After enjoying 3 decades of ‘hackers-proof status‘ and after staying unhacked from the last three Pwn2Own hacking competitions, Google Chrome, one of the most secure web browsers available today has finally been hacked, according to what Vupen, a French security company claims.
So if you are a Google Chrome fan and had enjoyed it as a browser that can not be hacked (thanks to Chrome’s inbuilt sandboxing approach which is key to the browser’s core protection from hacking attacks), then rejoice no more — Google Chrome browser now has been hacked and cracked!
This attack code is designed to pierce key defenses built into Google’s Chrome browser, allowing the hackers to reliably execute malware on end user machines.
The security firm said that the attack required sophisticated attack code and breaks through Chrome without exploiting a Windows Kernel vulnerability. They released video proof showing that it’s possible to force the browser to download and run a calculator application without the browser crashing or computer showing any signs of something going on. In a regular attack, this calculator would be replaced with a hacker made payload (malicious program).
The exploit apparently works with “default” Chrome installations on all 32-bit and 64-bit Windows systems. The tested Chrome version was 11.0.696.65.
Google said it was unable to confirm Vupen’s claims. “The exploit … is one of the most sophisticated codes we have seen and created so far, as it bypasses all security features including ASLR/DEP/Sandbox,” said Vupen in a blog post Monday. “It is silent (no crash after executing the payload), it relies on undisclosed (‘zero-day’) vulnerabilities and it works on all Windows systems.“
VUPEN Pwned Google Chrome Sandbox Bypass [Video]
This video is showing the latest version of Chrome running on a 64-bit version of Windows 7. By loading the address of a specially designed website, the researchers are able to force the browser to download and run a calculator application without crashing or showing any other signs of anything fishy.
And evidently it is not just Google Chrome’s security that has been exposed by this hack. The Vupen attack code also bypassed Windows 7′s ASLR (address space layout randomization) and DEP (data execution prevention), two other security technologies meant to make hackers’ jobs tougher.
“This code and the technical details of the underlying vulnerabilities will not be publicly disclosed,” said Vupen. “They are shared exclusively with our Government customers as part of our vulnerability research services.“
But even though Vupen has refused to reveal to the public or Google what the holes are, hopefully Google fixes the vulnerabilities soon before other hackers catch wind of the exploit and start making use of it.