Skip the navigation

French team brings down IE9 at Pwn2Own hacking contest

And Google patches Chrome bugs revealed after $60,000 Pwnium payout

March 9, 2012 12:56 PM ET

Computerworld - A team from a French security firm hacked Microsoft's Internet Explorer 9 (IE9) yesterday at "Pwn2Own," making it two browsers busted in two days at the annual contest.

Also on Thursday, Google patched Chrome to fix two vulnerabilities that a long-time contributor to its bug bounty program used the day before to win $60,000 at "Pwnium," Google's first-ever hacking event.

The group from Paris-based Vupen Security brought down IE9 running on Windows 7 by exploiting a pair of previously-unknown "zero-day" bugs that bypassed the operating system's defensive technologies to execute attack code, allowing that code to escape from IE's "Protected Mode," the browser's limited-rights anti-exploit system.

On Wednesday, Vupen researchers had hacked Chrome, also on Windows 7, by leveraging one zero-day -- Google suspected it was not in the browser's native code -- to execute code and with another, to break out of Chrome's "sandbox."

Chrome uses a sandbox -- essentially an isolating technology -- to prevent malware from leaking out of the browser and infecting the computer's operating system.

HP TippingPoint's Zero Day Initiative (ZDI), Pwn2Own's sponsor, confirmed Vupen's work late Thursday.

Vupen has been virtually unopposed at Pwn2Own. As of early Friday, it had racked up 124 points in the scoring system that will be used to crown cash prize winners later today.

"Their lead looks impossible to beat at this point," said Aaron Portnoy, the leader of TippingPoint's security research team and the organizer of Pwn2Own, in an interview yesterday. The top scoring researcher or team will be awarded $60,000 by ZDI, with second- and third-place winners, if there are any, taking home $30,000 and $15,000.

For its part, Google patched the two zero-days disclosed Wednesday by Sergey Glazunov, who so far has been the only researcher to claim cash from the $1 million pot that Google set aside for its own Pwnium.

Google issued a new edition of Chrome 17 early Thursday, less than 24 hours after a proxy for Glazunov demonstrated the exploits to the company's security team at CanSecWest, the Vancouver, British Columbia conference hosting both Pwn2Own and Pwnium.

Glazunov was awarded $60,000 for his work.

Pwn2Own is in its sixth year at CanSecWest; rival Pwnium debuted this year.

Glazunov demonstrated what Google classified as a "full Chrome exploit." While Google did not release any additional information about the vulnerabilities -- as it always does when it patches Chrome, it blocked public access to its bug-tracking database for the flaws it just fixed -- that label meant Glazunov had to have exploited a code execution flaw as well as a second "sandbox-escape" bug, with both vulnerabilities limited to Google-made code.



Our Commenting Policies
Internet of Things: Get the latest!
Internet of Things

Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!