Their site seems to be going down, so here's the text:
---
Hi everyone,
We are (un)happy to announce that we have officially Pwnd Google Chrome and its sandbox.
The exploit shown in this video is one of the most sophisticated codes we have seen and created so far as it bypasses all security features including ASLR/DEP/Sandbox, it is silent (no crash after executing the payload), it relies on undisclosed (0day) vulnerabilities discovered by VUPEN and it works on all Windows systems (32-bit and x64).
The video shows the exploit in action with Google Chrome v11.0.696.65 on Microsoft Windows 7 SP1 (x64). The user is tricked into visiting a specially crafted web page hosting the exploit which will execute various payloads to ultimately download the Calculator from a remote location and launch it outside the sandbox at Medium integrity level. Note: The Calculator is used here as an example, it can be replaced by any other payload.
While Chrome has one of the most secure sandboxes and has always survived the Pwn2Own contest during the last three years, we have now uncovered a reliable way to execute arbitrary code on any installation of Chrome despite its sandbox, ASLR and DEP.
This code and the technical details of the underlying vulnerabilities will not be publicly disclosed. They are shared exclusively with our Government customers as part of our vulnerability research services.
Unless Google is one of their customers it may actually be a little while before this exploit is fixed. VUPEN does security research and doesn't disclose to original vendors unless they happen to be customers.
I both love and hate them. They are extremely talented and find absolutely awesome bugs that are hard to discover without a lot of work, and I hate them because they don't disclose their work unless it is for money. While I can understand that they have to make a living too, it just feels wrong to not protect everyone in the world when possible.
The reality is that there is probably no chance that they would ever find these bugs if they weren't funded to do it and the only way to be funded is to have customers.
The net result is probably safer software for all.
The net result in this case is the government owning a zero-day root exploit for every Chrome/Win citizen’s computer. It’s worse than zero-day because we have no reason to expect a patch, so the window of attack will stay open.
The government is generally more worried about keeping foreign governments out of high-tech firms like Google than about their ability to hack high-tech firms like Google.
Out of speculation, would this tie in at all to an article I saw on HN a while back about the Government hiring 3rd parties to hack Google for some reason?
I never said if anything was right or wrong, nor did I assume any of it, I just asked if it was related. Good to know curiosity gets flagged around here.
On an exploit like this, I expect a patch. I'm sure people at Google and abroad (if the exploit exists in Chromium) are scrambling to find it, both for the e-cred and just to make other people safer.
Agreed, no need to freak out, the sky's not falling. I expect Google will either find the sploit on their own, or pay what to them is a pittance to become a customer and acquire it that way. Sounds like a good company to have on the payroll anyway, doing what three years of Pwn2Own hasn't managed to.
"The net result is probably safer software for all."
I don't think that follows. Clearly there are folks in some governments who would fund finding zero day exploits so that they can use them to conduct cyber-warfare operations. Stuxnet comes to mind and the HBGary emails were telling in this regard. It seems there is a market for 0 day attacks that are not known to the manufacturer. So while Google would clearly give them $13,373 for the bug report, that is no doubt mouse nuts compared to what someone would pay them while it's not in the 'known' state.
So I find Vupen's business model not unlike the business of creating munitions. No doubt profitable but not something I'd personally want to participate in.
I'm confused. Why would the government want to break Chrome? Also, if they are not going to release the exploit soon (especially to Google), why are you saying 'safer software for all'?
Maybe I'm naive but it could simply be because they are evaluating it for internal use. The FBI and CIA don't want to use vulnerable browsers any more than we do.
I'm going to say that's definitely naive. It's a well-known fact that the US government has gradually been placing more and more emphasis on "cyber-warfare" over the last several years. A 0-day vulnerability allowing code execution (in a browser that's popular with tech-savvy users, even) is a very valuable tool in that regard.
You know that there is more than one government on Earth... and all of them aren't pro-free-speech :)
Safer software for all, because it's a better thing that VUPEN discover the bug than if it's discovered by some criminals who keep it secret and scam/hack.
Arguably, that's exactly what VUPEN is doing here. They're keeping it secret, and only letting those who are willing to pay have the necessary knowledge regarding this vulnerability and any possible workarounds. It might not be a scam, but I do find it morally questionable to hide the details of a bug of this significance.
> Safer software for all, because it's a better thing that VUPEN discover the bug than if it's discovered by some criminals who keep it secret and scam/hack
I suppose it depends on the point of view, but having it exclusively in the hands of governments can easily mean it's limited to criminals who keep it secret and hack.
Thanks for your response, but my question remains.
Why would an entity as big as "the government" invest in breaking one browser used by a minority (~10%) of users on the web? Wouldn't it be much easier to just compromise their Internet connections?
Let's say that, like most everyone else in the world, they already know how to break Firefox and Internet Explorer, etc. They don't want to spy on your net, they want to steal your files.
