French security firm VUPEN has announced that its researchers have managed manufacture an exploit able to bypass Google Chrome’s sandbox, ASLR and DEP.
It is precisely the sandbox feature what made hackers eschew or fail in their attacks directed at Chrome at Pwn2Own time and time again – since, as researcher Charlie Miller pointed out, it has a “sandbox model that’s hard to get out of”. The feature is also what secured its reputation as the most secure browser around.
VUPEN researchers have also presented a video that shows the exploit in action with Google Chrome v11.0.696.65 on Microsoft Windows 7 SP1 (x64), though no details about it can be actually gleaned from it. According to VUPEN, the user only needs to visit a specially crafted web page with the exploit and a number of payloads are automatically executed, which ultimately allows an attacker to execute arbitrary code outside the sandbox at Medium integrity level.
“The exploit shown in this video is one of the most sophisticated codes we have seen and created so far as it bypasses all security features including ASLR/DEP/Sandbox, it is silent (no crash after executing the payload), it relies on undisclosed (0day) vulnerabilities discovered by VUPEN and it works on all Windows systems (32-bit and x64),” they simply say, and add that the code and the technical details of the underlying vulnerabilities will not be publicly disclosed, but shared only with their Government customers.
While I understand that various governments will likely pay infinitely more for the details of the vulnerabilities than Google would through it’s bounty program, the creation of this exploit, the discovery of this 0day vulnerability, and VUPEN’s refusal to share it with the public or Google is extremely bad news for Chrome users.
In the end, we can’t know which governments have shelled out for the exploit and how will they use it. If VUPEN doesn’t change its mind, I’m afraid the only thing left for Google to do is to try to find out the hole for themselves and patch it, or hope that a researcher more inclined to share with them the details finds it and notifies them.