Firefox, IE and Chrome All Have Problems
By on October 10th, 2012: Tagged as Information Security
In March the same researcher showed up at the CanSecWest conference in Vancouver and was able to compromise Chrome in the first edition of the Pwnium contest, winning a $60,000 reward for his work. At the time, Google security officials said that they knew who the researcher was and that he had been working on that specific attack for some time. Google later detailed the process that PinkiePie used in that attack, after the vulnerabilities had been fixed, and said that the researcher had chained together six individual vulnerabilities in order to accomplish the compromise of Chrome.
PinkiePie used several discrete bugs in order to get to a point where he could impersonate the Chrome extensions manager. After that, he focused on finding a way to break out of the browser’s sandbox.
“Once he was impersonating the extensions manager, Pinkie used two more bugs to finally break out of the sandbox. The first bug (117715) allowed him to specify a load path for an extension from the extension manager’s renderer, something only the browser should be allowed to do. The second bug (117736) was a failure to prompt for confirmation prior to installing an unpacked NPAPI plug-in extension. With these two bugs Pinkie was able to install and run his own NPAPI plug-in that executed outside the sandbox at full user privilege,” Google said.
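Both bugs Google describes are missing checks at the boundary between the sandboxed renderer and the privileged browser process: one privileged request was accepted from the wrong sender, and one dangerous install went ahead without asking the user. The following Python model, added here as an illustration and not Chromium's own code, shows the shape of the two checks a browser process would apply to such requests. The message names (`SetExtensionLoadPath`, `InstallExtension`), the `Sender`/`Verdict` types and the payload keys are assumptions made for the example; only the two rules (browser-only operations, confirmation before an unpacked native plug-in install) come from the text.

```python
"""Model of a browser-process message filter for extension operations.

Constructed illustration, not Chromium code: every IPC message carries the
process type it arrived from.  Privileged requests are honoured only when the
sender is the browser process, and installing an unpacked extension that
carries a native (NPAPI-style) plug-in also requires explicit user
confirmation, because such a plug-in runs outside the sandbox.
"""
from dataclasses import dataclass, field
from enum import Enum, auto


class Sender(Enum):
    BROWSER = auto()    # trusted process, outside the sandbox
    RENDERER = auto()   # sandboxed process, treated as potentially compromised


class Verdict(Enum):
    ALLOWED = auto()
    DENIED_UNTRUSTED_SENDER = auto()
    DENIED_NO_CONFIRMATION = auto()


@dataclass
class Message:
    kind: str                  # hypothetical message name, e.g. "InstallExtension"
    sender: Sender             # which process the message came from
    payload: dict = field(default_factory=dict)


# Operations that only the browser process itself may request (assumed names).
BROWSER_ONLY = {"SetExtensionLoadPath"}


def needs_confirmation(msg):
    """An unpacked extension bundling a native plug-in executes at full user
    privilege, so the user must be asked before it is installed."""
    return (msg.kind == "InstallExtension"
            and bool(msg.payload.get("unpacked"))
            and bool(msg.payload.get("has_native_plugin")))


def filter_message(msg, user_confirmed=False):
    """Decide whether the browser process should act on a single message."""
    # Rule 1: the sender of a privileged request must be the browser process.
    if msg.kind in BROWSER_ONLY and msg.sender is not Sender.BROWSER:
        return Verdict.DENIED_UNTRUSTED_SENDER
    # Rule 2: an out-of-sandbox install needs an explicit user decision.
    if needs_confirmation(msg) and not user_confirmed:
        return Verdict.DENIED_NO_CONFIRMATION
    return Verdict.ALLOWED


def dispatch(messages, user_confirmed=False):
    """Filter a batch of messages.  Returns the kinds that were allowed and an
    audit log of denials, which is what a defender would want to alert on."""
    allowed, audit = [], []
    for msg in messages:
        verdict = filter_message(msg, user_confirmed)
        if verdict is Verdict.ALLOWED:
            allowed.append(msg.kind)
        else:
            audit.append(f"denied {msg.kind} from {msg.sender.name}: {verdict.name}")
    return allowed, audit


# Constructed sample traffic: one legitimate request and two that must be refused.
SAMPLE = [
    Message("SetExtensionLoadPath", Sender.BROWSER, {"path": "/opt/ext/example"}),
    Message("SetExtensionLoadPath", Sender.RENDERER, {"path": "/tmp/untrusted"}),
    Message("InstallExtension", Sender.BROWSER,
            {"unpacked": True, "has_native_plugin": True}),
]

if __name__ == "__main__":
    allowed, audit = dispatch(SAMPLE)
    print("allowed:", allowed)
    for line in audit:
        print(line)
```

The point of keeping the sender check and the confirmation check separate is that they fail independently: a renderer that has already been compromised can send any message it likes, so the browser process must key its decision on where the message came from, not on its contents, and the user prompt remains the last gate even for requests that do originate from the trusted side.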