Tom Simonite

A View from Tom Simonite

Chrome's Security Crown Slips

A security firm claims to have found a way to use Google’s browser to attack web users.

  • May 9, 2011

Google’s browser Chrome may have just suffered its most serious security setback yet. Security firm VUPEN today announced that its researchers had found a way to have a webpage run any code or program it wants on a Chrome user’s Windows computer.

A video shows how visiting the attacking webpage enables it to download and then execute a calculator program–a standard method of demonstrating how an attack works. If the vulnerability were exploited in the wild it could be used to install programs that steal passwords, or make a computer part of a network of infected computers used to attack websites.

VUPEN hasn’t made the exact details of the hack public, saying only that it required “one of the most sophisticated codes we have seen” and that it will relay the details to government agencies on its customer list. According to the company’s statement:

“This code and the technical details of the underlying vulnerabilities will not be publicly disclosed. They are shared exclusively with our Government customers as part of our vulnerability research services.”

VUPEN provides law enforcement and intelligence agencies with what it dubs “weaponized” exploits for surveillance or other covert operations. The company has made no mention of whether Google was warned of today’s announcement, or how it will be helped to fix the exploit.

Google has promoted Chrome since its launch as offering superior security to other browsers. Chrome has never been defeated at the annual Pwn2Own contest that challenges the world’s best hackers to compromise popular software. At this year’s event in March, Firefox and Chrome were the only two popular browsers not defeated.

VUPEN’s attack is the first to beat a feature of Chrome called “sandboxing” that carefully isolates web code in different tabs from each other, and the rest of a person’s computer. The new attack is able to somehow bust out of the sandbox to download and execute any code it wishes. Another of Chrome’s security features will help it minimize the risk to users, though. Unlike most software, the browser silently upgrades itself to the most recent version without a person’s permission whenever possible. That habit will enable the fix to Google’s new security hole to spread fast, once it has been worked out.

Tech Obsessive?
Become an Insider to get the story behind the story — and before anyone else.

Subscribe today

Uh oh–you've read all of your free articles for this month.

Insider Premium

$179.95/yr US PRICE

More from undefined

Want more award-winning journalism? Subscribe to Insider Premium.

  • Insider Premium {! insider.prices.premium !}*

    {! insider.display.menuOptionsLabel !}

    Our award winning magazine, unlimited access to our story archive, special discounts to MIT Technology Review Events, and exclusive content.

    See details+

    What's Included

    Bimonthly home delivery and unlimited 24/7 access to MIT Technology Review’s website.

    The Download. Our daily newsletter of what's important in technology and innovation.

    Access to the Magazine archive. Over 24,000 articles going back to 1899 at your fingertips.

    Special Discounts to select partner offerings

    Discount to MIT Technology Review events

    Ad-free web experience

    First Look. Exclusive early access to stories.

    Insider Conversations. Join in and ask questions as our editors talk to innovators from around the world.

/
You've read all of your free articles this month. This is your last free article this month. You've read of free articles this month. or  for unlimited online access.