zz (repost) Google Chrome sandbox apparently cracked # Hardware - Computer Hardware
i*1
Post #1
http://www.net-security.org/secworld.php?id=11001
French security firm VUPEN has announced that its researchers have managed
to manufacture an exploit able to bypass Google Chrome's sandbox, ASLR and DEP.
It is precisely the sandbox feature that made hackers eschew or fail in
their attacks directed at Chrome at Pwn2Own time and time again - since, as
researcher Charlie Miller pointed out, it has a "sandbox model that's hard
to get out of". The feature is also what secured its reputation as the most
secure browser around.
VUPEN researchers have also presented a video that shows the exploit in
action with Google Chrome v11.0.696.65 on Microsoft Windows 7 SP1 (x64),
though no details about it can be actually gleaned from it. According to
VUPEN, the user only needs to visit a specially crafted web page with the
exploit and a number of payloads are automatically executed, which
ultimately allows an attacker to execute arbitrary code outside the sandbox
at Medium integrity level.
"The exploit shown in this video is one of the most sophisticated codes we
have seen and created so far as it bypasses all security features including
ASLR/DEP/Sandbox, it is silent (no crash after executing the payload), it
relies on undisclosed (0day) vulnerabilities discovered by VUPEN and it
works on all Windows systems (32-bit and x64)," they simply say, and add
that the code and the technical details of the underlying vulnerabilities
will not be publicly disclosed, but shared only with their Government
customers.
While I understand that various governments will likely pay infinitely more
for the details of the vulnerabilities than Google would through its bounty
program, the creation of this exploit, the discovery of this 0day
vulnerability, and VUPEN's refusal to share it with the public or Google is
extremely bad news for Chrome users.
In the end, we can't know which governments have shelled out for the exploit
and how they will use it. If VUPEN doesn't change its mind, I'm afraid the
only thing left for Google to do is to try to find out the hole for
themselves and patch it, or hope that a researcher more inclined to share
with them the details finds it and notifies them.