A critical buffer-overflow vulnerability has been identified in Chrome

Sep 8, 2008 14:53 GMT  ·  By

Researcher Le Duc Anh of the Security Vulnerability Research Team (SVRT) at the Vietnamese company Bach Khoa Internetwork Security (BKIS) has discovered a critical buffer-overflow vulnerability in Google Chrome. The vulnerability was patched in version 0.2.149.29.

Almost a week ago, Google launched the first public beta of its new browser, Chrome, and security researchers didn't miss the chance to poke around for flaws. First, security researcher Aviv Raff noticed that Google Chrome shipped with an older, vulnerable version of Apple's WebKit engine and released a proof-of-concept exploit demonstrating how a user could be tricked into downloading and running a JAR file without any warning. Not long after, another security guru, Rishi Narang, posted a simple yet effective way to crash Chrome, all tabs included, by using the "evil" % sign in a URL.

The vulnerability discovered by SVRT-BKIS might be the most critical yet. According to the information they provided, a boundary error in Chrome's "Save As" function allows an attacker to remotely execute arbitrary code on the system. When the browser saves a page containing a very long HTML tag, the tag's contents overrun a fixed-size stack buffer, producing a stack-based buffer overflow. To exploit this, an attacker crafts such a page carrying malicious code and then tricks the user into saving it for offline use; simply visiting the page is not enough, the victim has to use "Save As".
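As an added illustration of the bug class described above (this is constructed example code, not Chrome's source and not the SVRT-BKIS proof of concept), the following C program derives a default "Save As" filename from a page's <title>. The first version copies the attacker-controlled tag into a fixed-size stack buffer without checking its length, which is exactly the pattern that turns an overly long tag into a stack-based overflow; the second rejects the input before copying. The buffer size, the filename logic and the sample pages are assumptions made for the example only.

```c
/* Constructed example: a minimal "Save As" filename helper, once with an
 * unbounded copy into a fixed stack buffer (vulnerable) and once with an
 * explicit length check (hardened). Not Chrome's code; TITLE_MAX is an
 * assumed size, the real buffer size is not known from the advisory. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define TITLE_MAX 64   /* assumed fixed buffer size */

/* Locate the text between <title> and </title>; returns NULL if absent.
 * The length is whatever the page author chose, i.e. attacker-controlled. */
static const char *find_title(const char *html, size_t *len_out) {
    const char *start = strstr(html, "<title>");
    if (!start) return NULL;
    start += strlen("<title>");
    const char *end = strstr(start, "</title>");
    if (!end) return NULL;
    *len_out = (size_t)(end - start);
    return start;
}

/* VULNERABLE: trusts the length of attacker-controlled markup. A title
 * longer than TITLE_MAX-1 bytes writes past 'title' and smashes the stack
 * (saved registers, return address). Never call this on untrusted input. */
int suggest_filename_unsafe(const char *html, char *out, size_t out_len) {
    char title[TITLE_MAX];            /* fixed-size stack buffer */
    size_t len;
    const char *t = find_title(html, &len);
    if (!t) return -1;
    memcpy(title, t, len);            /* no bound check on len */
    title[len] = '\0';
    snprintf(out, out_len, "%s.html", title);
    return 0;
}

/* HARDENED: bound the copy against the destination before touching it.
 * Returns 0 on success, -1 if no title, -2 if the title would not fit. */
int suggest_filename_safe(const char *html, char *out, size_t out_len) {
    char title[TITLE_MAX];
    size_t len;
    const char *t = find_title(html, &len);
    if (!t) return -1;
    if (len >= sizeof title) return -2;   /* leave room for the NUL */
    memcpy(title, t, len);
    title[len] = '\0';
    snprintf(out, out_len, "%s.html", title);
    return 0;
}

/* Constructed sample input: a page whose <title> is 300 bytes, far beyond
 * the assumed TITLE_MAX. Built at runtime so the example stays readable. */
static char malicious[600];
const char *malicious_page(void) {
    size_t n = 0;
    n += (size_t)snprintf(malicious + n, sizeof malicious - n, "<html><head><title>");
    memset(malicious + n, 'A', 300);
    n += 300;
    snprintf(malicious + n, sizeof malicious - n, "</title></head></html>");
    return malicious;
}

int main(void) {
    char out[128];
    const char *benign = "<html><head><title>hello</title></head></html>";

    /* Both versions handle a normal page identically. */
    suggest_filename_safe(benign, out, sizeof out);
    printf("benign  -> %s\n", out);

    /* Only the hardened version is safe to run on the oversized title;
     * the unsafe one would overflow its stack buffer here. */
    int rc = suggest_filename_safe(malicious_page(), out, sizeof out);
    printf("malicious -> rejected (rc=%d)\n", rc);
    return 0;
}
```

The decisive line is the comparison of the attacker-controlled length against `sizeof title` before the copy; the unsafe variant has no such check, so the 300-byte title in the constructed page would overwrite whatever sits above the buffer on the stack. Compiling with `-fstack-protector` or running under a sanitizer would turn the silent overwrite into a crash, which is the "crash the browser" behaviour the proof of concept also demonstrates.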

The team has provided proof-of-concept exploits that either launch the calc.exe program found on Windows computers or crash the browser entirely. The vulnerability was discovered in version 0.2.149.27, and their report states that Google was notified in advance: "We have submitted this Vulnerability to Google. They confirmed and assigned a verifier for build 0.2.149.28." Ryan Naraine, security evangelist at Kaspersky Lab, reported on his blog that Google confirmed this. "We became aware of this vulnerability last night and began working on a fix immediately. We expect to release the fix soon through an automated update to the browser, so users will not have to take any action to be protected. As always, Google asks researchers to practice responsible disclosure, so potential vulnerabilities can be evaluated and fixed before they become public and before users are subjected to unnecessary risk. Security bugs for Google Chrome can be filed at code.google.com/p/chromium," said the reply from Google's PR team.

The vulnerability was patched in release 0.2.149.29 which can be obtained either from the Google Chrome website or through the browser's auto-update function.