit card info was stolen because of the lawsuit with geohot. They gained access and a hacker said, hey, let's snoop around, and then they found all the CC and personal info right out in the open on the dev network.