Chrome exploit for Windows passes every security hurdle
French security services provider Vupen reports that it has developed an exploit for the current version of Chrome which bypasses both the Chrome sandbox and Windows' DEP and ASLR protective features. The company has released a video which demonstrates how visiting a crafted web site in Chrome 11 on the 64-bit version of Windows 7 SP1 launches the calculator, without crashing Chrome or triggering any other suspicious behaviour.
Vupen does not intend to reveal any details of the exploit, including how it bypasses the security features, at present. Government agencies who are Vupen customers have, apparently, already been informed of the exploit. Vupen does not state whether or not it has informed Google of the vulnerability; the company is, however, no longer unreservedly sharing its findings with software vendors.
Not one of the competitors at the last Pwn2Own contest tried their luck with Chrome, judging that the sandbox was too great an obstacle. This is not the first vulnerability which attackers have been able to exploit to run code outside the sandbox, but until now such vulnerabilities have always been announced as part of Google's bug bounty program and quickly closed. Exploits which bypass data execution prevention (DEP) and address space layout randomisation (ASLR) have also previously been demonstrated, most recently with Internet Explorer 8 at the Pwn2Own contest.
Chrome's sandbox isolates all rendering processes by placing a proxy between the processes and the Windows API. This proxy, known as a broker, has a policy which it uses to check whether processes are permitted to make a particular call to the API and returns the result to the process. Adobe's sandbox in Reader X operates in a similar fashion. Since Vista, Chrome's sandbox has used integrity levels (see The H Security article "Rights and integrity"), which specify which resources each process is permitted to access.
Internet Explorer 7 and later also implement protected mode in part using integrity levels. By setting a low integrity level, Internet Explorer is refused write access to parts of the file system, making it more difficult for malicious software to bore its way into a system.
- Chrome 12 Beta brings Flash cookie protection, a report from The H.