Friday, 09 March 2012 20:36

Google Chrome's Sand Box Takes a Kicking at CanSecWest; Gets Hacked Three Times

Written by
Rate this item
(1 Vote)

Reading time is around minutes.

GoogleGoogle’s previously unassailable Chrome web browser has now been hacked three times in only two days. The first two we have already told you about in a previous article. Vupen a French research company found a 0-day exploit that allowed them to jump out of Google’s Sand Box and then another that allowed them to execute arbitrary code on the OS that Chrome was installed on (in this case Windows). Vupen did this as part of the Pwn2Own competition held every year.

The second breach came from a long time open source and Google contributor Sergey Glazunov and was shown off during Google own Pwnium competition where entrants can earn up to $60,000 in prize money (called bounties) for the exploits they use.

The third was ironically from a teen who previously applied to work for Google, but according to him (he goes only by his alias “Pinkie Pie”) never even received a reply from the Ad/Search giant. Pinkie Pie managed to pull off three 0-day exploits in order to win another $60,000 from Google. What makes his attempt different (besides opening up the Windows image viewer with a picture of Pinkie Pie) was that getting out of the Sand Box was not the most complicated part of the hack. In fact Pinkie Pie said he found a simple way to do it.

The question now is; what is Google going to do to ensure that their Sand Box feature does not have more holes waiting to be exploited. After all having three people find unique ways to get exit the protected space of the browser and execute code on a target machine is not a good thing. We do full expect them to deal with these three security holes and in fact according to Google they have already patched the one submitted by Sergey Glazunov.  

Of the two remaining bugs the one submitted by Pinkie Pie is the most likely to be fixed soon as Google will have to pay Vupen for their sand box escape. We have a feeling that Google might find its browser the target of more attacks soon as the news of these three might make others dig deeper to find more in what would appear to be a rich environment.

Discuss this in our Forum

Read 2466 times Last modified on Friday, 09 March 2012 20:44

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.