The Govt in question is obviously the US Govt. They want to know how to break Chrome, and every other net-facing app, so that they can hack your computer and spy on you, whoever you might be. Did you know, the CIA does do espionage?
I wonder if this kind of thing will set a precedent. If a security firm can "extort" Google, what stops a lone hacker from putting up a video of a Chrome exploit on YouTube and demanding some arbitrary amount of money as compensation?
According to Wikipedia it is technically not extortion because the obtained information that is of value to Google is not obtained "unlawfully" and doesn't seem to fall under the category "money, property or services". There seem to be some similarities though.
> I wonder if this kind of thing will set a precedent.
Erm... it's a traditional business model of security firms on the internets...
> If a security firm can "extort" google, what stops a lone hacker to put up a video of a chrome exploit on youtube and demand some arbitrary amount of money as compensation?
They're not extorting anything. They're not menacing Google or anything like that, they have not obtained this information illegally, they've done security research and are releasing their findings to their clients because that's how they make their money. That's it.
People were saying the same about HBGary before they started saying the opposite. Though my post isn't about technical brilliance. Being in bed with Power and relaxing one's moral standards to better serve it always leads the same way....
To profit? I believe most people would get into bed with the government if offered the correct incentives. I probably would, too. It's unfortunate, but that's how things work. Is it immoral not to relax your morals to, e.g., secure a better life for yourself and your family?
(Apologies for being meta, but I've recently begun studying morality/ethics so I'm exploring ideas for which I currently do not have answers. Suggestions/directions are appreciated.)
As you are researching I'd check out the writing and thoughts of Norwegian philosopher Arne Næss. He has a lot to say about different levels of rationality which are quite interesting. He began his philosophical career as a hard-core rationalist with the Vienna school but later in life expanded rationality to include a larger rationality and human feeling. Also Christopher Alexander has insight here about including human feeling as an objective instead of solely subjective part of decision making.
I'm curious if you have a link to decent evidence of this. From both personal experience and per-city data I've found, police response times are universally pretty dismal, but I would be interested to see the same data broken down by neighborhood.
I've read various stuff to this extent, but the most interesting treatment was in the documentary called "Crips and Bloods: Made in America" that examines the origins of those two gangs.
A big part of it was how the LAPD would only enforce laws in certain neighborhoods. The gangs were literally trained by the police that if they commit crimes on one side of a particular street, the laws will be enforced, but if they commit crimes on the ghetto side of the street, they will not be.
LOL, and Google does not have enough money to pay them a few measly billions to help fix their crown jewel Chrome browser?? Don't make me laugh like that! Poor Google, not enough money, that'll be the day.
These things should not in my opinion be disclosed to (the idiot skript kiddie segment of) the public before the vendors have been given a good long window to fix them.
I prefer what VUPEN does when compared to irresponsible discoveries by black hats who do not give a shit about the integrity of the installed product and privacy / safety / security of how many millions of users, who can then be screwed over by every skript kiddie and his dog because they released the info straight to the public.
Sure, if the vendor has absolutely ignored you and your loud demos of the bug, and won't respond to threats to release, you might release the exploit to a small segment of the IRREPROACHABLE VANILLA WHITE HAT security community with the intention that they might help persuade the vendor to take it seriously. That's about as far as I'd want to go with releasing serious exploits. Although of course grey/black hat stuff is fun - look, mum, I have a cool exploit!
If VUPEN are sworn to secrecy by their Government customer, and cannot tell the vendor or help them fix the bug, maybe it's time to get a new Government and public service. Your Government (US arrogances with a capital G) is trying to pwn you and spy on you. Fuck that, the government should answer to the will of the people (and don't talk to me about the farce we call democratic election. Democracy is where (almost) all the people are deeply involved in determining policy, it's more like the ideal soviet system, really, which was not realized AFAIK.)
Anyway, isn't that why you're carting guns around all these years, in case your (US) Government turns nasty and starts pwning your ass up down right and left with a canoe? (Not that it wasn't already.) Yes indeed, guns!! However let it not be said that I am inciting violent revolution with this sarcastic post, as I don't believe in or wish to promote that or any violent act.
"VUPEN provides vulnerability research and intelligence for defensive and offensive security." so, they are I presume happy to help the US CIA/MIL fvck people over (who most likely don't deserve it).
I can understand their joy but the last sentence in the post and the Twitter update: "Sorry Google...we have officially pwned Google Chrome and its sandbox with a 0-Day." [1] seem rather unprofessional for the "world leader in vulnerability research for defensive and offensive security" [2], a company with "Government customers".
VUPEN cracks Chrome for the Government!!!!! On Windoze, even!
