Posted by: Samker
« on: 10. May 2011., 08:34:28 »VUPEN Pwned Google Chrome aka Sandbox/ASLR/DEP Bypass
After emerging unhacked from the last three Pwn2Own hacking competitions, Google Chrome, one of the most secure web browsers available today has finally been hacked, according to French security company, Vupen: http://www.vupen.com/demos/VUPEN_Pwning_Chrome.php
All the hackers had to do was let Google Chrome visit a website they coded in order for the browser to be exploited. Despite Google Chrome featuring a sandbox that isolates the browser from the rest of the computer (making it hard for hackers to execute code on the PC), the hack seemed to happen effortlessly.
Vupen released video proof showing that it’s possible to force the browser to download and run a calculator application without the browser crashing or computer showing any signs of something going on. In a regular attack, this calculator would be replaced with a malicious program.
Vupen has refused to reveal to the public or Google what the holes are, due to its policy of only sharing exploits to government customers willing to pay to find out. Of course, there’s no telling if the is real – after all it could have been fabricated (unlikely though); but if it is the truth, hopefully Google fixes the issue soon before other hackers catch wind of the exploit and start making use of it. Watch the demonstration video - above.
(UG)
After emerging unhacked from the last three Pwn2Own hacking competitions, Google Chrome, one of the most secure web browsers available today has finally been hacked, according to French security company, Vupen: http://www.vupen.com/demos/VUPEN_Pwning_Chrome.php
All the hackers had to do was let Google Chrome visit a website they coded in order for the browser to be exploited. Despite Google Chrome featuring a sandbox that isolates the browser from the rest of the computer (making it hard for hackers to execute code on the PC), the hack seemed to happen effortlessly.
Vupen released video proof showing that it’s possible to force the browser to download and run a calculator application without the browser crashing or computer showing any signs of something going on. In a regular attack, this calculator would be replaced with a malicious program.
Vupen has refused to reveal to the public or Google what the holes are, due to its policy of only sharing exploits to government customers willing to pay to find out. Of course, there’s no telling if the is real – after all it could have been fabricated (unlikely though); but if it is the truth, hopefully Google fixes the issue soon before other hackers catch wind of the exploit and start making use of it. Watch the demonstration video - above.
(UG)