Bad news for Chrome users: The security researchers of the security service provider Vupen managed to abuse a currently unknown and non-published security vulnerability in the web browser and to bypass all further security mechanisms like the Chrome sandbox, ASLR and DEP – just by visiting a specially prepared website. In effect they silently could download and start any program without crashing Chrome, with medium integrity level (thus no driver installation on system level possible, but malware doesn’t need that necessarily).
According to the news release, Vupen discloses this information only to their governmental customers. They don’t state whether they informed the Google developers, too, so they could fix the issue. As details of the attack aren’t public, Chrome users don’t need to panic. But a new Chrome version may be out very soon.
Dirk Knop
Technical Editor
techblog.avira.com
Leave a reply