I would have thought if they really had a US govt / CIA / military / espionage customer, said customer would NOT want them to reveal ANYTHING about the exploit to Google nor the public, especially not its existence. So, they told us that there is an exploit, and now it's top hax0r news, might likely feature in mainstream news. Most sensible people will most likely hear of it, and will disable flash / plugins in chrome until someone fixes it. Any worthy target for netspionage with any money and brain will hear about it immediately, and quit using chrome for lynx, dillo, or something even simpler.
Anyone who uses such a large app as a modern over-engineered web HTML5 bugzilla-feeding browser is kissing security goodbye forever. GNU ls(1) may have security bugs FFS, do you think your browser doesn't? Do they include Chrome or Firefox in the 'pretty secure' OpenBSD base install? No, no, they do not nor never will do this, although it is a most popular app!! (also because nearly all *BSD boxes become servers, but you get my drift.) Even if Chrome were regarded as an essential system service for every box to run, they would NOT include it! Better the system grind to a halt by itself without yielding access.
Google will redouble Chrome's general security and sandbox security in a push-patch, and this will most likely break the hack. Or they will rediscover it. LOL at your short-lived hack, your Government _will_ be pleased that you disrespected their payment and trust, boasting about it everywhere, putting Google and their targets on red-alert.
The 'secret black ops' part of Government would not only be displeased, they would kick their ass so damn hard for revealing that there is an exploit, that they would not be able to discover more exploits for years due to severe ass damage pain.
They pay you to learn stuff so we can do espionage or whatever fuckdoggery they might be intending at poor Arab countries to steal their oil, or suchlike... Then this silly idiot hacker company posts 'woohoo we found an exploit, look at us: but we can't tell you how it works - 'tis just for our pals in the govt'. Then the presumably nasty branch of govt gets out the concrete mixer and applies the concrete slippers - national borders not being much of an obstacle - then tosses the talkative hackers into the middle of the pacific trench (there's deep water there). They are then eaten by those nasty deep-sea fish with big teeth, and lights on stalks to freak us out.
So anyway, this 'half-secret hack' business reeks deeply of bullshit to me.
For some real bullshit, forget everything else I said. Windows is the utter pinnacle of bullshit for security, full stop. I understand that certain few idiots among the population do use it for playing games, and watching porn, and trying to be hackers, and in offices, but seriously: if you use Windows, any edition of Windows, for your own security, you obviously have not a clue nor give a real fuck about your security at all. Your password is probably 'dog' or 'cat'. OS X and Linux are barely any better for security.
If you want real security, throw away all the public and commodity crap operating systems and build your own. Or pay someone smart to build it. If it takes you less than 5 years to debug it before deployment, or it's more than 100KB of code in total size, I guess you failed: it's not secure. I'll give you a hint. Every process in the system should have access to precisely nothing by default. Not even the CPU, not even the time of day. Every single resource that is needed must be introduced to the process's environment by a neighbor or parent process (if possible, and in most cases it should not be). The entire system, especially process / resource structure, privilege and connection must be visible as a nested, nodes-and-arcs graph, for the user / sysop to verify and check what the hell is going on in it. If there's no link from Chrome to your printer, and you've disabled changes to that part of the process structure, Chrome will not ever print anything unless there's a solar storm - or similar stimulus - that miraculously alters everything without crashing it. You ANTICIPATED THAT UNLIKELY EVENT, and made 3 or 4 systems running everything exactly the same, in parallel, in sync at each step. If one screws up due to solar fuckdoggery, throw it in the bin and swap in another (like RAID). They do this shit in planes I believe, not the swap in bit, until it lands. The solar demons won't miraculously pseudo-break them all at once in the SAME WAY.
Windows, Microsoft, Security - can you spot the odd one out?
Can you see a juxtaposition here folks? Can you feel it? A disturbance ripples through the force, out through the local cluster (of galaxies) and back, because those three words were collected together in one place.
No amount of ill-acquired M$ money spent on Windoze security enhancements can break their appallingly bad track record for security holes, loss of privacy, and the happy virus cultivation ecosystems that Microsoft has consistently provided over the years with every version of Windows, almost from before viruses were invented. I think the first well-made and famous exploit came well before windows was conceived, I'd suggest Ken's cc hack. That's the first brilliant exploit I happen to know about - from the vendor himself, sly bastard. It's hard to believe he didn't go to jail for that, anyway, heh.
So yeah - VUPEN, Chrome, Windoze, haX0Rz working for the Big-G Government. LOL. Security Jokes all around. Chrome being the more respectable and secure among them in my opinion. And anyone who runs a nuclear reactor that depends for its stability or continued safe operation on a computer is a cow-tipping idiot too. Cars don't even. @stuxnet @.mil
I am still waiting for that obvious evidence. That includes more details and also tests on the latest dev version of Chrome (Chromium). I am not defending Google in any way, but some claim with no real evidence shouldn't convince anybody.
I saw a similar mentality on the Skype for Mac thread, as if there is a huge incentive to just make up vulnerabilities. More or less, when HN threads don't want something to be true ("terrible Chrome vulnerability with no public info and no pending patch!"), they make up controversies to keep them from having to accept that it's true. It's a bad habit.
