Researchers crack Chrome’s sandbox – but won’t say how

Security researchers claim to have cracked open Google Chrome’s sandbox, but will only share the full details with government customers.

Vupen Security said it had found a way to bypass the sandbox in Google’s browser, which has helped keep Chrome safe in competitions such as Pwn2Own – despite Google offering a $20,000 prize.

Vupen said in a blog post that the exploit was one of the “most sophisticated” it had seen, and that it gets past not only Chrome’s sandbox but also two other security techniques: address space layout randomisation (ASLR) and data execution prevention (DEP).

It makes use of zero-day vulnerabilities discovered by the security firm in Chrome 11, and works on all Windows systems. Vupen demonstrated the exploit in a video online, forcing the browser to open up and run a calculator application.

“The user is tricked into visiting a specially crafted web page hosting the exploit which will execute various payloads to ultimately download the calculator from a remote location and launch it outside the sandbox at medium integrity level,” the researchers said.

However, that’s all the detail the research firm plans to make public, as Vupen is keeping the hack in-house for its high-end customers.

“This code and the technical details of the underlying vulnerabilities will not be publicly disclosed,” the firm said. “They are shared exclusively with our government customers as part of our vulnerability research services.”

Google has yet to confirm any details of the hack.
