The Notebook Review forums were hosted by TechTarget, who shut them down on January 31, 2022. This static read-only archive was pulled by NBR forum users between January 20 and January 31, 2022, in an effort to make sure that the valuable technical information that had been posted on the forums is preserved. For current discussions, many NBR forum users moved over to NotebookTalk.net after the shutdown.

    0-Day exploit bypasses Chrome sandbox

    Discussion in 'Security and Anti-Virus Software' started by Hungry Man, May 9, 2011.

  1. Hungry Man (Notebook Virtuoso)

    The exploit bypasses DEP and the sandbox via buffer overflow. It doesn't affect Chrome beta or above.

    https://threatpost.com/en_us/blogs/researchers-say-new-bugs-can-bypass-google-chrome-sandbox-050911

    I wonder if this'll be addressed in tomorrow's Patch Tuesday.

    This is significant because Chrome's sandbox has never been circumvented before.
     
  2. ikovac (Cooler and faster... NBR Reviewer)

    Uh bad. But I guess some good HIPS could have caught it outside the Chrome sandbox? Or no?
     
  3. Hungry Man (Notebook Virtuoso)

    I don't know enough about it. I wouldn't really worry about this particular exploit since it's apparently really complicated and it's been found out by a security company and not a hacker.
     
  4. sarge_ (Notebook Deity)

    I would be VERY worried about this exploit.

    * "The exploit shown in this video is one of the most sophisticated codes we have seen" <- It's not their code, they found or acquired it, which means it is in the wild.
    * They are not releasing details about it, which means Chrome devs have no idea what's going on.
    * It is a perfect remote execution exploit bypassing ALL safeguards.

    Scary.
     
  5. Pirx (Notebook Virtuoso)

    It's not as if I hadn't been telling people for months now to forget about Chrome, and stick with IE. :frown:

    ;)
     
  6. sarge_ (Notebook Deity)

    I was horrified for a second or so. :D
     
  7. Hungry Man (Notebook Virtuoso)

    You misunderstand. Vupen found the exploit, it's not in the wild.

    They aren't releasing it... but I wouldn't say the devs have no clue. They know it's a buffer overflow, so it's not going to be some insane task to track it down.

    Including DEP, which means M$ could patch it as well.

    This is a single issue that you will likely never run into. This is not something to worry about unless you're a google employee.

    And Pirx, both Chrome and IE9 use the same exact security scheme except that:
    1) IE9 isn't on as quick of a release schedule. Monthly security updates? A new major version every year maybe? If we're even that lucky.
    2) It'll be targeted most of all as long as it's the default browser and holds majority.
    3) I don't believe it sandboxes flash, which is frankly a big security flaw if we're holding it up to Chrome.

    Both use sandboxing and both use low integrity. The one thing IE9 has is it's better at detecting malicious sites/ downloads. Chrome beta (and maybe stable?) provides this but it's not as good yet from what I've read.
     
  8. sarge_ (Notebook Deity)

    They say "we have seen", not "we have developed". That's what's bugging me.
     
  9. Pirx (Notebook Virtuoso)

    Yeah, I know. See the smiley...

    Well, in a case like that Microsoft is known to release emergency patches quite quickly. Speaking of which, where is the patch for Chrome? So far my Chrome happily reports it's "up-to-date"... :rolleyes:

    Yep, true, that.
     
  10. Hungry Man (Notebook Virtuoso)

    Because you don't create exploits, you find them. They found one using an incredibly complex process using multiple bugs.

    I have all emotes turned off as a security feature! You never know what's hiding in .pngs =p

    Where's the update for DEP from M$? I'm sure it'll be patched soon... and even if it were never patched it's not a huge security flaw, it's just a single instance that's basically proved Chrome isn't invulnerable =p

    Hopefully this is the last time we see something like this for at least another three years haha
     
  11. sarge_ (Notebook Deity)

    I wonder how many gems like this are not public.
     
  12. Hungry Man (Notebook Virtuoso)

    Probably not a lot. In fact probably none. You can make a lot more money by selling these than somehow hoarding them for yourself.
     
  13. ikovac (Cooler and faster... NBR Reviewer)

    I think the system should have protection layers set like this:
    1. Edit: blacklisting (useless for 0-day exploits, but good and fast for known malware)
    2. Sandbox (give me a chance to react and decide - but the way how Comodo does it - all is untrusted despite signings and trusted installers)
    3. HIPS (something is rotten in the system - let me investigate)

    So if the sandbox failed, HIPS should catch it and stop it.

    If HIPS failed then the Cleaning tools come in (CCE, MBAM and other heavy guns).

    If that failed - reformat disk :).

