Security research firm Vupen Security has claimed to have successfully hacked Google Chrome with an exploit of an undisclosed, zero-day vulnerability. According to a blog post on the Vupen Security website attributed to "Vupen Team," Vupen's researchers were successful in bypassing many of Google Chrome's security features, such as virtual "sandboxing" and other measures.
Vupen posted a video showing their exploit in action, which I've embedded below. Here are some additional details of what is shown in the video, excerpted from the Vupen Security blog:
"The exploit shown in this video is one of the most sophisticated codes we have seen and created so far as it bypasses all security features including ASLR/DEP/Sandbox, it is silent (no crash after executing the payload), it relies on undisclosed (0day) vulnerabilities discovered by VUPEN and it works on all Windows systems (32-bit and x64)."
Google Chrome had been one of the more difficult web browsers for hackers to exploit, having fared well at the recent CanSecWest Pwn2Own security challenge. Vupen shared the technical details of the Chrome vulnerability with their "Government customers as part of our vulnerability research services." I've reached out to Vupen Security for more details on the exploit, and will post an update to this story when new information becomes available.
Does this news make you think twice about using Google Chrome as a web browser? Let me know what you think by adding a comment to this blog post or by starting up a conversation on Twitter.