Hackers Break Into Google Chrome Sandbox

Google malware

Researchers from France-based Vupen Security, who revealed the hack in a blog post and video Monday, said that the attack contained two exploits, which can bypass all of the browser's security features, including ASLR and DEP, two key security measures built into Windows Vista and Windows 7.

The attack, which relies on yet undisclosed zero day vulnerabilities in Chrome, is also silent -- meaning it does not crash the system after dropping the payload -- and works on all Windows systems.

The video demonstrates the exploit with Google Chrome version 11.0.696.65 running on Microsoft Windows 7 SP1.

Google has yet to confirm the existence of the security bug. "We're unable to verify VUPEN's claims at this time as we have not received any details from them. Should any modifications become necessary, users will be automatically updated to the latest version of Chrome,” said Google in a statement.

In a real life attack scenario, the user would be duped into opening a malicious Web page hosting the exploit -- typically through some kind of social engineering scheme. The attack then would execute malicious payloads before it downloaded the Calculator remotely, launching it outside the sandbox.

The Google Chrome sandbox is a security measure that isolates HTML rendering and JavaScript execution, which allows Web applications to be launched in their own browser windows without the ability to write or read files from other areas. The security measure is designed to prevent malware from compromising the browser, even if there is a potentially critical security flaw in part of the code.

Thus far, Google Chrome has been hard to crack, and has managed to remain undefeated in the infamous CanSecWest's Pwn2Own hacker contest.

"While Chrome has one of the most secure sandboxes and has always survived the Pwn2Own contest during the last three years, we have now uncovered a reliable way to execute arbitrary code on any default installation of Chrome despite its sandbox, ASLR and DEP," the researchers wrote.

While the Vupen researchers said that they would not publicly disclose the exploit code or technical details of the hack in the interests of security, they admitted that they planned to share them with the company's government customers as part of the company's vulnerability research services.

However, Google isn't included on that list, and thus far hasn't been notified about the exploit, according to a blog post by Brian Krebs .

The successful Chrome exploit came as Google's developer conference, Google IO, is held this week in San Francisco this week.