Pwnium hacking contest winners exploited 16 Chrome zero-days
'Pinkie Pie' used six, Sergey Glazunov 10, to hack Chrome and win $60,000 each in March
Computerworld - Google yesterday revealed that the two researchers who cracked Chrome in March at the company's inaugural "Pwnium" hacking contest used a total of 16 zero-day vulnerabilities to win $60,000 each.
The number of bugs each researcher used -- six in one case, "roughly" 10 in the other -- was dramatically more than the average attack uses. The Stuxnet worm of 2010, called "groundbreaking" by some analysts, used just four bugs, only three of them previously unknown "zero-day" vulnerabilities.
Google detailed only the half-dozen deployed by the researcher known as "Pinkie Pie" in a post to the Chromium blog yesterday. Details of the 10 used by Sergey Glazunov will not be disclosed until they are patched in other programs they afflict, said Jorge Lucangeli Obes and Justin Schuh, two Chrome security engineers, in the blog.
Pinkie Pie and Glazunov were the only prize winners at Pwnium, the March contest Google created after it withdrew from the long-running "Pwn2Own" hacking challenge. Google had pledged to pay up to $1 million, but ended up handing out just $120,000 -- $60,000 to each of the men.
In previous Pwn2Own contests, Chrome had escaped not only unscathed, but also untested by top-flight security researchers.
Pinkie Pie strung together six vulnerabilities on March 9 to successfully break out of the Chrome "sandbox," an anti-exploit technology that isolates the browser from the rest of the system.
The vulnerabilities let him exploit Chrome's pre-rendering -- where the browser loads potential pages before a user views them -- access the GPU (graphics processing unit) command buffers, write eight bytes of code to a predictable memory address, execute additional code in the GPU and escape the browser's sandbox.
At the time of Pwnium, one Google program manager called Pinkie Pie's exploits "works of art."
Google patched Pinkie Pie's bugs within 24 hours of his demonstration. Since then, the company has revealed technical details in its Chromium bug database of five of the six vulnerabilities.
Glazunov's exploits relied on approximately 10 vulnerabilities -- they, too, were patched within 24 hours -- but Google is keeping information on those secret for now.
"While these issues are already fixed in Chrome, some of them impact a much broader array of products from a range of companies," said Obes and Schuh. "We won't be posting that part until we're comfortable that all affected products have had an adequate time to push fixes to their users."
Chrome, currently at version 19, had an estimated 18.9% of the browser usage market in April, according to metrics firm Net Applications. Rival StatCounter, however, pegged Chrome's share for the month at 31.2%.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld.