A French IT security firm – Vupen – has severely cracked Google's Chrome browser by bypassing its integrated 'sandbox' security features, as well as Windows 7's equally integrated anti-exploit systems.
"We are (un)happy to announce that we have officially Pwnd Google Chrome and its sandbox", says the company in its latest security blog, adding that the company has posted a YouTube video to highlight its methodologies.
The exploit shown in the video, says Vupen, is one of the most sophisticated codes yet seen, since it bypasses all of Chrome’s security features, including ASLR/DEP/Sandbox.
"It is silent – i.e. no crash after executing the payload – and relies on undisclosed (zero-day) vulnerabilities discovered by Vupen and it works on all Windows systems (32-bit and x64)", notes the company.
According to Vupen, the YouTube video shows the exploit in action with Google Chrome v11.0.696.65 on Microsoft Windows 7 SP1 (x64).
"The user is tricked into visiting a specially crafted web page hosting the exploit which will execute various payloads to ultimately download the Calculator from a remote location and launch it outside the sandbox at medium integrity level", says the firm's blog posting, adding that the Calculator can be replaced by any other payload.