Google Chrome hacked with sandbox bypass:
The attack, which included a Chrome sandbox bypass, was the handiwork of Sergey Glazunov, a security researcher who regularly finds and reports Chrome security holes.
Glazunov scored a $60,000 payday for the exploit, which chained two distinct zero-day vulnerabilities in the Chrome extension subsystem. The cash prize was part of Google’s new Pwnium hacker contest, which Google is running this year as an alternative to the better-known Pwn2Own challenge.
According to Justin Schuh, a member of the Chrome security team, Glazunov’s exploit was specific to Chrome and bypassed the browser sandbox entirely. “It didn’t break out of the sandbox [but] it avoided the sandbox,” Schuh said in an interview.
Schuh described the attack as “very impressive” and made it clear that the exploit “could have done anything” on the compromised machine. “He (Glazunov) executed code with full permission of the logged on user.”
“It was an impressive exploit. It required a deep understanding of how Chrome works,” Schuh added. “This is not a trivial thing to do. It’s very difficult, and that’s why we’re paying $60,000.”
Glazunov is a regular contributor to Google’s bug bounty program and Schuh raved about the quality of his research work.
Schuh said Glazunov had once before submitted a similar sandbox bypass bug, but stressed that bugs of this kind, which yield full code execution outside the browser sandbox, make up a very small percentage of bug submissions.
Less than 24 hours after Sergey Glazunov hacked into a fully patched Windows 7 machine with a pair of Chrome zero-day flaws, Google rushed out a patch for Windows, Mac OS X, Linux and Chrome Frame users.
Technical details of the vulnerabilities are being kept under wraps until the patch is pushed out via the browser’s silent/automatic update mechanism.
According to Google’s advisory, the flaws related to universal cross-site scripting (UXSS) and bad history navigation. Unlike an ordinary XSS bug in a single website, a UXSS bug is a flaw in the browser itself that lets a malicious page run script in the context of any other origin, which is what makes it a stepping stone toward privileged components such as extensions.
- [Ch-ch-ch-ch-ching!!! $60,000] Critical CVE-2011-3046: UXSS and bad history navigation. Credit to Sergey Glazunov.
Glazunov’s exploit also bypassed the Chrome sandbox to execute code with the full permissions of the logged-on user.
The Google browser was also popped by a hacking team from VUPEN, and there is speculation that a vulnerability in the Flash Player plugin was exploited in that attack. VUPEN co-founder Chaouki Bekrar said the flaw existed in the default installation of Chrome but declined to say whether the faulty code was written by Google or by a third-party vendor.
The Flash Player plugin in Chrome runs in a weaker sandbox than the full browser and has always been a tempting target for attackers.
Google is working on moving Flash into a more robust plugin sandbox, and says this will happen before the end of this year.