Researchers warn of Google Chrome zero-day

The team at Vupen Security claims to have discovered an exploit which makes light work of the 'sandbox' mode in Google's popular Chrome browser - allowing attackers to execute arbitrary code.

The sandbox feature was introduced in Google Chrome to protect users, and works by executing website code in a specially sealed-off area of memory - from which, the theory goes, it will be unable to access the wider system. It's a trick which has been adopted by several other software packages, most recently Adobe's Reader X - a PDF-viewing app which isn't well known for being the most secure package around.

The sandbox implementation in Google Chrome is, however, particularly well done - and if proof were needed, has survived the attentions of hackers and security researchers at the last three Pwn2Own contests at CanSecWest. Sadly, the protection offered by Chrome's sandbox appears to have been cracked.

The Vupen team claims that its most recent exploit represents "one of the most sophisticated codes we have seen and created so far," capable of bypassing all security features including Data Execution Prevention - which is designed to stop exploits from executing arbitrary code from areas of memory marked for data storage - and Chrome's sandbox mode.

Tested on Chrome v11.0.696.65 on a Windows 7 SP1 x64 host, the team's exploit executes a variety of attacks to ultimately download an executable file from a remote host and run it on the target system. While Vupen's chosen payload is simply a copy of the Windows Calculator, the technique could be used to run any code - including password sniffers and backdoor access Trojans.

"We have now discovered a reliable way to execute arbitrary code on any default installation of Chrome," the team explained following the publication of the findings, "despite its sandbox, ASLR, and DEP."

The code behind the exploit, plus the technical details of precisely how Vupen was able to succeed where many hackers have failed, will not be made public. Instead, the company will be providing the details to government customers of its vulnerability research service programme.

Google has not yet responded to our request for comment - but if Vupen's research proves accurate, Chrome is in sore need of a major security overhaul. Although technical details of the attack aren't available, the exploit can be seen in action in the below video.