I have over the years participated on a number of communities "for smart people", and this is the case in all of them. People have their particular points of view, and when there is some evidence against what the group considers to be good they use all kinds of ad-hominem attacks. I know it is just human nature, but it is sad that people don't see these patterns occurring.
Browser bugs are found in every single browser on every single platform. They're reported for free, traded privately, sold privately, given to the vendor for a bounty, used to spread malware, discovered in American corporations, discovered in Iranian corporations, and more. There is nothing exceptional here. This is business as usual. It's non-trivial, but far from exceptional.
Given that at least some of their customers will probably ask for this vulnerability, you have to judge whether this is a reputable company that would have a reputation to lose if they started spewing out false reports about their capabilities. It appears to be, so I would default to believing it.
I'm not too sure that's the business VUPEN is in. Sure, it doesn't hurt them much to share their latest Safari exploit given how slow Apple is on the fix, but with Google their window has the potential to be very short.
Citation needed for such a serious accusation. They claim to be ethical. From their about page: "VUPEN follows a private responsible disclosure policy and reports all discovered vulnerabilities to the affected vendor under contract with VUPEN, and works with them to create a timetable pursuant to which the vulnerability information may be publicly disclosed."
> http://www.vupen.com/english/services/
> As the world leader in vulnerability research, VUPEN Security provides weaponized and highly sophisticated exploits specifically designed for Law Enforcement and Intelligence Agencies to help them achieve their offensive missions using tailored and unique codes created in-house by VUPEN for vulnerabilities discovered by our researchers.
Note also the "under contract with VUPEN" part of the disclosure bit.
Chaouki Bekar, VUPEN’s CEO and head of research, confirmed that the company had no plans to share any details about their findings with Google, nor was it aware of any steps users could take to mitigate the threat from this attack.
“No, we did not alert Google as we only share our vulnerability research with our Government customers for defensive and offensive security,” Bekar wrote in response to an emailed request for comment. “Unfortunately, we are not aware of any mitigation to protect against these vulnerabilities.”
Just relying off the quote given: "VUPEN follows a private responsible disclosure policy and reports all discovered vulnerabilities to the affected vendor under contract with VUPEN…"
It makes it sound like if they crack your software, you only get disclosure if you are paying them money. However, I could be wrong.
"With 20 to 25 binary analysis and private exploits/PoCs released each month, the VUPEN In-Depth Binary Analysis and Exploits service allows organizations and corporations to evaluate and qualify risks, and protect national infrastructures and corporate assets from emerging attacks."
If you are interested in protecting your network, patches and workarounds are your first priority, not "proof of concept" exploits.
If VUPEN found the vulnerability, the work around is to pay VUPEN in order to patch your codebase. Pretty simple, theoretically.
If you don't have access to the codebase (like a Safari or MSIE bug), then you pay VUPEN to disclose a firewall filter, or some other kind of deep packet inspection to disallow the code required to execute the vulnerability on your network. Again, pretty simple, in theory.
VUPEN plays a pretty tight game. The only way to get in on their action is money. You know this though, and I doubt our opinions differ on the matter. Unlike opensource, full-disclosure GitHub junkies, some people find enjoyment in financially benefiting on everything they stumble across. Just another side of the coin, and the argument about that topic is best left for other sites. :)
To the best of my knowledge, VUPEN does not disclose vulnerabilities to the vendor affected unless the vendor is under contract with them and pays them. I have seen them post a public claim of a previously unknown vulnerability in one of my employer's products, and as far as I know they have never reported the details.
vupen: "Hey Google, your browser has a very nasty bug that allows for potentially horrible things to happen. We thought we'd share that with the world. If you'd like to know where it is though, you'd better give us money."
Why not? This is highly specialized research that not even well-paid Google employees were able to do.
This is actually quite common in recent years for bug hunters and exploit developers. I can think of a dozen or so companies that do the same thing. Immunity is another example.
Trying to use a moral argument to get out of compensating someone when you have the resources to do so is shameful. Sorry, but this stuff is worth far more than the (up to) $3133 they are offering.
No More Free Bugs, as they say.
They can either pay a nominal fee for doing their security work for them, or they can hire some equally talented people and fund this type of research on their own internally. Fair is fair. There is no reason this isn't worth compensating when something like PageRank optimizations is.
Publicly announcing a security vulnerability, claiming that you're sharing it with other clients with the intent of using it for "weaponized ... offensive missions", and then demanding a fee to gain the information to protect against said weaponization, sounds an awful lot like extortion. In the offline world, I don't think you can legally run a business with a strategy of: discover a problem in the security at one of Exxon's plants, publicly announce that you've discovered a vulnerability and will be selling the information to third parties, and then demand $N from Exxon for the details.
