Slashdot Mirror


New Chrome Exploit Bypasses Sandbox, ASLR and DEP

Trailrunner7 writes "Researchers at the French security firm VUPEN say they have discovered several new vulnerabilities in Google Chrome that enable them to bypass the browser's sandbox, as well as ASLR and DEP, and run arbitrary code on a vulnerable machine. The company said they are not going to disclose the details of the bugs right now, but they have shared information with some of their government customers. The vulnerabilities are present in the latest version of Chrome running on Windows 7, VUPEN said."

3 of 150 comments

  1. Re:Disclosure policy by Rockoon · Score: 5, Interesting

    Browsers such as Chrome contain memory allocations that avoid DEP by using VirtualProtectEx() as it is pretty much a requirement of JIT compilation.

    Blaming Microsoft in this case is extremely premature, since we know that Chrome does in fact disable some protections intentionally.

    --
    "His name was James Damore."
  2. Re:And.. by icebraining · Score: 2, Interesting

    Chrome's sandbox is Windows' sandbox, so that's perfectly possible.

  3. How the exploit will be used by Hmmm2000 · Score: 5, Interesting

    To me the most troubling part of this issue is what VUPEN does ... from their web site -- "Exclusive and sophisticated exploits for Law Enforcement Agencies". So, the reason the exploit is not being made public is so that Government agencies can use these exploits to install keyloggers or whatever they choose on whatever computer they wish to target and monitor.