Security Firm Finds Vulnerabilities in Google Chrome; Should We Be Afraid?

3 minute read
J. Angelo Racoma avatar

Chrome Logo
Since its launch, Google Chrome (news, site) has been pretty much rock-solid in terms of security, to the extent that Google has offered rewards to hackers who can break into Chrome. A recent turn of events might prove that Chrome may not be so secure after all.

During past Pwn2own events, Google Chrome has been subject to scrutiny by ethical hackers and has mostly escaped unscathed. Google went as far as offer a $20,000 reward at Pwn2own 2011 to anyone who can find and exploit a vulnerability in the browser, on top of prizes from the organizers. Just a few months after the last Pwn2own, it seems Chrome has finally found its match in French security firm Vupen (which, incidentally, also won the Pwn2own contest at CanSecWest 2011).

Chrome Not So Secure, After All?

In a video, Vupen demonstrated a zero-day exploit that enables hackers to take control of one's desktop. The exploit involves having a user load a webpage, after which arbitrary code can be executed on one's desktop, bypassing the usual security features of the browser and OS, such as the Chrome sandbox and Windows' ASLR and DEP. Vupen says this can be done in all Windows versions, and the vulnerability is present even with the latest Chrome version (hence being a zero-day exploit).

Vupen says the Chrome exploit is silent, and that Chrome won't crash after executing the payload. Note that the calculator app in the video is just a sample of what the exploit can load -- malicious hackers can theoretically download and execute any piece of software on your computer.

The user is tricked into visiting a specially crafted web page hosting the exploit, which will execute various payloads to ultimately download the Calculator from a remote location and launch it outside the sandbox (at Medium integrity level)."

Details, Criticisms

Vupen won't disclose specifics to the public for security reasons, although the company says it has exclusively shared these with government-based clients as part of vulnerability research services. Some critics have claimed, though, that the vulnerability is a known flaw with Webkit-based browsers (which includes Chrome and Safari), and that developers are already aware of the vulnerability. Vupen's apparent non-disclosure of the vulnerability to Google was also met with criticism, as it appears as if the company is waiting for Google to offer some compensation in exchange for information.

Learning Opportunities

Apart from Vupen's announcement, the US-CERT has recently found a vulnerability in WebGL, which is present in the latest versions of Chrome, Firefox and Safari. WebGL is a rendering spec for displaying and interacting with 3D graphics without the need for external browser plugins. US-CERT says that WebGL is vulnerable to "multiple significant security issues" which include "arbitrary code execution, denial of service and cross-domain attacks." The exploit that Vupen has discovered might actually be related to the WebGL vulnerability.

Are You Afraid of Your Security?

Whether the exploit publicized by Vupen is valid or not, the fact remains that most of these vulnerabilities will require some user action at some point. For example, Vupen's exploit involves tricking a user "into visiting a specially crafted web page hosting the exploit." The WebGL issue also involves a user opening a website with malicious JavaScript code embedded.

These exploits are often done with the assistance of some crafty social engineering attack, but this doesn't necessarily mean users should close their web browsers and disconnect from the Internet altogether. Of course, you should be careful of the websites that you open, and the links that you click. It all boils down to common sense and being smart with the things you do online.