Google Downplays 'Sandbox' Vulnerability Flaw

A newly discovered hole in Google Chrome's built-in sandbox protection could lead to remote code execution, according to Acros Security.

The Slovenia-based security firm outlined the vulnerability in an e-mail sent to Google Chrome's developer team at the end of September. In it, the company described how a hidden configuration file could be uploaded by an attacker to bypass the security features of the Chrome sandbox.

"It is another case of file planting, where an application loads a data file (as opposed to binary file, leading to binary planting) from the current working directory," wrote Acros, in a blog posting. "Similarly to our previously reported file planting in Java Runtime Environment...Chrome loads a data file, namely pkcs11.txt, from the root of the current working directory and in case the file exists, parses and processes its content."

In response to the vulnerability disclosure, Google said the issue is not actually a "security bug" because it would be extremely difficult to pull off. "The preconditions to exploit this are too stretched: non-default browser configuration, freshly started browser, ability to get someone to load a file from your share (which means either being on the same internal network, or somehow getting them to mount a WebDAV share)," wrote Google.

Additionally, the preconditions that must be present for a successful exploit include having Chrome's default browser set to Google, the potential victim not visiting any other Web site that sends HTTPS requests before the malicious data file is downloaded and installed, and Chrome's working directory being set to a controlled location.

While Google has notified other browser companies of this issue, including Mozilla, it said it has no plans to fix the issue due to its low risk level. Google summed up its position with the following statement: "Strange behavior, but we're not treating this as a security bug."
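The file-planting pattern Acros describes, loading pkcs11.txt by relative name from the current working directory, is shown below next to a hardened lookup. This is an added example, not code from Chrome, Acros or the original article; the function names, directory names and file contents are constructed for illustration, and the hardened form is a general mitigation rather than a fix Google shipped.

```python
import os
import tempfile
from pathlib import Path

CONFIG_NAME = "pkcs11.txt"  # data file named in the Acros report


def load_config_unsafe(name=CONFIG_NAME):
    """Vulnerable pattern: a relative name resolves against the current
    working directory, whatever directory that happens to be."""
    try:
        with open(name, encoding="utf-8") as fh:
            return fh.read()
    except FileNotFoundError:
        return None


def load_config_safe(app_dir, name=CONFIG_NAME):
    """Hardened pattern (assumed mitigation): read the file only from a
    directory the application owns and reject paths that escape it,
    including via '..' components or symlinks."""
    base = Path(app_dir).resolve()
    candidate = (base / name).resolve()
    if candidate.parent != base:
        raise ValueError(f"refusing path outside {base}: {candidate}")
    try:
        return candidate.read_text(encoding="utf-8")
    except FileNotFoundError:
        return None


def demo():
    """Constructed scenario: 'share' stands in for an untrusted directory
    that became the working directory; 'profile' is the app's own dir."""
    old_cwd = os.getcwd()
    with tempfile.TemporaryDirectory() as root:
        share = Path(root, "share")
        profile = Path(root, "profile")
        share.mkdir()
        profile.mkdir()
        (share / CONFIG_NAME).write_text("planted-by-untrusted-dir\n", encoding="utf-8")
        (profile / CONFIG_NAME).write_text("trusted-config\n", encoding="utf-8")
        try:
            os.chdir(share)
            # Same file name, two different files depending on how it is resolved.
            return load_config_unsafe(), load_config_safe(profile)
        finally:
            os.chdir(old_cwd)  # restore before the temp dir is removed
```
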

About the Author

Chris Paoli is the site producer for and

