Chrome succumbs to Pwn2Own contest hack
Plus, Google's 'Pwnium' snares a Chrome sandbox-escape exploit with $60K bait
Computerworld - Google's Chrome fell to researchers' exploits Wednesday in both hacking challenges running this week at the CanSecWest security conference.
Yesterday was the first of three days for the "Pwn2Own" contest -- now in its fifth year -- and for Google's rival upstart, "Pwnium."
While Chrome went untouched in the last two years of "Pwn2Own," it was the first to fall to researchers Wednesday when a French team demonstrated a two-vulnerability attack on the browser running in Windows 7.
Meanwhile, Google announced it had received its first "Pwnium" exploit submission, which the company's Chrome chief executive said qualified for that event's top-dollar $60,000 reward.
There are two cash-at-stake hacking events at CanSecWest this year because last week Google withdrew its Pwn2Own sponsorship over objections to the contest's practice of not requiring researchers to divulge "sandbox-escape" exploits.
Google then announced its own Pwnium, which is not a contest per se, but rather a three-day window during which security researchers can demonstrate their Chrome attacks for the company's security team. Google had promised it would pay up to $1 million -- in $20,000, $40,000 and $60,000 awards -- for hacks that exploited unknown, or "zero-day," vulnerabilities.
At Pwn2Own, which changed this year to a point system, a team from French security company Vupen hacked Chrome about five minutes after the contest's starting gun. Vupen was awarded 32 points by HP TippingPoint's Zero Day Initiative (ZDI) bug bounty program, Pwn2Own's organizer and sponsor.
The top scoring individual or research team will be handed $60,000 on Friday, with second and third places receiving $30,000 and $15,000, respectively.
Vupen's exploit leveraged two bugs, said ZDI in a tweet Wednesday, including a "sandbox escape" necessary to break out of the anti-malware isolation technology designed to prevent malware from jumping out of the browser to infect the operating system.
"Google Chrome is the first browser to fall at #pwn2own 2012," said Vupen in a tweet of its own. "We pwned it using an exploit bypassing DEP/ASLR and the sandbox!"
DEP, for data execution prevention, and ASLR, or address space layout randomization, are anti-exploit defenses baked into Windows.
On the Pwnium side of the aisle, Sundar Pichai, the senior vice president of Chrome, used Google+ to announce the first exploit submission.
"Congrats to long-time Chromium contributor Sergey Glazunov who just submitted our first Pwnium entry," said Pichai. "Looks like it qualifies as a 'Full Chrome' exploit, qualifying for a $60k reward."
Glazunov has not only been an active contributor to Chromium, the open-source project that feeds code into Chrome proper, but was also last year's most prolific Chrome bug finder outside Google.
Last year, Google paid Glazunov nearly $59,000 in bug-reporting bounties, beating the No. 2 researcher, who goes only by the nickname "miabiz," by almost $20,000.
To qualify for a $60,000 Pwnium prize, Glazunov would have had to uncover two zero-days in Chrome, one that allowed code execution in the browser, the other that broke out of the browser's sandbox. By Google's Pwnium rules, both vulnerabilities had to have been in Chrome's code.
Pichai said that Google was working up a patch to push to Chrome users via the browser's silent update mechanism, but did not reveal a timeline for the fix's appearance.
Pwn2Own's ZDI had predicted last week that no one would take Google up on its Pwnium offer, arguing that a sandbox escape exploit -- which is rare -- was worth much more than $60,000 on the open market.
To claim a Pwnium prize, researchers must reveal all vulnerabilities and exploits they used. Pwn2Own, however, requires contestants to disclose code execution bugs, but not any sandbox escape exploits.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg's RSS feed. His e-mail address is email@example.com.