I don't see why not. As long as you don't actually break into Exxon and commit a crime.
The real reason your scenario is unlikely is just that Exxon practically owns the government, so they would change the laws or something to fuck you over.
But I mean what if you discovered a security vulnerability at McDonalds or something, a way to pick their locks. Why are you morally obligated to disclose it without compensation?
It is possible to be an accessory to a crime. If you plan a bank robbery and give the details to somebody else to perform, you're still guilty. Hell, you're still guilty even if you never perform the crime (conspiracy to commit ...)!
If you send a letter to a bank saying "I have found a breach in the kind of vault you use at your banks, I'm giving the details to some expert robbers but you can't have it unless you pay me $10m", with evidence you've done it, I'm pretty sure you will find yourself waking up at gunpoint at 6am, courtesy of the FBI.
Since unauthorised access of a computer is a crime in many places, I'm sure you can see the relevance, even if the consequences aren't as drastic. One hopes that we have misinterpreted this and that they have performed 'responsible disclosure' by telling Google all the details.
FYI, the industry has rejected the doublespeak term "responsible disclosure". Even Microsoft has issued statements denouncing the term. Most prefer to call that "coordinated disclosure". This accurately communicates the idea, without sneaking in someone's moral judgement.
This is probably why they keep repeating that their customer is the government. You could probably sell Exxon's security vulnerabilities to the government and demand $N dollars from them to show them how to fix the problem. It's advertising the vulnerability with posts like this that seems most questionable (similar to extortion) to me.
Yeah, that's the part that seemed odd to me as well, though someone knowledgeable in this area of law (at least in the better-settled offline case) could give some better info.
I believe it'd be okay, and probably actually happens, for a private security consultant to do threat assessments for a (non-criminal) client, e.g. prepare a report for DHS on the security of U.S. oil installations. But it seems like they'd be crossing a line if they posted a press release trumpeting a major vulnerability they discovered, mentioning by name which company and approximately where the vulnerability was located, but then refused to disclose it to the company in question.
I'm not sure how much it survives, but I believe there was traditionally even a common-law "duty to warn" if you were aware of significant risks to someone's person or property.
I'd imagine that depends on which government you're talking about. Seems like selling the info to a foreign government could be treading into "espionage" territory.
"Why not? This is highly specialized research that not even well-paid Google employees were able to do."
Correction: not even well-paid Google employees did. They may yet be able, and an existence proof may be all the help they need to find and fix it. Don't give up hope yet.
There's absolutely no evidence that this has anything to do with Flash. In fact, even if it was via Flash, there would still have to be another vulnerability to escape the Chrome sandbox, which could very likely be exploited via other means.
"They can either pay a nominal fee for doing their security work for them, or they can hire some equally talented people and fund this type of research on their own internally."
What makes you think they don't already? You make it sound like Google doesn't give a shit about security. That clearly isn't the case.
Google employs several of the best well-known security researchers in the world, and no doubt many more that we haven't heard much about.
That doesn't mean they're going to find everything, though.
At the end of the day, private companies are perfectly within their rights to do offensive research against Google products, to be selective about how they disclose their results, and to tell the public whatever they want about those results. As long as they aren't lying, there's nothing unethical about it.
I doubt Google will hire them. They seem to be a very unprofessional company, even with their skilled people.
They may pay to know about this security breach, though.
I think you'd be biting off the hand that feeds you. If you eliminate what is arguably a distasteful arrangement here, you also eliminate the incentive to continue doing it. You might get this bug for free, but you get a hidden loss, a bunch of future bugs that you'll never hear about.
Think about the audacity of farmers, who make a profit for food, which you need to live. But nobody thinks like that for some reason.
Earning profit just means you've done something for someone who really wanted it done. It's a necessary signal.
Don't think of it as volunteer work -- think of it as a non-financial exchange of value. You provide beta testing in exchange for significantly more affordable software and/or earlier access. If you want rock solid reliability, there are companies and operating systems that provide it, with the price tag and turnaround time to match.
I'm not talking about open source or beta programs. What is VUPEN getting out of giving the fruits of their research to Google for free? They would receive neither more affordable software nor earlier access.
The 100% unhackable browser and OS... how much does it cost? I think the turnaround time is going to be infinite. I'm not sure what you're saying.
These companies have employees, who have a nice situation with a financial exchange of value. Let them do their own work. If I'm going to do something their employees should be doing, they're free to hire me or pay me as a consultant.
This seems extremely unethical to me. Now that the world knows there is massive exploit in Chrome, there are bound to be more hackers attempting to abuse it - and have a few hints from the video. By blogging about this and not disclosing it to Google, they are actually increasing the risk of millions of individuals and companies being hacked.
Edit: Then again, blogging about it also makes Google aware of the exploit. I'm sure they have tons of resources working on it that wouldn't have otherwise...
