Slashdot Mirror


New Chrome Exploit Bypasses Sandbox, ASLR and DEP

Trailrunner7 writes "Researchers at the French security firm VUPEN say they have discovered several new vulnerabilities in Google Chrome that enable them to bypass the browser's sandbox, as well as ASLR and DEP, and run arbitrary code on a vulnerable machine. The company said they are not going to disclose the details of the bugs right now, but they have shared information with some of their government customers. The vulnerabilities are present in the latest version of Chrome running on Windows 7, VUPEN said."

2 of 150 comments

  1. What about Google? by d4fseeker · Score: 3, Informative

    Funny. I don't read anything about them disclosing it to Google (even though they offer a bug bounty). So I'll just have to guess NSA and all the other good guys are protecting us (yeah right) until someone at Google stumbles across this issue.

  2. Re:Disclosure policy by EvanED · Score: 3, Informative

    Being able to bypass them is a testament to their bad implementation... ...my understanding is that ASLR's implementation isn't the best, but IMO it's more like "is a testament to the fact that needing ASLR at all is patching a gunshot with a bandaid".

    And you say C++ is insecure and has stupid control structures, but then suggest writing it in C? Really?