French team brings down IE9 at Pwn2Own hacking contest
And Google patches Chrome bugs revealed after $60,000 Pwnium payout
Computerworld - A team from a French security firm hacked Microsoft's Internet Explorer 9 (IE9) yesterday at "Pwn2Own," making it two browsers busted in two days at the annual contest.
Also on Thursday, Google patched Chrome to fix two vulnerabilities that a long-time contributor to its bug bounty program used the day before to win $60,000 at "Pwnium," Google's first-ever hacking event.
The group from Paris-based Vupen Security brought down IE9 running on Windows 7 by exploiting a pair of previously-unknown "zero-day" bugs that bypassed the operating system's defensive technologies to execute attack code, allowing that code to escape from IE's "Protected Mode," the browser's limited-rights anti-exploit system.
On Wednesday, Vupen researchers had hacked Chrome, also on Windows 7, by leveraging one zero-day -- Google suspected it was not in the browser's native code -- to execute code and with another, to break out of Chrome's "sandbox."
Chrome uses a sandbox -- essentially an isolating technology -- to prevent malware from leaking out of the browser and infecting the computer's operating system.
HP TippingPoint's Zero Day Initiative (ZDI), Pwn2Own's sponsor, confirmed Vupen's work late Thursday.
Vupen has been virtually unopposed at Pwn2Own. As of early Friday, it had racked up 124 points in the scoring system that will be used to crown cash prize winners later today.
"Their lead looks impossible to beat at this point," said Aaron Portnoy, the leader of TippingPoint's security research team and the organizer of Pwn2Own, in an interview yesterday. The top scoring researcher or team will be awarded $60,000 by ZDI, with second- and third-place winners, if there are any, taking home $30,000 and $15,000.
For its part, Google patched the two zero-days disclosed Wednesday by Sergey Glazunov, who so far has been the only researcher to claim cash from the $1 million pot that Google set aside for its own Pwnium.
Google issued a new edition of Chrome 17 early Thursday, less than 24 hours after a proxy for Glazunov demonstrated the exploits to the company's security team at CanSecWest, the Vancouver, British Columbia conference hosting both Pwn2Own and Pwnium.
Glazunov was awarded $60,000 for his work.
Pwn2Own is in its sixth year at CanSecWest; rival Pwnium debuted this year.
Glazunov demonstrated what Google classified as a "full Chrome exploit." While Google did not release any additional information about the vulnerabilities -- as it always does when it patches Chrome, it blocked public access to its bug-tracking database for the flaws it just fixed -- that label meant Glazunov had to have exploited a code execution flaw as well as a second "sandbox-escape" bug, with both vulnerabilities limited to Google-made code.
- Top 10 Reasons to Strengthen Information Security with Desktop Virtualization Regain control and reduce risk without sacrificing business productivity and growth
- Preventing Sophisticated Attacks: Anti-Evasion & Advanced Evasion Techniques McAfee Next Generation Firewall applies sophisticated analysis techniques specifically to detect advanced evasion techniques (AET).
- The Security Industry's Dirty Little Secret The debate over advanced evasion techniques (AETs) This report summarizes the findings of a McAfee commissioned research group to determine the level of understanding IT security professionals have about AETs...
- Demand More, Get the Most from the Move to a Next-Generation Firewall Beyond the basics in a next generation firewall, to protect your investment you should demand other valuable features: intrusion prevention, contextual rules, advanced...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!