Speed and safety are two of the main reasons people use Google Chrome as a browser, but that feeling of being protected from web attacks was shattered by security firm VUPEN. Although Google has promoted the superior security of its browser since it launched Chrome, VUPEN researchers figured out how to hack their way out of the sandbox and past Windows 7's anti-exploit technology, meaning they found a way to make Chrome on a Windows computer run any program or code they want.
According to VUPEN:
The exploit shown in this video is one of the most sophisticated codes we have seen and created so far as it bypasses all security features including ASLR/DEP/Sandbox (and without exploiting a Windows kernel vulnerability), it is silent (no crash after executing the payload), it relies on undisclosed (0day) vulnerabilities discovered by VUPEN and it works on all Windows systems (32-bit and x64).
VUPEN said a user could be tricked into visiting a maliciously coded website where the exploit would be executed. Although the video shows Windows Calculator being downloaded as the payload, "in an actual attack, the 'calc.exe' file would be replaced by a hacker-made payload."
Sandboxing in Chrome is supposed to keep the web code in different browser tabs isolated from each other as well as from the user's computer. Chrome's sandbox is considered such an obstacle that no whitehat took on Chrome during the last Pwn2Own contest. In fact, Chrome has gone unscathed for the last three years at the annual Pwn2Own contest. At that same 2011 hacking competition, however, VUPEN shamed Safari 5 in only five seconds and then walked away with a new MacBook Air notebook and $15,000.
The vulnerabilities were exploited using the latest version of Chrome (Chrome 11) running on Windows 7, using two different exploits. If the vulnerabilities were exploited in the wild, the consequences would be wicked: the exploit could be used to steal passwords or to make the computer part of a botnet used to attack targeted websites. But VUPEN does not intend to release the 0-day code or technical details to the public or to Google. Instead, the security firm will share the Chrome exploit "exclusively" with government customers of its vulnerability research services.
VUPEN sells weaponized exploits to intelligence agencies and law enforcement for covert operations or for surveillance, as well as to help these agencies pen test and then protect critical infrastructure from the vulnerabilities before they are exploited by the public.
On the browser market, Chrome climbed past 20% and then fell slightly to 18.3% according to StatCounter's data. We'll have to wait and see whether or not VUPEN hacking the browser will affect Chrome's popularity and market share.