May 11, 2011 17:26 GMT

French vulnerability research company VUPEN Security announced that the upcoming version of Google Chrome, 12, is also vulnerable to the sandbox escaping attack it recently developed.

On Monday, VUPEN announced that, after a lot of work, its researchers managed to devise a Web-based attack capable of breaking out of the Google Chrome sandbox and executing malicious code on the system.

The company called the exploit "the most sophisticated codes we have seen and created so far," because it bypasses not only the renowned Chrome sandbox, but also the DEP and ASLR exploit mitigation technologies in Windows.

The team originally published a video of the attack in action against the latest stable version of Chrome, 11.0.696.65, running on a fully patched 64-bit Windows 7 SP1 installation.

Since then, it has also tested the exploit on Chrome 12.0.742.30, which is currently in beta and is expected to ship in around four weeks.

VUPEN's announcement has stirred quite a bit of controversy among users who follow security news, because the company did not present any evidence of the attack, except for the video, to either the public or Google.

Instead, it said that details are shared with its government customers, as part of its vulnerability research service, for both offensive and defensive purposes.

This seems to have upset some readers, who are unaware that security research teams and companies are in the business of providing such intelligence to governments, albeit without advertising it as openly as VUPEN.

Nevertheless, the company claims to have strict customer selection criteria and says that only countries that are members of the North Atlantic Treaty Organisation (NATO) or the Association of Southeast Asian Nations (ASEAN), or that are signatories of the Australia, New Zealand, United States Security Treaty (ANZUS), can apply.

VUPEN stopped providing timely vulnerability information to vendors who are not its customers last year, thereby joining the "no more free vulnerabilities" movement. The company will eventually share some information about the flaws, but not the exploit, with Google after some time has passed.