Google Chrome breached at Pwn2Own and Pwnium

Ending a three-year streak coming out unharmed at organized hacking challenges, Google's Chrome browser was breached at "Pwn2Own" and the company's own "Pwnium" event yesterday, both of which are running simultaneously at the CanSecWest security conference in Vancouver.

French security company Vupen was responsible for the first hack and it only took them about five minutes after the contest's kick off. The exploit leveraged two bugs, one to bypass DEP (data execution prevention) and ASLR (address space layout randomization) on Windows, which are designed to prevent malicious code execution even when a vulnerability is found, and a second one to bypass the Chrome sandbox.

The company didn't disclose other details besides saying that the vulnerable component was found in the "default" installation of the Google browser. That detail led several people to speculate that Vupen may have exploited the built-in Adobe Flash plugin to access more sensitive parts of the operating system.

Vupen also developed an attack for version 8 of IE running on Windows XP, Safari 5 on OS X Snow Leopard, and Firefox 3 on Windows XP. The company said it will sell the rights to one of the zero-day vulnerabilities but it won't give up the sandbox escape: "We are keeping that private, keeping it for our customers."

TippingPoint's annual Pwn2Own hacking competition changed some of its rules this year and no longer requires entrants to reveal all the details about exploits used to compromise security. Google called this change "worrisome" and decided to withdraw its support, promoting its Pwnium challenge instead with a prize pool of up to $1 million. Needless to say, security researchers were up for the challenge.

Sergey Glazunov, a Russian university student participating in the Pwnium contest successfully hacked a PC running Chrome to claim a $60,000 prize from Google. Interestingly, Glazunov also used a previously undiscovered exploit specific to Chrome to bypass the browser's sandbox restriction.

Both challenges run for three days so new exploits might surface until Friday.