Chrome Vulnerability Could Lead to Remote Code Execution Attack
- By Chris Paoli
- October 25, 2011
Researchers at Acros Security have found and disclosed a Google Chrome flaw it its built-in sandbox protection that could lead to a remote code execution attack.
The Slovenia-based security firm outlined the vulnerability in an e-mail sent to Google Chrome's developer team at the end of September. In it, the company outlined how a hidden configuration file could be uploaded by an attacker to bypass the security features of the Chrome sandbox.
"It is another case of file planting, where an application loads a data file (as opposed to binary file, leading to binary planting) from the current working directory," wrote Acros, in a blog posting. "Similarly to our previously reported file planting in Java Runtime Environment...Chrome loads a data file, namely pkcs11.txt, from the root of the current working directory and in case the file exists, parses and processes its content."
In a response to the vulnerability disclosure, Google said the issue is actually not a "security bug" due to the fact that it would be extremely difficult to pull off. "The preconditions to exploit this are too stretched: non-default browser configuration, freshly started browser, ability to get someone to load a file from your share (which means either being on the same internal network, or somehow getting them to mount a WebDAV share)," wrote Google.
Additionally, some of the preconditions that must be present for a successful exploit include having the Chrome's default browser set to Google, a potential victim cannot visit any other Web site that sends HTTPS requests before the malicious data file is downloaded and installed, and Chrome's working directory must be set to a controlled location for it to work.
While Google has notified other browser companies of this issue, including Mozilla, it said it has no plans to fix the issue due to its low risk level. Google summed up its position with the following statement: "Strange behavior, but we're not treating this as a security bug."