Fatal exception crashes Google Chrome in sixteen characters
If you see this code and you are using Google Chrome, don't click it, type it in, copy it or even hover your mouse over it http:// a /%%30%30
Google Chrome: 16 characters away from meltdown
Google's Chrome browser can be crashed with a simple sixteen-character string of code. The bug was surfaced and highlighted by Latvian independent blogger, software engineer and security researcher Andris Atteka.
The code string in question is http:// a /%%30%30
If the code is live-linked on a web page (as it is not here on SC Magazine UK), simply hovering your mouse over the code will crash Chrome on PC and Mac versions of the browser.
The bug itself is brought about by a SIGTRAP fatal exception. As Chris Williams explains on The Register, “[This fatal exception occurs] rather than the usual memory access violation error caused by an overrun buffer, heap corruption, or similar – even in released code. This means some part of the executable was reached that the programmers never expected normal users to hit. As it turns out, the code at fault is some really old stuff.”
This issue is similar in nature to the Skype bug, which arose earlier this year, where the service could be crashed by simply entering the six-character string “http://:” in the text chat line.
Desktop not safe, mobile Chrome safe
Mobile versions of Chrome do not appear to be affected, and the code does not have the same impact on Firefox, Safari or Microsoft Edge.
Google has said that it is currently fixing the flaw. The search giant is known for planting concealed Easter Eggs inside its products such as hidden games, but this functionality appears to be unintended.
“Recently I reported a crash bug in Google Chrome (issue #533361). This issue reminded me of the recent Skype vulnerability - both occur with simple URL strings. So how can you crash Google Chrome? By adding a NULL char in the URL string,” writes Atteka.
Atteka appears to have initially been under the impression that Google would offer a reward for surfacing this type of vulnerability, although this does not appear to be the case in this instance.
Google has classified the bug NOT as a security threat, saying that it is simply a ‘Debug’ error. The Chromium developer pages list this problem as issue 533361: ‘GURL re-canonicalization unescapes a second time, can invalidate previously-valid URL’.
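The Chromium issue title describes the mechanism: the URL is percent-unescaped once during canonicalization, then unescaped again, so the string `%%30%30` becomes `%00` on the first pass and a NUL byte on the second. The following Python is an added illustration written for this article, not Chromium code; it models a single percent-decoding pass with a simplified decoder (the real GURL canonicalizer is more involved, and that simplification is an assumption here) and shows the defensive check a URL-handling component would want: canonicalization should be a fixed point, and a second pass should never introduce control characters.

```python
import string

HEX = set(string.hexdigits)


def unescape_once(s: str) -> str:
    """One pass of percent-decoding.

    A '%' followed by two hex digits becomes that byte; anything else is
    copied through unchanged. Simplified stand-in for a URL canonicalizer's
    unescape step (assumption: Chromium's real logic is more complex).
    """
    out = []
    i = 0
    while i < len(s):
        c = s[i]
        if c == "%" and i + 2 < len(s) and s[i + 1] in HEX and s[i + 2] in HEX:
            out.append(chr(int(s[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(c)
            i += 1
    return "".join(out)


def has_control_chars(s: str) -> bool:
    """True if the string contains a C0 control byte (NUL, etc.) or DEL."""
    return any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in s)


def analyse_url(url: str) -> dict:
    """Apply the decoder twice and report whether the result is stable.

    A URL whose second pass differs from its first is not a fixed point of
    canonicalization: re-canonicalizing it changes its meaning, which is the
    class of problem the Chromium issue describes.
    """
    first = unescape_once(url)
    second = unescape_once(first)
    return {
        "first_pass": first,
        "second_pass": second,
        "idempotent": first == second,
        "control_char_introduced": (not has_control_chars(first))
        and has_control_chars(second),
    }


def is_safe_to_recanonicalize(url: str) -> bool:
    """Defensive gate: accept only URLs that are stable under re-decoding
    and never gain control characters on a second pass."""
    report = analyse_url(url)
    return report["idempotent"] and not report["control_char_introduced"]


if __name__ == "__main__":
    # Constructed sample inputs; the first is the string quoted in the article.
    for sample in ["http://a/%%30%30", "http://a/%41", "http://a/%2541"]:
        print(sample, analyse_url(sample), is_safe_to_recanonicalize(sample))
```

Run stand-alone, the script shows that `%41` decodes to `A` and stays `A` on the second pass, whereas `%%30%30` first yields `%00` and then a NUL byte, so only the former passes the gate. The gate is deliberately strict: a double-encoded but benign value such as `%2541` is also rejected, because the safe rule is that canonical output must not change when canonicalized again.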
TK Keanini, CTO at security analysis company Lancope, told SCMagazineUK.com that these types of crash scenario are never a good thing because, at a minimum, they are disruptive; in the worst case they open an opportunity for memory to be exploited, and again it becomes a race against time to update.
“Chrome is software and software has bugs. The beauty of Chrome is the fact that it auto-updates and removes a procrastinating or uninformed user from the equation,” he said.
Keanini reminded us that Chrome's architecture was built from day one to assume this type of scenario: “Fixes here will be pushed out to the world as soon as they are available and this event will be a thing of the past.”
Jaromir Horejsi, malware analyst at Avast, told SC that fatal exceptions of this kind are errors which can't be handled by the program and cause the program not to continue; this is communicated either through an error message box or simply by the program crashing. “Here, we see the perfect example of a fatal exception,” he said.
“When a complex piece of software is being developed, it's inevitable that after some time, a bug will be found. Bugs can be exploitable or non-exploitable – in this case, we're dealing with the latter type. Exploitable bugs may pose a threat to end users because through exploiting the bug, malware can be installed in the computer. Non-exploitable bugs may lead to a crash of the software, but they won't result in the execution of malicious code,” added Horejsi.
Horejsi concluded that fortunately, it isn't possible for this problem to escalate and turn into something bigger, as this type of bug is non-exploitable.
Google's position on security
Google's final word on issues like this comes down to its Reporting Security Bugs statement, which says that the Chromium project takes security very seriously, but the fact is that any complex software project is going to have some vulnerabilities.
According to Google, “So, you can help us make Chromium more secure by following the guidelines below when filing security bugs against Chromium.”