Looking at the video and the time it took to launch calc.exe, it could be a PDF/Flash exploit that they are using.
The process count in Process Explorer started at 5 and at the end of the demo it looked like they had 8. That tells us there are 2 extra processes that are created (discounting 1 for calc.exe).
I tried to see if PDF/Flash creates new processes but I couldn't verify. Perhaps a Chrome developer could get a clue about what is happening by looking at the video.
They are obviously hiding something. When they flip back to Process Explorer, Chrome is perfectly sized to cover everything in the window except the calc.exe. My guess is there are other processes running that they're trying to hide that were used in the exploit.
"This code and the technical details of the underlying vulnerabilities will not be publicly disclosed. They are shared exclusively with our Government customers"
It seems odd to me that they don't publicly disclose the vulnerabilities, but they do publicly disclose the software versions affected by their "weaponized exploits", thereby giving the heads up to whoever might be targeted to avoid using that newly compromised software.
I think the version disclosure here was less of a "This version has a bug" and more of a "The latest version has a bug." It's a lot safer to tell people which haystack the needle is in than to give away the needle anyway.
The two things I noticed were that 1) The user of the device is named "IAmAdmin", implying that they have admin rights, and 2) The "integrity" of chrome.exe is changed from Low to Medium at some point during the attack. Could this somehow be related to breaking out of the sandbox?
To what extent is this extortion? I mean, they have admitted to only selling to a government. That means they find and exploit vulnerabilities in software created by a private corporation, disclose the existence of a vulnerability publicly, but don't allow the corporate body the means of fixing it. This news, if publicised, would harm Google's reputation and goodwill, perhaps non-negligibly, and cause users to switch products. Unless, of course, Google outbids a government. Pay up or suffer - would this be extortion?
I don't believe this crappy little security firm has more resources than Google, even in the Security Research Dept. They can go find it themselves and fix it. Anyway, it's probably mostly a windows bug. If you line the right bytes up together in windows' RAM, it will void itself and yield 'root' or whatever wiener name they have for it. Who knows, maybe the Govt is trying to screw google, and told them to do a fake release. Their post doesn't make them sound like real pros.
Well clearly there are two things going on here, assuming VUPEN is on the level:
1) A remote code execution exploit in Chrome
2) A privilege elevation exploit allowing the hijacked browser process to break out of its mandatory access control jail
Number 1 is of necessity a bug in Chrome itself (or a plugin). Number 2 is probably a vulnerability in the Windows sandbox, but it could instead be that they found a way to successfully attack the small part of Chrome that runs outside low integrity mode. They weren't specific as to the details.
This is, again, at the very least a remote code execution hole in Chrome, and there's no fundamental reason Linux or OS X should be invulnerable to the same hole. That Chrome on Windows is less secure than on Linux or OS X would be the wrong thing to take from this; the point of this demo is that VUPEN accomplished the feat of bypassing all the security mechanisms protecting Chrome on Windows, whereas on the other platforms you have fewer of these mechanisms in the first place (no real ASLR on OS X, no Chrome sandboxing last time I checked on Linux).
I wouldn't assume that. I think the big deal here is that they managed to break out of the Windows sandbox; that's what makes the exploit particularly interesting. The same vulnerability could exist on Linux too, but they just didn't invest the time in developing and demoing an exploit there too.
Or maybe not. I'm just saying, we can't assume either way.
I'd like to mention something to everyone running around crying about the falling sky because THE GUBBMINT has paid a security company to audit Chrome. Oak Ridge National Labs just recently had to shut down COMPLETELY because an Internet Explorer exploit "pwned" them. Do you maybe see how THE GUBBMINT might be interested in knowing if other browsers, such as Chrome, are as vulnerable?
But by all means, put on your tinfoil hats if that's more fun.
Which I suppose begs the question: Are automatic updates the silver bullet they seem to be sold as? I don't unequivocally disagree with them, or rather I disagree with them, but based on principle. In practice, it seems easy to argue that the benefits outweigh the arguments against. Still it'd be nice if there were at least an option to turn off the updates. (Perhaps there is and I've missed it in the settings?) Nonetheless for the time being I'll stick with my old fashioned browser, just because I'm a kind of a geek that prefers to initiate his own updates.
The video is edited, right about when he's showing process explorer post-exploit. The cursor suddenly leaps across the screen, so assuming they're covering up the other child process of the main chrome process is fair. Strangely, process explorer's 'process count' only goes up by 1, despite launching calc, and (seemingly) another child process. To be over-zealous, the single row of visible pixels for that other process is consistent with rundll32.exe.
That still doesn't mean that it's not a chrome bug - the exploit may use flash to retrieve the payload, make use of flash-js communication, flash-chrome communication quirks etc.
Impressive, but not surprising. Chrome isn't magical; ASLR and DEP have been bypassed in the past, and even if its own sandbox is perfect, the kernel it's sitting under is a huge attack surface.
