Google's Chrome untouched at Pwn2Own hack match
Scheduled attackers don't show, or pass on exploiting sandboxed browser
Computerworld - Google's $20,000 was as safe at Pwn2Own Wednesday as if it had been in the bank.
The search giant had promised to pay $20,000 to the first researcher who broke into Chrome on the hacking contest's opening day.
But no one took up Google's offer.
"The first contestant was a no-show," said Aaron Portnoy, manager of HP TippingPoint's security research team, and Pwn2Own's organizer. "And the other team wanted to work on their BlackBerry vulnerability. So it doesn't look like anyone will try Chrome."
Only two entries had pre-registered for Chrome: Moatz Khader and one or more researchers going as "Team Anon." (Researchers may remain anonymous if they wish.) Based on a random drawing several weeks ago, Khader was to get first shot, with Team Anon second.
Team Anon is also slated to tackle RIM's BlackBerry OS on Thursday.
Late Wednesday, TippingPoint provided a tentative schedule for today's Pwn2Own; that schedule doesn't show any planned Chrome exploit.
Even if someone unexpectedly stepped up to take a crack at Chrome and exploited the browser, Google would be on the hook for just $10,000. As part of the deal it struck with TippingPoint, the two will split the $20,000 payment for a successful hack on the second or third days of the contest.
If Chrome comes out unscathed, as it now appears it will, the browser will have survived three consecutive Pwn2Owns, a record.
On Wednesday, researchers successfully exploited Safari and Internet Explorer. A team from French security company Vupen took down Safari 5 running on a MacBook Air notebook in five seconds, and independent researcher Stephen Fewer used a trio of vulnerabilities to hack IE8 on Windows 7.
Portnoy was impressed with Fewer's work. "The most impressive so far," said Portnoy. "He used three vulnerabilities to [not only] bypass ASLR and DEP, but also escape Protected Mode. That's something we've not seen at Pwn2Own before."
ASLR, for address space layout randomization, and DEP, or data execution prevention, are a pair of technologies baked into Windows that are designed to make it more difficult for exploits to reliably execute. Protected Mode is IE's "sandbox," which isolates the browser -- and thus any attack code that manages to infiltrate it -- so that the code cannot escape to do damage on the system as a whole.
Pwn2Own continues today and Friday, when Mozilla's Firefox and four smartphones running Apple's iOS, Google's Android, Microsoft's Windows 7 Phone and RIM's BlackBerry OS will be in researchers' crosshairs.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld.