
Bug may enable remote code execution in Chrome

Google Chrome contains a vulnerability that could allow an attacker to silently execute remote code on a victim's machine outside of the browser's built-in sandbox protections, according to researchers at Slovenia-based Acros Security.

According to Google, however, the issue is not technically a flaw, but rather a “strange behavior” that would require substantial user manipulation to exploit.

The issue, which Acros researchers disclosed to Google more than a month ago, could under specific circumstances cause Chrome to load an encryption configuration file from an insecure location, Mitja Kolsek, CEO of Acros Security, told SCMagazineUS.com on Monday. This could allow an attacker to execute remote code on a victim's machine outside of the Chrome sandbox, which is intended to protect sensitive resources from being accessed by malicious code.

The flaw involves an encryption configuration file called pkcs11.txt, which is loaded in Chrome by one of Mozilla's Network Security Services (NSS) libraries that is integrated into the browser, Kolsek explained. The same flaw might exist in other products that use NSS libraries.

To exploit the bug in Chrome, an attacker would have to set up a network share and place a malicious pkcs11.txt file inside of it. The adversary would then have to trick the user into opening or saving the nefarious file. If the user was successfully duped, Chrome would automatically set the current working directory to an insecure location.

Successful exploitation is thus a complex scenario, leading researchers at both Google and Acros to believe that the risk of exploitation is low.

For an attack to work, Google must not be the default search engine within the browser, researchers said. Other default search engines, such as Yahoo and Bing, do not send any HTTPS requests when Chrome is launched, and therefore allow the attack to be performed.

Additionally, a user cannot have visited any websites that send HTTPS requests before the attack. Finally, Chrome's current working directory must be set to an attacker-controlled location for the attack to work.

HTTPS is an encrypted protocol that prevents the unauthorized hijacking of private sessions.
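The preconditions above boil down to one auditable state: a Chrome process whose working directory is an attacker-controlled network share that contains a pkcs11.txt. The following is an added defender-side check, not code from the article, Acros or Google; the trust policy (UNC paths are untrusted, anything outside a caller-supplied list of trusted roots is untrusted) is an assumption for illustration.

```python
from pathlib import PureWindowsPath

# Name of the NSS configuration file discussed in the article.
NSS_CONFIG_NAME = "pkcs11.txt"


def _is_under(path: PureWindowsPath, root: PureWindowsPath) -> bool:
    """True if `path` equals `root` or lies beneath it."""
    try:
        path.relative_to(root)
        return True
    except ValueError:
        return False


def is_remote_or_untrusted(cwd: str, trusted_roots) -> bool:
    """Return True if a working directory is a UNC network share or lies
    outside every trusted root (assumed policy, not from the article)."""
    p = PureWindowsPath(cwd)
    # UNC paths (\\server\share\...) are network shares: whoever can write
    # to the share controls any file a process opens relative to its CWD.
    if p.drive.startswith("\\\\"):
        return True
    return not any(_is_under(p, PureWindowsPath(r)) for r in trusted_roots)


def audit(cwd: str, files_in_cwd, trusted_roots) -> str:
    """Classify a browser process's working directory.

    Returns 'ok' when the CWD is trusted, 'untrusted-cwd' when it is not,
    and 'untrusted-cwd-with-config' when the untrusted directory also holds
    a pkcs11.txt, i.e. the exact state the article describes.
    """
    if not is_remote_or_untrusted(cwd, trusted_roots):
        return "ok"
    if NSS_CONFIG_NAME in {name.lower() for name in files_in_cwd}:
        return "untrusted-cwd-with-config"
    return "untrusted-cwd"


if __name__ == "__main__":
    # Constructed sample inputs: a share hosting the config, and a normal
    # profile-directory CWD. No real hosts or paths are referenced.
    trusted = [r"C:\Users", r"C:\Program Files"]
    print(audit(r"\\example-share\public", ["PKCS11.txt"], trusted))
    print(audit(r"C:\Users\alice\Downloads", ["PKCS11.txt"], trusted))
```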

Google employees have notified Mozilla about the issue, a source close to Google told SCMagazineUS.com on Monday. A fixed version of the Network Security Services code is expected to be integrated into Chrome in an upcoming version.
