Google Downplays 'Sandbox' Vulnerability Flaw

A newly discovered hole in Google Chrome's built-in sandbox protection could lead to remote code execution, according to Acros Security.

The Slovenia-based security firm outlined the vulnerability in an e-mail sent to Google Chrome's developer team at the end of September. In it, the company described how an attacker could upload a hidden configuration file to bypass the security features of the Chrome sandbox.

"It is another case of file planting, where an application loads a data file (as opposed to binary file, leading to binary planting) from the current working directory," wrote Acros, in a blog posting. "Similarly to our previously reported file planting in Java Runtime Environment...Chrome loads a data file, namely pkcs11.txt, from the root of the current working directory and in case the file exists, parses and processes its content."
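The file-planting pattern Acros describes can be shown with a short added example (not code from Acros, Google or Chrome): a loader that opens a data file by relative name picks up whatever sits in the current working directory, while a loader anchored to an application-owned directory does not. The function names, the temporary directories and the marker content are assumptions constructed for the illustration; only the file name pkcs11.txt comes from the report.

```python
import os
import tempfile
from pathlib import Path

CONFIG_NAME = "pkcs11.txt"  # file name taken from the Acros description


def load_config_vulnerable(name=CONFIG_NAME):
    """Relative open: the OS resolves the name against the current working directory."""
    try:
        with open(name, encoding="utf-8") as fh:
            return fh.read()
    except FileNotFoundError:
        return None


def load_config_hardened(trusted_dir, name=CONFIG_NAME):
    """Resolve the name only inside an application-owned directory; never consult the CWD."""
    base = Path(trusted_dir).resolve(strict=True)
    candidate = (base / name).resolve()
    # Reject names that escape the trusted directory ("../x", or a symlink pointing elsewhere).
    if candidate.parent != base:
        raise ValueError(f"{name!r} resolves outside {base}")
    if not candidate.is_file():
        return None  # a missing file means "no config", not "look somewhere else"
    return candidate.read_text(encoding="utf-8")


def demo():
    """Return (vulnerable_result, hardened_result) when a data file is planted in the CWD."""
    old_cwd = os.getcwd()
    with tempfile.TemporaryDirectory() as profile, tempfile.TemporaryDirectory() as share:
        # Constructed stand-in for an untrusted share; the content is a harmless marker.
        Path(share, CONFIG_NAME).write_text("PLANTED-MARKER\n", encoding="utf-8")
        os.chdir(share)  # simulate a process whose working directory is the share
        try:
            return load_config_vulnerable(), load_config_hardened(profile)
        finally:
            os.chdir(old_cwd)


if __name__ == "__main__":
    print(demo())
```

The relative loader returns the planted marker, while the anchored loader returns nothing because the trusted directory holds no such file and it never falls back to the working directory.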

In response to the vulnerability disclosure, Google said the issue is not actually a "security bug" because it would be extremely difficult to pull off. "The preconditions to exploit this are too stretched: non-default browser configuration, freshly started browser, ability to get someone to load a file from your share (which means either being on the same internal network, or somehow getting them to mount a WebDAV share)," wrote Google.

Additionally, the preconditions for a successful exploit include the following: Chrome's default browser must be set to Google, the potential victim must not visit any other Web site that sends HTTPS requests before the malicious data file is downloaded and installed, and Chrome's working directory must be set to a controlled location.

While Google has notified other browser companies of this issue, including Mozilla, it said it has no plans to fix the issue due to its low risk level. Google summed up its position with the following statement: "Strange behavior, but we're not treating this as a security bug."

About the Author

Chris Paoli is the site producer for and

