Google patches rare critical vulnerability in Chrome

Sandbox escape vulnerability disclosed at CanSecWest was patched in Chrome 17.0.963.78

Google has patched a critical Chrome vulnerability disclosed Wednesday at the CanSecWest security conference in Vancouver that can be exploited to escape from a browser's secure sandbox.

Russian security researcher Sergey Glazunov demonstrated a remote code-execution (RCE) exploit against a fully patched version of Chrome on Windows 7 as part of Google's Pwnium contest held at the conference..

Glazunov's exploit leveraged two Chrome vulnerabilities -- one that allows the execution of arbitrary code and one that bypasses the browser's much-touted security sandbox, which normally restricts such exploits.

Remote code-execution vulnerabilities, while very serious, are relatively common in all software products. However, the sandbox escape ones are extremely rare and, according to TippingPoint, which runs the separate Pwn2Own contest at CanSecWest, are worth much more than the US$60,000 Glazunov earned from Google for reporting it.

Both vulnerabilities leveraged by Glazunov's exploit were fixed in Google Chrome 17.0.963.78, which was released on Thursday.

"We had the first successful exploit at Pwnium yesterday, and today we've already rolling out an update to protect our users," said Sundar Pichai, Google's senior vice president for Chrome, on Thursday via his Google+ account. "The team took less than 24 hours from initial report to verification to fix development to getting a fix out."

Because of the Chrome's auto-update feature, users just need to restart their browsers in order to deploy the security fix. Organizations can deploy the important update by using the Google Update for enterprise policy.

Glazunov's was not the only Chrome sandbox escape exploit demoed at CanSecWest. A team of researchers from French security vendor VUPEN presented a similar attack as part of TippingPoint' Pwn2Own contest.

However, the Pwn2Own rules don't require researchers to disclose sandbox-escape vulnerabilities to vendors, primarily because the prize money wouldn't justify their disclosure. This means that there is still one highly critical Chrome vulnerability out there that remains unpatched.

The Chrome security team suspects that it's located in the Flash Player plug-in bundled with the browser by default and not in Chrome's own code. There is no confirmation from VUPEN regarding this theory, but if true, the task of patching the vulnerability would fall with Adobe Systems.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?