VUPEN, a security research company which works closely with Government institutions, has discovered a zero day vulnerability in Google’s Chrome web browser that allows a payload to be downloaded and executed on the host computer just by visiting a specially crafted web page.
As a proof of concept VUPEN has posted a video which shows how the Windows calculator accessory is launched after a web page is opened. Of course, Windows calculator is harmless, but any malware could be downloaded and installed at this point.
This is a complicated hack and has managed to bypass Chrome’s sandbox technology which isolates Chrome from the underlying operating system and is designed to make it difficult for a hacker to execute arbitrary code on the victim’s computer. The sandbox technology has served Chrome well, until now, as it has escaped undefeated in the last three Pwn2Own hacking contests.
This new attack also circumvented Windows 7’s address space layout randomization (ASLR) and data execution prevention (DEP) technologies, both of which are designed to hinder hackers.
VUPEN have not publicly disclosed the nature of the zero day vulnerability, but according to its blog the details will be shared exclusively with VUPEN’s Government customers as part of its vulnerability research services.