Use-After-Free Object Lifetime Vulnerability in Chrome Could Allow Sandboxed Remote Code Execution

2011-04-19T00:00:00
ID MSVR11-001
Type msvr
Reporter Microsoft Vulnerability Research
Modified 2011-04-19T00:00:00

Description

Executive Summary

Microsoft is providing notification of the discovery and remediation of a vulnerability affecting Google Chrome browser versions prior to 6.0.472.59. Microsoft engineers discovered and disclosed the vulnerability under coordinated vulnerability disclosure to the affected vendor, Google Inc. Google Inc. has remediated the vulnerability.

A sandboxed remote code execution vulnerability exists in the way that Google Chrome attempts to reference memory that has been freed. An attacker could exploit the vulnerability to cause the browser to become unresponsive and/or exit unexpectedly, allowing an attacker to run arbitrary code within the Google Chrome Sandbox. The Google Chrome Sandbox is read and write isolated from the local file system which limits an attacker.

Microsoft Vulnerability Research reported this issue to and coordinated with the Chromium Project and the Google Security Team to ensure remediation of this issue. This vulnerability has been assigned the entry, CVE-2010-1823, in the Common Vulnerabilities and Exposures list. For more information, including information about updates from Google, see Google Chrome Releases: Announcements and release notes for the Google Chrome browser.

Mitigating Factors

  • In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker's Web site.
  • Successful exploitation of this vulnerability does not allow for code to run outside of the Google Chrome Sandbox, which is read and write isolated from the local file system, although other attacks may be possible.