Google Chrome had been going strong on security, surviving repeated attacks by hackers for the past three years. The credit for this goes to its sandbox model, which does not allow outside code to execute within its environment and locks down all executable code to prevent damage. But a team of French hackers and a Russian student managed to bypass the Chrome sandbox on fully patched Windows 7 and exploit the system.
Both had participated in Pwnium, an annual security contest that promised to give away $1 million to whoever hacked Google Chrome successfully and $60,000 to those who reported a bug. Pwnium, an alternative to the annual Pwn2Own competition, was held in Vancouver, Canada.
VUPEN, a controversial French company that sells zero-day vulnerabilities, hacked the browser within five minutes of the contest using a pair of zero-day flaws, one targeting Windows and the other targeting Chrome’s sandbox. VUPEN had been developing the attack against Chrome for six weeks, and the attack itself took just five minutes. Chaouki Bekrar, the firm’s research head, said,
“We wanted to show that Chrome was not unbreakable. Last year, we saw a lot of headlines that no one could hack Chrome. We wanted to make sure it was the first to fall this year,”
He further added that his team made a web page that could be opened on a fully updated Windows system with a fully updated Chrome browser. The page contained code capable of bypassing Chrome’s sandbox model and executing code on the user’s computer.
Words of Sergey Glazunov
In the second account, a Russian student, Sergey Glazunov, hacked into Windows 7 using remote code exploits to bypass Chrome’s sandbox model. Glazunov received $60,000 for the exploit, which targeted two distinct zero-day vulnerabilities in the Chrome extension sub-system. Glazunov is a regular contributor to Google’s bug bounty, where he has regularly pointed out bugs in Chrome’s security.
Schuh, who is part of Google’s Chrome security team, said that the attack was very impressive. He said that Glazunov executed the code with the full permissions of the logged-in user and that the attack could have done anything. Schuh added:
“This is not a trivial thing to do. It required a deep understanding of how Chrome works. It is very difficult and that’s why we’re paying $60,000.”
Final Announcement by Google
Soon afterwards, Google announced that fixes for the reported bugs would be released soon. LetsNurture continuously learns to improve in various fields and provide the best solutions to ease the woes of its customers.
Finally, Google realized that its secure system is not that secure after all.
What is your take on this? Share your thoughts with a tweet to @letsnurture.