Google Chrome Browser 0.2.149.27

---------------------------------------------------
Software:
Google Chrome Browser 0.2.149.27

Tested:
Windows XP Professional SP3

Result:
Google Chrome Crashes with All Tabs

Problem:
An issue exists in how chrome behaves with undefined-handlers in chrome.dll version 0.2.149.27. A crash can result without user interaction. When a user is made to visit a malicious link, which has an undefined handler followed by a 'special' character, the chrome crashes with a Google Chrome message window "Whoa! Google Chrome has crashed. Restart now?". It crashes on "int 3" at 0x01002FF3 as an exception/trap, followed by "POP EBP" instruction when pointed out by the EIP register at 0x01002FF4.

Proof of Concept:
http://evilfingers.com/advisory/google_chrome_poc.php

Credit:
Rishi Narang
psy.echo [ at ] gmail.com
www.greyhat.in
www.evilfingers.com
---------------------------------------------------

PoC Working/Exploit:
Click for a demo HERE

Google Chrome Browser 0.2.149.27

A personal note from Rishi
"Time" can definitely plays a major role. There was a collision that occurred due to the fact that I took time to find the real break point in the code, search for a template and to publish at EvilFingers site before sending it to Google and other bugtraqs.

Even though I had the vulnerability 4 hrs well before the real publication of the bug and had the exploit along with the some crash details like "int 3" Kernel Exception/Trap @ 0x01002FF3, different attack cases, exceptions of http/ftp and further debug logs; there was this bug published (though without the details of possible cases, exceptions and mouse hover techniques) couple of hours before I released it out at EvilFingers.

So, I would like to convey due credit to Mr. JanDeMooij as well for his posting the bug on http://code.google.com/p/chromium/issues/detail?id=122, and thanks to Mr. Brennan for contacting me about the same.