Chrome succumbs to Pwn2Own contest hack
Plus, Google's 'Pwnium' snares a Chrome sandbox-escape exploit with $60K bait
Computerworld - Google's Chrome fell to researchers' exploits Wednesday in both hacking challenges running this week at the CanSecWest security conference.
Yesterday was the first of three days for the "Pwn2Own" contest -- now in its fifth year -- and for Google's rival upstart, "Pwnium."
While Chrome went untouched in the last two years of "Pwn2Own," it was the first to fall to researchers Wednesday when a French team demonstrated a two-vulnerability attack on the browser running in Windows 7.
Meanwhile, Google announced it had received its first "Pwnium" exploit submission, which the company's Chrome chief executive said qualified for that event's top-dollar $60,000 reward.
There are two cash-at-stake hacking events at CanSecWest this year because last week Google withdrew its Pwn2Own sponsorship over objections to the contest's practice of not requiring researchers to divulge "sandbox-escape" exploits.
Google then announced its own Pwnium, which is not a contest per se, but rather a three-day window during which security researchers can demonstrate their Chrome attacks for the company's security team. Google had promised it would pay up to $1 million -- in $20,000, $40,000 and $60,000 awards -- for hacks that exploited unknown, or "zero-day," vulnerabilities.
At Pwn2Own, which changed this year to a point system, a team from French security company Vupen hacked Chrome about five minutes after the contest's starting gun. Vupen was awarded 32 points by HP TippingPoint's Zero Day Initiative (ZDI) bug bounty program, Pwn2Own's organizer and sponsor.
The top scoring individual or research team will be handed $60,000 on Friday, with second and third places receiving $30,000 and $15,000, respectively.
Vupen's exploit leveraged two bugs, said ZDI in a tweet Wednesday, including a "sandbox escape" necessary to break out of the anti-malware isolation technology designed to prevent malware from jumping out of the browser to infect the operating system.
"Google Chrome is the first browser to fall at #pwn2own 2012," said Vupen in a tweet of its own. "We pwned it using an exploit bypassing DEP/ASLR and the sandbox!"
DEP, for data execution prevention, and ASLR, or address space layout randomization, are anti-exploit defenses baked into Windows.
On the Pwnium side of the aisle, Sundar Pichai, the senior vice president of Chrome, used Google+ to announce the first exploit submission.
"Congrats to long-time Chromium contributor Sergey Glazunov who just submitted our first Pwnium entry," said Pichai. "Looks like it qualifies as a 'Full Chrome' exploit, qualifying for a $60k reward."
Glazunov has not only been an active contributor to Chromium, the open-source project that feeds code into Chrome proper, but was also last year's most prolific Chrome bug finder outside Google.
Last year, Google paid Glazunov nearly $59,000 in bug-reporting bounties, beating the No. 2 researcher, who goes only by the nickname "miabiz," by almost $20,000.
To qualify for a $60,000 Pwnium prize, Glazunov would have had to uncover two zero-days in Chrome, one that allowed code execution in the browser, the other that broke out of the browser's sandbox. By Google's Pwnium rules, both vulnerabilities had to have been in Chrome's code.
Pichai said that Google was working up a patch to push to Chrome users via the browser's silent update mechanism, but did not reveal a timeline for the fix's appearance.
Pwn2Own's ZDI had predicted last week that no one would take Google up on its Pwnium offer, arguing that a sandbox escape exploit -- which is rare -- was worth much more than $60,000 on the open market.
To claim a Pwnium prize, researchers must reveal all vulnerabilities and exploits they used. Pwn2Own, however, requires contestants to disclose code execution bugs, but not any sandbox escape exploits.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg's RSS feed. His e-mail address is firstname.lastname@example.org.