CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
EPSS
Percentile
91.6%
Use-after-free vulnerability in Google Chrome 17.0.963.66 and earlier
allows remote attackers to bypass the DEP and ASLR protection mechanisms,
and execute arbitrary code, via unspecified vectors, as demonstrated by
VUPEN during a Pwn2Own competition at CanSecWest 2012. NOTE: the primary
affected product may be clarified later; it was not identified by the
researcher, who reportedly stated “it really doesn’t matter if it’s
third-party code.”
Author | Note |
---|---|
jdstrand | VUPEN won’t release the exploit to Google to fix it, and access to the exploit is behind a paywall, so there is nothing to do. Marking deferred for now. Will re-open if new information is available. |
pwn2own.zerodayinitiative.com/status.html
twitter.com/vupen/statuses/177576000761237505
www.forbes.com/sites/andygreenberg/2012/03/21/meet-the-hackers-who-sell-spies-the-tools-to-crack-your-pc-and-get-paid-six-figure-fees/
www.zdnet.com/blog/security/pwn2own-2012-google-chrome-browser-sandbox-first-to-fall/10588
launchpad.net/bugs/cve/CVE-2012-1845
nvd.nist.gov/vuln/detail/CVE-2012-1845
security-tracker.debian.org/tracker/CVE-2012-1845
www.cve.org/CVERecord?id=CVE-2012-1845