Computerworld - A team from a French security firm hacked Microsoft's Internet Explorer 9 (IE9) yesterday at "Pwn2Own," making it two browsers busted in two days at the annual contest.
Also on Thursday, Google patched Chrome to fix two vulnerabilities that a long-time contributor to its bug bounty program used the day before to win $60,000 at "Pwnium," Google's first-ever hacking event.
The group from Paris-based Vupen Security brought down IE9 running on Windows 7 by exploiting a pair of previously-unknown "zero-day" bugs that bypassed the operating system's defensive technologies to execute attack code, allowing that code to escape from IE's "Protected Mode," the browser's limited-rights anti-exploit system.
On Wednesday, Vupen researchers had hacked Chrome, also on Windows 7, by leveraging one zero-day -- Google suspected it was not in the browser's native code -- to execute code and with another, to break out of Chrome's "sandbox."
Chrome uses a sandbox -- essentially an isolating technology -- to prevent malware from leaking out of the browser and infecting the computer's operating system.
HP TippingPoint's Zero Day Initiative (ZDI), Pwn2Own's sponsor, confirmed Vupen's work late Thursday.
Vupen has been virtually unopposed at Pwn2Own. As of early Friday, it had racked up 124 points in the scoring system that will be used to crown cash prize winners later today.
"Their lead looks impossible to beat at this point," said Aaron Portnoy, the leader of TippingPoint's security research team and the organizer of Pwn2Own, in an interview yesterday. The top scoring researcher or team will be awarded $60,000 by ZDI, with second- and third-place winners, if there are any, taking home $30,000 and $15,000.
For its part, Google patched the two zero-days disclosed Wednesday by Sergey Glazunov, who so far has been the only researcher to claim cash from the $1 million pot that Google set aside for its own Pwnium.
Google issued a new edition of Chrome 17 early Thursday, less than 24 hours after a proxy for Glazunov demonstrated the exploits to the company's security team at CanSecWest, the Vancouver, British Columbia conference hosting both Pwn2Own and Pwnium.
Glazunov was awarded $60,000 for his work.
Pwn2Own is in its sixth year at CanSecWest; rival Pwnium debuted this year.
Glazunov demonstrated what Google classified as a "full Chrome exploit." While Google did not release any additional information about the vulnerabilities -- as it always does when it patches Chrome, it blocked public access to its bug-tracking database for the flaws it just fixed -- that label meant Glazunov had to have exploited a code execution flaw as well as a second "sandbox-escape" bug, with both vulnerabilities limited to Google-made code.
Free Insider GuideCopyright © 1994 - 2013 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
