
War on Error

Researchers dig deep hole in Chrome's sandbox



It had to happen eventually, and finally someone has found a way to break through Google’s much-vaunted Chrome sandbox security, which, let’s remind ourselves, first appeared in the browser as long ago as 2008.

As exploits go, the one publicised by security researchers VUPEN is about as good as it gets and appears to 'pwn' Chrome (that is, v10.696.65 running on 64-bit Windows 7 SP1) completely.

It works on all versions of Windows, exploits a previously unknown 0-day flaw that is not related to kernel mode, and doesn’t crash the browser. This breaks not just the sandbox but also the ASLR (Address Space Layout Randomisation) and DEP (Data Execution Prevention) that go with it, so it’s the crown jewels.

The demo video shows the researchers running a calculator app within the browser as a way of proving that it has been broken. The company has no plans to explain the exploit but presumably Google will be fed the details to allow a fix.

Chrome users are now in limbo, unsure of how the sandbox was broken, and without a fix. Google has yet to comment. Exactly what happens next will depend on whether the issue undermines the sandbox in a way that requires a major redesign or just causes a problem that can be patched in the short term. Clearly, the sandbox as users have known it is probably dead and gone.

I’d suggest they are still better off than having no sandboxing at all - Chrome has a generally good reputation in terms of security. It was also the only browser to survive the Pwn2Own contest intact, while the other major browsers fell.

Time to shrug and wait for Sandbox II.

