French team brings down IE9 at Pwn2Own hacking contest
And Google patches Chrome bugs revealed after $60,000 Pwnium payout
Computerworld - A team from a French security firm hacked Microsoft's Internet Explorer 9 (IE9) yesterday at "Pwn2Own," making it two browsers busted in two days at the annual contest.
Also on Thursday, Google patched Chrome to fix two vulnerabilities that a long-time contributor to its bug bounty program used the day before to win $60,000 at "Pwnium," Google's first-ever hacking event.
The group from Paris-based Vupen Security brought down IE9 running on Windows 7 by exploiting a pair of previously-unknown "zero-day" bugs that bypassed the operating system's defensive technologies to execute attack code, allowing that code to escape from IE's "Protected Mode," the browser's limited-rights anti-exploit system.
On Wednesday, Vupen researchers had hacked Chrome, also on Windows 7, by leveraging one zero-day -- Google suspected it was not in the browser's native code -- to execute code and with another, to break out of Chrome's "sandbox."
Chrome uses a sandbox -- essentially an isolating technology -- to prevent malware from leaking out of the browser and infecting the computer's operating system.
HP TippingPoint's Zero Day Initiative (ZDI), Pwn2Own's sponsor, confirmed Vupen's work late Thursday.
Vupen has been virtually unopposed at Pwn2Own. As of early Friday, it had racked up 124 points in the scoring system that will be used to crown cash prize winners later today.
"Their lead looks impossible to beat at this point," said Aaron Portnoy, the leader of TippingPoint's security research team and the organizer of Pwn2Own, in an interview yesterday. The top scoring researcher or team will be awarded $60,000 by ZDI, with second- and third-place winners, if there are any, taking home $30,000 and $15,000.
For its part, Google patched the two zero-days disclosed Wednesday by Sergey Glazunov, who so far has been the only researcher to claim cash from the $1 million pot that Google set aside for its own Pwnium.
Google issued a new edition of Chrome 17 early Thursday, less than 24 hours after a proxy for Glazunov demonstrated the exploits to the company's security team at CanSecWest, the Vancouver, British Columbia conference hosting both Pwn2Own and Pwnium.
Glazunov was awarded $60,000 for his work.
Pwn2Own is in its sixth year at CanSecWest; rival Pwnium debuted this year.
Glazunov demonstrated what Google classified as a "full Chrome exploit." While Google did not release any additional information about the vulnerabilities -- as it always does when it patches Chrome, it blocked public access to its bug-tracking database for the flaws it just fixed -- that label meant Glazunov had to have exploited a code execution flaw as well as a second "sandbox-escape" bug, with both vulnerabilities limited to Google-made code.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Alert Logic for PCI DSS Compliance To achieve PCI DSS compliance, you must identify and remediate all critical vulnerabilities detected during PCI scans. Threat Manager streamlines this process by...
- Cybersecurity Imperatives Reinvent Your Network Security With Palo Alto Networks The Rise of CyberSecurity
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts