[ISN] Anatomy of a hack: 6 separate bugs needed to bring down Google browser (Updated)

From: InfoSec News <alerts_at_private>
Date: Wed, 23 May 2012 06:35:27 -0500 (CDT)

By Dan Goodin
Ars Technica
May 22 2012

An exploit that fetched a teenage hacker a $60,000 bounty targeted six 
different security bugs to break out of the security sandbox fortifying 
Google's Chrome browser.

The extreme lengths taken in March by a hacker identified only as Pinkie 
Pie underscore the difficulty of piercing this safety perimeter. Google 
developers have erected their sandbox to separate Web content from 
sensitive operating-system functions, such as the ability to read and 
write files to a hard drive. Such sandboxes are designed to minimize the 
damage that can be done when attackers identify and exploit buffer 
overflows and other types of software bugs that inevitably find their 
way into complex bodies of code.

Pinkie Pie's attack came during Pwnium, a contest that awarded $60,000 
prizes to hackers who successfully broke out of the protective barrier 
by exploiting only vulnerabilities residing in code that is native to 
the Google browser. The teenager was one of only two contestants to win 
the top prize. He did it after running a custom-written NPAPI (Netscape 
Plugin Application Programming Interface) plugin directly on a Dell 
Inspiron laptop that ran a fully patched version of Chrome on a fully 
patched version of Microsoft's Windows 7 operating system. Google patched 
the severest of the vulnerabilities within 24 hours of their being exploited.

According to technical details Google published Tuesday, Pinkie Pie's 
odyssey began by exploiting a bug in a prerendering engine that helps 
Chrome work faster by gathering clues about webpages before they're 
loaded. By combining the attack with a second one that exploited a 
separate bug, he was able to inject a tiny, eight-byte address into a 
highly restricted section of the browser that processes commands sent to 
graphics cards.