ASLR and DEP, by and large, have nothing to do with the kernel. ASLR is a function of the binary loader and memory allocators, which are in userland. DEP is a function of userland memory protection flags (they're handled on the bare metal by the kernel, but the kernel just sets what it's told to by the userland). I'd put any amount of money down on the table that there is no kernel vulnerability here at all -- if there was one, I assure you that it'd be more than a Chrome vuln.
I know; my comments about ASLR/DEP and the kernel were intended to be separate. As for whether there's a kernel vulnerability, I'll defer to you (although it doesn't have to be full-fledged arbitrary code execution; it can just be a system call that's lax about security tokens), but in general the breadth of kernel code the renderers can access is pretty large.
Not saying this isn't true, as I'm sure VUPEN is quite legit, but what stops me from creating a keyboard shortcut to calculator.exe, opening a random website which loads for a few seconds, and then pressing ctrl+alt+f6 or something to open calculator?
If you're sure it is quite legit, why are you suggesting this? It is similar to what news networks do by adding a quotation mark to something they know is false just to suggest something they want to be true.
I'm willing to bet any of their Government customers wouldn't be able to confirm the exploit anyhow. Seems like an easy way to keep a lucrative Government contract...
This video is extremely suspicious to the point of probably being an outright lie. I would wager money that this vulnerability is a Flash exploit sold as a Chrome exploit.
It is not an accident that they hid Process Explorer after the exploit. They closed it before minimizing everything else intentionally. If you do not believe me follow the mouse pointer. The screencaster moved toward bringing Process Explorer top-level at 0:56 then realized it would show the entire thing and restored Chrome on top of it instead. With that in mind it is obvious that they do not want you to see what changed when it ran so instead we have to work with what is visible:
First item of interest is that Chrome shot up to over 400 MB of memory used which indicates that Flash is almost certainly involved.
Second, observe how long it takes for Calculator to start. Again, consistent with Flash being involved and Chrome delay-loading it.
Third, there are scroll bars on the tab. Big ones. This says there is an invisible item on the page taking up a lot of space which again points to Flash. I saved the exact same content to a file and look how small I can go without scroll bars: http://i.imgur.com/R0eqk.png
Fourth, flip back side by side through each photo and notice what disappears. The Windows search indexer disappears between screenshot A and B and this is what Vupen is intentionally covering up. You can still observe it indirectly based on the rows and colors at right. It is my understanding that the child processes of SearchIndexer.exe run at all times and not as some kind of cron but I do not use Windows so please correct me if I am wrong. At any rate they do disappear between A and B.
It would be very intelligent of them to blog post this as a Chrome sandbox bust (which is sort of newsworthy) and gain that link bait attention but, privately, use the exploit as the Flash and Windows vulnerability it most likely is.
I can get Chrome to chew through all of RAM and swap just by repeatedly changing the src= attribute of an img tag (which, by the way, I'd like suggestions on avoiding). Flash isn't required to eat lots of RAM.
I've been meaning to ask on Stack Overflow. It's simulating a video stream from a device with no FPU that's probably too slow to encode WebM or H.264. I'm dynamically generating a PNG image on the device and reloading it at regular sub-second intervals in Chrome via JavaScript. [Edit: I had to write a custom Ruby extension that directly calls libpng to get reasonable performance]
I have a hidden <img> tag and a <div>. In the timer callback I set the src= attribute of the <img> tag to the URI of the image plus the current time (e.g. "/image.png?v=123456789"), then in the <img> tag's onLoad I set the <div> tag's background-image style to the same value.
I was going to try using two <img> tags, and alternately hiding/showing them, but I doubt that will solve the caching issue. My current workaround is to keep the Chrome developer panel closed (which seems to store every resource loaded by a page regardless of any cache directives from the server) and have the page reload itself after 60 seconds of no user activity. Unfortunately, Chrome's memory usage still grows, only not quite as fast.
On an otherwise empty page? Yes, it is extremely likely when combined with the payload delay. If you manage to make a single tab commit that much memory as a delta without Flash (remember, 13 MB to > 400 MB) please screenshot about:memory and get back to me.
The scroll bars on the tab are revealing, too. I may be guessing but it is an educated guess. Additionally, there were multiple claims so I would not call that specific data point a basis for a claim, singular.
(Note that I haven't been able to see the original video so far, so add salt to taste.)
> If you manage to make a single tab commit that much memory as a delta without Flash (remember, 13 MB to > 400 MB) please screenshot about:memory and get back to me.
I can understand this as a weak prediction, but it certainly doesn't work as a strong one. I can trivially make a tab use over a gigabyte of memory in recent Chromium by creating a gazillion nested objects in JavaScript. (I just did, in fact. If you really want the screenshot and/or source, say so and I'll post it somewhere.) Absent some default limit in V8 that I haven't encountered, I could presumably make it use unbounded memory. I can also create apparently-unbounded latency in a single tab's UI this way, by chewing up CPU in blocking JavaScript code, though this will eventually trigger the “page seems unresponsive” dialog box.
I would also tend to expect an exploit to potentially abuse the JavaScript engine by straining its limits, including things like pouring a large number of identical objects onto the heap to fill memory with exploitable patterns.
No, it's not extremely likely. Given that most browser exploits utilize some sort of a heap spray, a growing memory usage is almost standard pattern for a browser vuln.
There is evidence that this is Flash. However, since everyone seems to want to attack individual parts of that evidence without applying Occam's Razor, I concede it could be something other than Flash. It could be Java, too. It could be a "standard browser exploit" too, whatever that is. Could be cosmic rays too.
The tendency to look for ways to prove me wrong with an alternate theory (which yours is) as opposed to acknowledging that multiple theories are possible with zero evidence aggravates me among technical people. In the absence of a disclosure we are both right.
You seem to only want to receive an answer that starts with "You bring up credible evidence, but maybe there's an alternate scenario playing out here, for which I believe the following holds true..." Now I can do that, but since we're all speculating, this is implied. No one is saying you're dead wrong, we're just posting alternate hypotheses and you're taking this very personally.
Let's apply Occam's razor: a) There is no reason why Flash (or another plugin) needs to take up a large amount of space on the page. If I were to write a flash exploit, it'd be a 1x1 object with whatever ActionScript that triggers the vulnerability, no need for a large area. b) VUPEN is a bunch of extremely talented folks and I believe they have little to gain by posting a fabricated exploit video. c) The delay can also be caused by a rather advanced heap-grooming technique, it can be JS garbage collection invoked many times, it can literally be them trying the payload numerous times. Implying it's probably flash is just as speculative as we're being.
Relax man, no one's disagreeing with you to be an asshole, no one's trying to argue with you, we're all just speculating.
Actually, you can fix it, too: chromium is open source.
Good to see this tired claim getting its play in this thread. I wondered how long it would be until it showed up. I think everyone who says "go fix it, it's open-source" should instead be required to come back with a diff within 24 hours.
People are quick to demand bug fixes or better security, but they never seem interested in actually doing the work.
I don't use Chrome or Windows, so I have almost negative personal interest in this story. However, some people probably do use Chrome and Windows, and those people's demands should be tempered by reality. If they didn't find this bug, why did they expect Google to?
I think everyone who says "go fix it, it's open-source" should instead be required to come back with a diff within 24 hours.
I think everyone should be required to give me a pony.
The person you replied to did not demand anything but instead theorized about a way to fix it.
I love how you assert that literally anybody could check out Chromium and fix the sandbox, a sensitive security-essential part of the browser, with very little effort required to appreciate the source and all of the moving parts.
Not dumb, there's just a lot of skills assumed to work on the security components of a modern Web browser. I would never claim that I could turn around and fix this bug as an outside developer. Words in my mouth.
In my opinion, this is one step away from sacrificing a virgin to make it rain. We should control our own software destiny and not just hope other people will do it for us.
It just sounds to me like they are exploiting a size overflow in some kind of content - a 400MB image, video, sound, 400MB of self expanding Javascript ... I'm not sure how you can conclude only flash can take such memory.
Whether or not this exploit is impressive, using the term "pwnd" comes across as incredibly unprofessional and predisposes me to perceiving this whole article in a negative light.
No disrespect intended, but, it doesn't negatively predispose anyone who conducts or utilizes vulnerability research professionally, so I doubt your concern matters much to them.
Oh, thank you for this comment. I wasn't aware that literally everyone who uses vulnerability research as part of their job had had a meeting and elected a spokesperson.
Only hiring offensive security vendors who won't use the term 'pwned' is roughly equivalent to trying to purchase a hand job from someone who won't use the term 'whore'. Neither is likely to get you very far.
Also pwned means something more specific than hacked. "owned" might be more "professional", but potentially more confusing, since Google didn't sell them the Chrome browser.
A video of calculator showing up after clicking a link hardly constitutes proof of an exploit.
Considering the fact that they aren't going to publish the exploit, I just want to point out that this kind of thing could easily be fabricated. There are plenty of interests that benefit from unfortunate news about their competitors.
"Dear Google Employees reading HN:
This exploit, along with VUPEN's affiliation to government agencies, scared the crap out of me. Having used Chrome since its earliest days, I'm now forced to switch my main browser to FF4; it remains so until confirmation from either party of the bug's "fixed" status."
I think it's time for you to take your computer out back and set it on fire. Best way to be safe until Google fixes this. Whatever it is.
If you think there isn't an active 0-day against Firefox or IE or Safari or... oh boy. This is news because such things are rare against Chrome. Welcome to software.
The video in question is http://www.youtube.com/watch?feature=player_embedded&v=c...