Google has patched a high-risk vulnerability in its Chrome browser that allows an attacker to escape the Chrome sandbox.

That vulnerability is one of 48 bugs fixed in version 52 of Chrome released Wednesday.

Four dozen of those flaws are rated as high risks and Google paid out more than $22,000 in rewards to researchers who reported vulnerabilities to the company. Payment on an additional 11 bugs found by bug bounty hunters is pending, Google said.

Among the other serious vulnerabilities is a URL spoofing bug on iOS, a heap-buffer-overflow and four use-after-free vulnerabilities.

The bugs were found and reported via the Chrome bug bounty program. Longtime bug hunter Pinkie Pie earned $15,000 for a sandbox escape tied to Chrome’s Pepper Plugin API (PPAPI) component of the browser that aims to make plugins more secure and portable.

Google’s sandbox technology isolates system processes in an effort to prevent malware from escaping the Chrome browser and infecting the host computer or allowing it to steal information from the PC or execute remote code. This is just the latest out of many out-of-sandbox escape flaws fixed by Google in previous browser updates. It’s also just the latest sandbox escape flaw found by prolific hacker Pinkie Pie who earned $60,000 in 2012 at CanSecWest for finding several bugs including a sandbox escape bug. The following year Pinkie Pie earned another $50,000 at the Mobile Pwn2Own hacking contest for bugs once again tied to the Chrome sandbox escape bug.

Here are the public bugs fixed in Chrome 52:

[$15000][610600] High CVE-2016-1706: Sandbox escape in PPAPI. Credit to Pinkie Pie
[$3000][622183] High CVE-2016-1707: URL spoofing on iOS. Credit to xisigr of Tencent’s Xuanwu Lab
[$TBD][613949] High CVE-2016-1708: Use-after-free in Extensions. Credit to Adam Varsan
[$TBD][614934] High CVE-2016-1709: Heap-buffer-overflow in sfntly. Credit to ChenQin of Topsec Security Team
[$TBD][616907] High CVE-2016-1710: Same-origin bypass in Blink. Credit to Mariusz Mlynski
[$TBD][617495] High CVE-2016-1711: Same-origin bypass in Blink. Credit to Mariusz Mlynski
[$TBD][618237] High CVE-2016-5127: Use-after-free in Blink. Credit to cloudfuzzer
[$TBD][619166] High CVE-2016-5128: Same-origin bypass in V8. Credit to Anonymous
[$TBD][620553] High CVE-2016-5129: Memory corruption in V8. Credit to Jeonghoon Shin
[$TBD][623319] High CVE-2016-5130: URL spoofing. Credit to Wadih Matar
[$TBD][623378] High CVE-2016-5131: Use-after-free in libxml. Credit to Nick Wellnhofer
[$1000][607543] Medium CVE-2016-5132: Limited same-origin bypass in Service Workers. Credit to Ben Kelly
[$1000][613626] Medium CVE-2016-5133: Origin confusion in proxy authentication. Credit to Patch Eudor
[$500][593759] Medium CVE-2016-5134: URL leakage via PAC script. Credit to Paul Stone
[$500][605451] Medium CVE-2016-5135: Content-Security-Policy bypass. Credit to kingxwy
[$TBD][625393] Medium CVE-2016-5136: Use after free in extensions. Credit to Rob Wu
[$TBD][625945] Medium CVE-2016-5137: History sniffing with HSTS and CSP. Credit to Xiaoyin Liu

Categories: Hacks, Malware, Vulnerabilities, Web Security

Comments (4)

  1. Stephanie
    3

    I hope that no one has to go through the SPOOFED experience that I went through. It happened to me before spoofing became a known term. when I spoke of it and the emotional stress is unbelievable to most. It took months for my mother to believe me and to this day, she still has her doubts. I gave up all cell phones and computer devices for more than 6 months and demanded for true wired in phonelines. When I went to the Verizon store, they had no idea what I was experiencimg. I finally spoke to a tech that that supposedly corrected my device remotely, which took several hours to do and was still paranoid about whether or not the tech was actually truly aware of how the spoof had affected my entire personality and behavior!!!
    Unfortunately, the entire problem with the device didn’t go away. It came to my realization that all my other computer devices were attacked as well due to plugging in for charging, down or uploading, backing up data, etc. I truly belive my vehicle was also infected, as I had a trigic car accident that nearly unexplainable because the first responders had no idea of what I was speaking of. They thought I was making up the series of events that occurred. Not one person at the scene believed me. I am extremely grateful and lucky to be alive.
    I can’tell express enough about how this..SPOOFING… has literally physically, mentally and sociable has affected my life.
    This subject should be spoken of more publicly warning others of such. I hope for the best on this fix. I just want others know that SPOFFING DOES EXIST!!!
    Stphanie, Charleston, SC

    • Stephanie
      4

      I would like to see and hear about others’ experiences/stories So that I can share it with those who are in disbelief. Stephanie

Comments are closed.