Google speech recognition was vulnerable to use-after-free attack

A specially crafted webpage could hook a dangling pointer created by Google Chrome and Chromium's speech recognition API object and use it to access a block of memory on a user's machine.

The vulnerability was discovered two years ago and applies to Chrome 39.0. It was reported to Google which patched it in February 2015 and engineered out in Chrome 43.0.2357.65.

The researcher, Berend-Jan Wever, is only now releasing details of the exploit as part of a series of posts about web exploits he has discovered over the years.

In this “use after free” exploit, the attacker reads a pointer from freed memory and calls a function, allowing arbitrary code execution.

For this exploit to work, the victim has to open the specially crafted webpage to initiate a piece of javascript and then use Google Chrome's voice recognition feature.

“An attacker looking to exploit this issue is going to want to try and control the contents of the freed memory, before getting the code to use the dangling pointer to call a virtual function. Doing so would allow an attacker to execute arbitrary code,” Berend-Jan Wever wrote on his blog.

He said the exploit can be triggered at a time of the attacker's choosing, giving him ample opportunity to prepare the contents of the freed memory for the exploit.

However, Wever said that to develop the vulnerability into a real exploit would have required bypassing existing mitigations such as Address Space Layout Randomisation (ASLR) and Data Execution Prevention (DEP).


Sign up to our newsletters