A team from a French security firm hacked Microsoft's Internet Explorer 9 (IE9) yesterday at "Pwn2Own," making it two browsers busted in two days at the annual contest.
Also on Thursday, Google patched Chrome to fix two vulnerabilities that a long-time contributor to its bug bounty program used the day before to win $60,000 at "Pwnium," Google's first-ever hacking event.
The group from Paris-based Vupen Security brought down IE9 running on Windows 7 by exploiting a pair of previously-unknown "zero-day" bugs that bypassed the operating system's defensive technologies to execute attack code, allowing that code to escape from IE's "Protected Mode," the browser's limited-rights anti-exploit system.
On Wednesday, Vupen researchers had hacked Chrome, also on Windows 7, by leveraging one zero-day -- Google suspected it was not in the browser's native code -- to execute code and, with another, to break out of Chrome's "sandbox."
Chrome uses a sandbox -- essentially an isolating technology -- to prevent malware from leaking out of the browser and infecting the computer's operating system.
HP TippingPoint's Zero Day Initiative (ZDI), Pwn2Own's sponsor, confirmed Vupen's work late Thursday.
Vupen has been virtually unopposed at Pwn2Own. As of early Friday, it had racked up 124 points in the scoring system that will be used to crown cash prize winners later today.
"Their lead looks impossible to beat at this point," said Aaron Portnoy, the leader of TippingPoint's security research team and the organizer of Pwn2Own, in an interview yesterday. The top scoring researcher or team will be awarded $60,000 by ZDI, with second- and third-place winners, if there are any, taking home $30,000 and $15,000.
For its part, Google patched the two zero-days disclosed Wednesday by Sergey Glazunov, who so far has been the only researcher to claim cash from the $1 million pot that Google set aside for its own Pwnium.
Google issued a new edition of Chrome 17 early Thursday, less than 24 hours after a proxy for Glazunov demonstrated the exploits to the company's security team at CanSecWest, the Vancouver, British Columbia conference hosting both Pwn2Own and Pwnium.
Glazunov was awarded $60,000 for his work.
Pwn2Own is in its sixth year at CanSecWest; rival Pwnium debuted this year.
Glazunov demonstrated what Google classified as a "full Chrome exploit." While Google did not release any additional information about the vulnerabilities -- as it always does when it patches Chrome, it blocked public access to its bug-tracking database for the flaws it just fixed -- that label meant Glazunov had to have exploited a code execution flaw as well as a second "sandbox-escape" bug, with both vulnerabilities limited to Google-made code.
Google has not patched the Vupen vulnerabilities because it has not yet received information from ZDI, a spokeswoman said in an email reply to questions on Thursday.
Google security engineers at CanSecWest noted that as well. "I really would like ZDI to hand off the bugs so patches can get pushed," said Justin Schuh of Google on Twitter Thursday.
Pwn2Own has not yet handed over vulnerability information to either Google or Microsoft, but will, said Portnoy, once the contest wraps up Friday.
Google and ZDI have been at odds over the CanSecWest hacking contests since the former pulled out of Pwn2Own and created its own event. The disagreement centered around what would be reported by ZDI to vendors after the contest.
ZDI said it would report code execution bugs to vendors, but not sandbox-escape vulnerabilities, which it said were so rare, and thus valuable, that ruling otherwise would make it impossible to attract researchers to try their hand at hacking Chrome.
Last week, ZDI went so far as to say that it did not think any researcher would part with a Chrome sandbox-escape vulnerability and exploit, even with Google's $60,000 top prize on the line.
When asked yesterday to comment on that ZDI prediction, Portnoy noted that Glazunov was a frequent contributor to Google's bug-reporting program, and argued that his submission showed the value of vendors forging strong relationships with independent researchers.
"Building such relationships is valuable," said Portnoy, adding that there have been times when researchers, although not entirely happy with the money they've received for their bugs, have still submitted vulnerabilities to ZDI because "they know us, and know they can come to us for help."
He suggested that Google benefited in the same way from its relationship with Glazunov.
Glazunov is a Chrome bug-reporting machine: In 2011, he was paid nearly $59,000 by Google for filing scores of vulnerabilities.
As per its practice, ZDI has not disclosed the bugs the Vupen team used to hack Chrome and IE9 -- and will not until the vendors deploy patches. Google's Schuh, however, was convinced that the code execution flaw the French team exploited was not in Chrome's own code, but in Adobe's Flash Player, which is distributed with each Chrome update.
ZDI and Google have each hinted at more browser hacking demonstrations before Pwn2Own and Pwnium wrap up today.
The patched version of Chrome 17 can be downloaded for Windows, Mac OS X and Linux from Google's website. Users now running Chrome will receive an automatic background update the next time they launch the browser.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld.