The flaw was discovered last week by the expert Andris Atteka who filed also a bug report.
“Recently I reported a crash bug in Google Chrome (issue #533361). This issue reminded me of the recent Skype vulnerability – both occur with simple URL strings. So how can you crash Google Chrome? By adding a NULL char in the URL string:
Unfortunately no reward was awarded as this was deemed to be only a DOS vulnerability. Anyway, making secure software is much harder than finding issues in it. Thanks Google.” wrote Andris Atteka.
This crashes someone’s browser in web gtalk/chrome if you msg them that URLhttps://t.co/vi0e10IEFH
— mdowd (@mdowd) September 20, 2015
Experts at The Register published the image of two URLs that could be used to crash Chrome, users can kill their browser just rolling the mouse over them in a page, or launching them from another application such as an email client, or pasting them into the address bar.
The above URLs trigger a breakpoint rather than exploit a buffer overflow vulnerability.
The two URL works on Chrome 45.0.2454.93 on OS X El Capitan and Windows 10 and also Opera 32.0 which is based on Chromium 45 crash. The experts also noticed Chromebooks crashing by managing the URL, meanwhile Android’s Chrome seems to be immune.
%%300at the end of the URL is converted into
0x30is the ASCII code for ‘0’. The %%300 becomes this string of characters: the original ‘%’, the converted ‘0’, and the original ‘0’. Combined, that’s ‘%00’.) This sticks a NULL byte at the end of the web address.
GURLToDatabaseURL()which expects the URL to still be valid, and calls
DCHECK() that causes the software to bail out – even on the release build.
The Chromium team is currently working to fix the issue.
(Security Affairs – Chrome, hacking)