Slashdot Mirror


New Chrome Exploit Bypasses Sandbox, ASLR and DEP

Trailrunner7 writes "Researchers at the French security firm VUPEN say they have discovered several new vulnerabilities in Google Chrome that enable them to bypass the browser's sandbox, as well as ASLR and DEP, and run arbitrary code on a vulnerable machine. The company said they are not going to disclose the details of the bugs right now, but they have shared information with some of their government customers. The vulnerabilities are present in the latest version of Chrome running on Windows 7, VUPEN said."

2 of 150 comments

  1. Re:Disclosure policy by asdfghjklqwertyuiop · Score: 1, Troll

    The fact that the researchers have to go through the trouble of circumventing ASLR and DEP is a testament to their effectiveness.

    Testament to their effectiveness? If they were broken through, then they were not effective.

    ASLR and DEP just make existing vulnerabilities harder to exploit.

    It doesn't really matter how hard they made it if they aren't actually containing exploits, or at least some of them.

  2. Re:And.. by master_p · Score: 1, Troll

    And after reading the above, I conclude that the Windows security model is ...sh1t.

    First of all, it's extremely complex. It takes a long web page just to describe some aspects of it.

    Secondly, it's extremely disjoint: each little piece of Windows, having been developed in isolation, has its own ways, which results in not being able to enforce a single security system all over the system.