The exploit used a chain of bugs to run code remotely on a computer

May 23, 2012 14:20 GMT

Google had to "bribe" security researchers to break Chrome, but two were finally able to do it a couple of months ago during the Pwnium competition. Google offered rewards for any exploit that successfully managed to escape the Chrome sandbox and run code unrestricted on the system.

No one had publicly done it until then, but two researchers managed it.

Google fixed the bugs soon after it was notified of them, but has only now provided a detailed explanation of one of the exploits, since it is confident that the vast majority of people who would be affected by it have upgraded their browser.

The exploit used by Pinkie Pie enabled him to run code remotely, via Chrome, on a target computer. He had to use six different bugs to do this, but he managed to chain them into a working exploit.

Google details how it happened and how the exploit works in its blog post. First, he got Chrome to load a Native Client module from a web page via a bug in the pre-rendering feature. Normally, Native Client modules can't be loaded from the web, only from installed extensions and apps.

But that was certainly not enough, as Native Client code is sandboxed as well. However, through the module Pinkie Pie was able to reach the GPU, and then used a buffer overflow bug to write to memory he shouldn't have been allowed to.

With a bit of work he gained the ability to write arbitrary memory inside the GPU process. But this process is sandboxed as well, though less strictly than HTML content or Native Client code. He then exploited another bug to make the GPU process masquerade as the HTML renderer.

Normally, renderers are sandboxed, so this alone wouldn't achieve much, but he used yet another bug to access a privileged renderer that could launch the extensions manager. With control over the extensions manager, he used two more bugs to load a custom NPAPI plugin from a path he specified. The NPAPI plugin, of course, runs unhindered on the computer.

Google fixed all the bugs a long time ago, so they don't pose any threat to any current Chrome version. Google also has the details of the 10 bugs Sergey Glazunov used to break out of the Chrome sandbox in his own exploit.

Yet those bugs involve other apps besides Chrome, likely Flash, though Google isn't saying, and Google is waiting for the other vendors to fix the issues and push the updated versions to users before releasing the details.