VUPEN Security Research - Google Chrome Blink "locationAttributeSetter"
Use-after-free (Pwn2Own)

Published: 2014-03-27 (mirrored on vulners.com)

Website : http://www.vupen.com

Twitter : http://twitter.com/vupen

I. BACKGROUND

"Google Chrome is a freeware web browser developed by Google. Chrome
version 28 and beyond uses the WebKit fork Blink. As of 2013,
StatCounter estimates that Google Chrome has a 39% worldwide usage
share of web browsers" (Wikipedia).

II. DESCRIPTION

VUPEN Vulnerability Research Team discovered a critical vulnerability
in Google Chrome.

The vulnerability is caused by a use-after-free error within the
"DocumentV8Internal::locationAttributeSetter()" function, the generated V8
binding that runs when script assigns to "document.location". Under certain
conditions the setter continues to use an object that has already been
freed, which could be exploited to leak arbitrary memory and/or achieve
code execution via a specially crafted web page.

III. AFFECTED PRODUCTS

Google Chrome versions prior to 33.0.1750.154

IV. SOLUTION

Upgrade to Chrome version 33.0.1750.154 or later.
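The affected/fixed boundary above is a full four-component build number, and
the usual mistake when triaging browser inventories or proxy logs against it
is a string comparison ("33.0.1750.99" sorts after "33.0.1750.154" as text).
The following helper is an added example, not part of the VUPEN advisory: it
compares versions numerically against the fixed build named in section III/IV
and extracts the Chrome version from User-Agent strings. The sample User-Agent
lines and all function names are constructed for illustration.

```python
import re

# Fixed build from the advisory (Chrome stable channel update, 2014-03-14).
FIXED_VERSION = "33.0.1750.154"

# Chrome User-Agent strings carry "Chrome/<major>.<minor>.<build>.<patch>".
_CHROME_UA_RE = re.compile(r"\bChrome/(\d+(?:\.\d+){0,3})")


def parse_version(version):
    """Turn a dotted numeric version string into a tuple of ints.

    Numeric comparison matters: as strings, "33.0.1750.99" sorts after
    "33.0.1750.154" because "9" > "1", which would mark a vulnerable build
    as patched.
    """
    if not re.fullmatch(r"\d+(?:\.\d+)*", version):
        raise ValueError("not a dotted numeric version: %r" % version)
    return tuple(int(part) for part in version.split("."))


def is_affected(version, fixed=FIXED_VERSION):
    """True if `version` is strictly older than the fixed build.

    A shorter version such as "33.0" compares as older than the full
    fixed build, so incomplete version strings are treated as affected
    (the conservative choice for triage).
    """
    return parse_version(version) < parse_version(fixed)


def chrome_version_from_ua(user_agent):
    """Extract the Chrome version from a User-Agent string, or None."""
    m = _CHROME_UA_RE.search(user_agent)
    return m.group(1) if m else None


def triage_user_agents(lines):
    """Return (user_agent, version, affected) for each line that is Chrome.

    Non-Chrome lines (e.g. Firefox) are skipped rather than reported.
    """
    results = []
    for ua in lines:
        v = chrome_version_from_ua(ua)
        if v is None:
            continue
        results.append((ua, v, is_affected(v)))
    return results


if __name__ == "__main__":
    # Constructed sample User-Agent lines, not data from the advisory.
    sample = [
        "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) "
        "Chrome/33.0.1750.117 Safari/537.36",
        "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) "
        "Chrome/33.0.1750.154 Safari/537.36",
        "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) "
        "Chrome/34.0.1847.116 Safari/537.36",
        "Mozilla/5.0 (Windows NT 6.1; rv:28.0) Gecko/20100101 Firefox/28.0",
    ]
    for ua, v, affected in triage_user_agents(sample):
        print("%-14s %s" % (v, "AFFECTED" if affected else "fixed"))
```

Feed it the User-Agent column of a proxy or web-server log to list clients
still on a vulnerable build; anything reported as affected should be updated
as described in section IV.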

V. CREDIT

This vulnerability was discovered by VUPEN Security.

VI. ABOUT VUPEN Security

VUPEN is the leading provider of defensive and offensive cyber security
intelligence and advanced zero-day research. All VUPEN's vulnerability
intelligence results exclusively from its internal and in-house R&D
efforts conducted by its team of world-class researchers.

VUPEN Solutions: http://www.vupen.com/english/services/

VII. REFERENCES

http://googlechromereleases.blogspot.com/2014/03/stable-channel-update_14.html

VIII. DISCLOSURE TIMELINE

2014-01-26 - Vulnerability Discovered by VUPEN Security
2014-03-13 - Vulnerability Reported to Google/ZDI During Pwn2Own 2014
2014-03-14 - Vulnerability Fixed by Google
2014-03-26 - Public disclosure