Google Chrome breached at Pwn2Own and Pwnium

By on March 8, 2012, 10:05 AM

Ending a three-year streak coming out unharmed at organized hacking challenges, Google's Chrome browser was breached at "Pwn2Own" and the company's own "Pwnium" event yesterday, both of which are running simultaneously at the CanSecWest security conference in Vancouver.

French security company Vupen was responsible for the first hack and it only took them about five minutes after the contest's kick off. The exploit leveraged two bugs, one to bypass DEP (data execution prevention) and ASLR (address space layout randomization) on Windows, which are designed to prevent malicious code execution even when a vulnerability is found, and a second one to bypass the Chrome sandbox.

The company didn't disclose other details besides saying that the vulnerable component was found in the "default" installation of the Google browser. That detail led several people to speculate that Vupen may have exploited the built-in Adobe Flash plugin to access more sensitive parts of the operating system.

Vupen also developed an attack for version 8 of IE running on Windows XP, Safari 5 on OS X Snow Leopard, and Firefox 3 on Windows XP. The company said it will sell the rights to one of the zero-day vulnerabilities but it won’t give up the sandbox escape: "We are keeping that private, keeping it for our customers."

TippingPoint's annual Pwn2Own hacking competition changed some of its rules this year and no longer requires entrants to reveal all the details about exploits used to compromise security. Google called this change "worrisome" and decided to withdraw its support, promoting its Pwnium challenge instead with a prize pool of up to $1 million. Needless to say, security researchers were up for the challenge.

Sergey Glazunov, a Russian university student participating in the Pwnium contest successfully hacked a PC running Chrome to claim a $60,000 prize from Google. Interestingly, Glazunov also used a previously undiscovered exploit specific to Chrome to bypass the browser's sandbox restriction.

Both challenges run for three days so new exploits might surface until Friday.




User Comments: 14

Got something to say? Post a comment
3DCGMODELER 3DCGMODELER said:

cool....

If they Smart, They would Hire the Hackers...

Lurker101 said:

This sounds like a big win for Google.

Guest said:

"The exploit leveraged two bugs, one to bypass DEP (data execution prevention)"

I'm confused here. Does Chrome have the ability to bypass DEP by itself??

Guest said:

Why hire them? This is so much cheaper for Google.

anguis said:

Firefox 3 on Windows XP...why so old?

lipe123 said:

Meanwhile in the real world the #1 threat is the giant banner at the top that goes "Congratulations you won *insert gigantic BS prize here*, click here and accept the agreement!!!" or "You qualified to win an iPad3! click continue on the next screen to claim your prize"

Instead of targeting these high level exploits that only occur in very controlled environments and almost never under normal circumstances they should set up a prize reward for every site that has a misleading banner that results in a malware installation.

Guest said:

Because Windows XP still has more market share then any other Windows OS.

Guest said:

The company said it will sell the rights to one of the zero-day vulnerabilities but it won't give up the sandbox escape: "We are keeping that private, keeping it for our customers."

Would those customers be a number of three letter acronyms? And maybe a few internet frauds just to add some color to the mix?

This is one of those companies that deserves getting sued.

Guest said:

After discovering the browser Maxthon, Chrome is pretty much history in my book. It is amazing how little appreciation Maxthon receives; best browser I have ever tried.

Guest said:

I hope the student who got the $60,000 used the same exploit of the sandbox, making their discovery useless or at least less valuable. Even if it was not the same, Google now knows that it exists and will probably find it themselves.

Guest said:

It does not appear Maxthon has downloads for iOS or Linux. Too bad, it looks pretty nice.

SNGX1275 SNGX1275, TS Forces Special, said:

After discovering the browser Maxthon, Chrome is pretty much history in my book. It is amazing how little appreciation Maxthon receives; best browser I have ever tried.

Probably didn't help that its history began with IE.

I know how you feel though, I'm an Opera user. It gets only slightly more attention than Maxthon. Nearly all benchmarks include: IE, FF, Chrome. IE is probably only included now in benchmarks 'for the lulz'.

PinothyJ said:

3dcgmodeler said:

cool....

If they Smart, They would Hire the Hackers...

I do not even need to comment on this lovely piece of insight ^^...

jester376 said:

3dcgmodeler said:

cool....

If they Smart, They would Hire the Hackers...

You know there's no doubt in my mind that they do hire these guys. On the Pwnium Constest, however, they probably wont hire the Russian student since he is still attending college. However, I am willing to bet that they are gonna offer him a Part-Time or Full-Time Internship.

Load all comments...

Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...
Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.