French team brings down IE9 at Pwn2Own hacking contest
And Google patches Chrome bugs revealed after $60,000 Pwnium payout
Computerworld - A team from a French security firm hacked Microsoft's Internet Explorer 9 (IE9) yesterday at "Pwn2Own," making it two browsers busted in two days at the annual contest.
Also on Thursday, Google patched Chrome to fix two vulnerabilities that a long-time contributor to its bug bounty program used the day before to win $60,000 at "Pwnium," Google's first-ever hacking event.
The group from Paris-based Vupen Security brought down IE9 running on Windows 7 by exploiting a pair of previously-unknown "zero-day" bugs that bypassed the operating system's defensive technologies to execute attack code, allowing that code to escape from IE's "Protected Mode," the browser's limited-rights anti-exploit system.
On Wednesday, Vupen researchers had hacked Chrome, also on Windows 7, by leveraging one zero-day -- Google suspected it was not in the browser's native code -- to execute code and with another, to break out of Chrome's "sandbox."
Chrome uses a sandbox -- essentially an isolating technology -- to prevent malware from leaking out of the browser and infecting the computer's operating system.
HP TippingPoint's Zero Day Initiative (ZDI), Pwn2Own's sponsor, confirmed Vupen's work late Thursday.
Vupen has been virtually unopposed at Pwn2Own. As of early Friday, it had racked up 124 points in the scoring system that will be used to crown cash prize winners later today.
"Their lead looks impossible to beat at this point," said Aaron Portnoy, the leader of TippingPoint's security research team and the organizer of Pwn2Own, in an interview yesterday. The top scoring researcher or team will be awarded $60,000 by ZDI, with second- and third-place winners, if there are any, taking home $30,000 and $15,000.
For its part, Google patched the two zero-days disclosed Wednesday by Sergey Glazunov, who so far has been the only researcher to claim cash from the $1 million pot that Google set aside for its own Pwnium.
Google issued a new edition of Chrome 17 early Thursday, less than 24 hours after a proxy for Glazunov demonstrated the exploits to the company's security team at CanSecWest, the Vancouver, British Columbia conference hosting both Pwn2Own and Pwnium.
Glazunov was awarded $60,000 for his work.
Pwn2Own is in its sixth year at CanSecWest; rival Pwnium debuted this year.
Glazunov demonstrated what Google classified as a "full Chrome exploit." While Google did not release any additional information about the vulnerabilities -- as it always does when it patches Chrome, it blocked public access to its bug-tracking database for the flaws it just fixed -- that label meant Glazunov had to have exploited a code execution flaw as well as a second "sandbox-escape" bug, with both vulnerabilities limited to Google-made code.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts