Researchers at the French security firm VUPEN say that they have discovered several new vulnerabilities in Google Chrome that enable them to bypass the browser’s sandbox, as well as ASLR and DEP and run arbitrary code on a vulnerable machine.
The company said that it is not going to disclose the details of the bugs right now, but that it has shared information on them with some of its government customers through its customer program. The vulnerabilities are present in the latest version of Chrome running on Windows 7, VUPEN said.
VUPEN published a video that demonstrates an attack exploiting the Chrome vulnerabilities, although it gives no further clues about the bugs themselves.
“The exploit shown in this video is one of the most sophisticated codes we have seen and created so far as it bypasses all security features including ASLR/DEP/Sandbox, it is silent (no crash after executing the payload), it relies on undisclosed (0day) vulnerabilities discovered by VUPEN and it works on all Windows systems (32-bit and x64),” VUPEN said in its advisory about the bugs.
“The video shows the exploit in action with Google Chrome v11.0.696.65 on Microsoft Windows 7 SP1 (x64). The user is tricked into visiting a specially crafted web page hosting the exploit which will execute various payloads to ultimately download the Calculator from a remote location and launch it outside the sandbox at Medium integrity level.”
Newer versions of Chrome include a sandbox component that is designed to prevent exploits against the browser from being used to run malicious code in other applications on the machine. Google has been offering bounties for more than a year now to researchers who find and report new bugs in Chrome and its other applications to the company. The highest reward, $3133.7, is reserved for the most serious bugs, including those that are able to bypass the sandbox in Chrome.
But VUPEN is withholding details of the vulnerabilities and sharing them only with its customers. Government agencies and defense contractors have been consistent buyers of vulnerabilities for some time, and some researchers say that the prices these organizations pay for bugs can be as much as 20 or 30 times higher than what most vendors offer.