Whitehats Hack into Google’s Chrome
Investigators from VUPEN, a pen-testing company in France, claim that they have successfully compromised Google's Chrome web browser, which is otherwise regarded as highly safe to use.
The investigators state that, after creating an exploit that penetrates the primary defenses incorporated in Chrome, they managed to plant malicious software on users' computers.
The attack used two different attack codes to evade Chrome's security defenses: ASLR (Address Space Layout Randomization), DEP (Data Execution Prevention), and a "sandbox" designed to keep browser functions separate from the basic operations of the OS. Until now, only a small number of exploits have been reported that can pierce the sandbox, which has enabled the browser to emerge unharmed from the yearly Pwn2Own hacker contest three years in a row.
In a video the investigators produced, VUPEN shows its attack code working on Chrome version 11.0.696.65 running on Microsoft Windows 7 SP1 (x64). In that demonstration, the end user is tricked into visiting a maliciously crafted web page hosting the attack code, which runs different payloads to eventually download the Calculator from a remote location and launch it outside the sandbox.
The demonstration, from one of the world's highest-profile vulnerability research groups, is rather impressive; however, it merely suggests that only very skilled hackers can design an effective attack on Google's Chrome, and that the effort required will in all probability far outweigh the gains they would anticipate.
VUPEN, which sells exploit and vulnerability details to government and business clients, has no plans to provide the technical details of the attack, even to Google. Rather, it is thinking about sharing them only with its government clients, so that the latter benefit from reduced threats.
Speaking on behalf of Google, a company spokesman stated that Google was not able to confirm VUPEN's claims at the moment, since VUPEN had not provided the Internet giant with any details. However, in case any changes were found to be necessary, Chrome would be automatically updated to the most recent version for end users, the spokesman added. Theregister.co.uk published this.
» SPAMfighter News - 17-05-2011