    So if the Chrome sandbox was breached, either some other sandbox or HIPS should catch it.
     
  14. Baserk (Notebook user)

    Exactly that is being discussed (on Chrome) at WildersSecurity forum; link
     
  15. Pirx (Notebook Virtuoso)

    Looks like you mean blacklisting, not whitelisting. Whitelisting would work perfectly fine for any known or unknown threats, but it is usually considered too cumbersome in practical use.
     
  16. ikovac (Cooler and faster... NBR Reviewer)

    Thanks - blacklisting was what I meant. I must be a negative man :eek:
     
  17. trvelbug (Notebook Prophet)

    I just updated my Chrome to 11.696.68.
    Don't know if that fixes this exploit though.
     
  18. davepermen (Notebook Nobel Laureate)

    Big failure of Google: they state it's not a Chrome exploit, as they used Flash.

    Does that matter? It's software I downloaded from Google, called Chrome, and it has, bundled with it, a special from-them verified version of Flash with a special sandbox handling it. So it's still their problem.
     
  19. Hungry Man (Notebook Virtuoso)

    Do you have a link?

    I'm not surprised that it's flash and while I understand that it's not Google's product I do agree with you.
     
  20. Hungry Man (Notebook Virtuoso)

    An interesting article on the subject:
    Chrome Hack Denied By Google Engineers

    It is in fact a flash exploit. Naturally the Google engineers are a bit peeved.

    Vupen was making it out to be a flaw in Chrome's code but the fact is this was a flash issue and a flash sandbox issue.
     
  21. Baserk (Notebook user)

    Is the flash sandbox Flash code or Chrome code?
     
  22. Hungry Man (Notebook Virtuoso)

    Google code. It's definitely still a Chrome exploit. Like the Google engineer said, there's no denying that. But they made it out to be... I dunno... 100% Chrome. What I mean by that is that it sounded as if they exploited the Chrome browser and then got out of the Chrome sandbox. What they did was exploit an Adobe bug and then get out of the Chrome sandbox.

    There's a pretty clear difference there but it does come down to Chrome's sandbox and that's why it's a legit exploit. It's just kinda... lame.
     
  23. Baserk (Notebook user)

    "It’s a legit pwn, but if it requires Flash, it’s not a Chrome pwn." – Chris Evans, a Google security engineer and Chrome team lead.

    That engineer seems to vehemently disagree with you.

    It seems like a Flash bug/exploit has been used in conjunction with a Chrome sandbox vulnerability/exploit.
    As the chrome sandbox is an integral part of the chrome browser, I don't see how breaking/exploiting the sandbox doesn't equate to breaking/exploiting the browser.
    Also, if Chrome developers are actively working with Adobe on their specific Flash version, a bug in that Flash version will always reflect on Google/Chrome also.
    At least more than when a vanilla version of Flash is exploited.

    Google won't win this battle of semantics.
    They should simply own up.
    That is, as far as they can of course because VUPEN isn't disclosing to them as long as Google doesn't pay up.
    Pretty harsh of those frenchies but then again, it's their prerogative/business model to not agree to Google's scheme of 'Here-is-what-we-decide-to-pay-you-for-your-research'.
    Even if Google/Chrome engineers are seriously ticked off by it.
     
  24. Hungry Man (Notebook Virtuoso)

    Yup. The engineers seem to disagree amongst themselves. It's understandable.

    Well I agree with you. For one thing it begs the question "What is a Chrome exploit then?" I mean.... what if they'd used WebKit exploits? WebKit wasn't started by Google, but they work on it and it's bundled with their browser. Same goes for the V8 JavaScript engine.

    They should absolutely take responsibility. I think the only reason they're reluctant is because flash is handled by another company and their developers only get to patch development builds, they don't have google engineers working on the source code alongside Adobe that I know of.

    I don't think Google could buy the exploit from Vupen. The government is willing to pay out tons of money but Google doesn't have as much money as governments do. If it's a bidding war they will lose. It's cheaper for them to simply work it out themselves.
     
  25. Baserk (Notebook user)

    That's the only thing where I disagree and then I'll give it a rest... ;)

    Check 2011, even a percentage of Q4 'Cash, Cash Equivalents & Marketable Securities' will do. link
    Heck, I'm willing to bet money that VUPEN would agree to shut down and retire for a percentage.
    Google is filthy rich and their 'Give-us-your-exploit-research-rewarding-scheme' is.....well, rather meager sometimes.
     
  26. Hungry Man (Notebook Virtuoso)

    Most of their exploits pay pretty damn well. 1000+ dollars to make a program crash? That's pretty good.

    But no, the government still has more money than google.