Chrome hackers strike Pwnium
Google's Chrome fell to two separate zero-day attacks at the CanSecWest conference, as researchers took on the browser in the Pwn2Own competition and in Google's own vulnerability hunt, Pwnium. Historically, Chrome has passed through the Pwn2Own competition unscathed, but this year the attention was on it after Google spun out its own independent competition offering a million dollars in rewards for researchers who break its browser's security.
Chrome first fell in Google's Pwnium competition, when Sergey Glazunov bypassed Chrome's sandbox using only native Chrome code, netting him $60,000 for a "Full Chrome Pwn". Glazunov, a regular reporter of Chrome security holes who was represented on site by Aaron Sigel, exploited two distinct bugs which reportedly avoided the sandbox rather than attempting to break out of it; a member of the Chrome security team confirmed that the "very impressive" attack executed code with the full permissions of the user running the browser. There is still $940,000 left in the prize fund. Google started their own Pwnium competition after noting that Pwn2Own rule changes meant vulnerabilities were not required to be disclosed to ZDI, the event's organisers, or to browser vendors.
The fall of Chrome in the Pwnium contest was followed by a fall in the Pwn2Own contest. This time, a team from Vupen Security, who are believed to have leveraged the embedded Adobe Flash Plugin in their exploit, broke out of the Chrome sandbox. Vupen says it will be retaining the rights to one of the vulnerabilities, the sandbox escape; the company demonstrated a similar vulnerability in May 2011. According to Vupen Security CEO, Chaoruki Bekrar, the company exploited a use-after-free bug to work around ASLR and DEP protection on a Windows 7 system and then used a second vulnerability to get out of the sandbox. "Last year, we saw a lot of headlines that no one could hack Chrome. We wanted to make sure it was the first to fall this year" said Bekrar.
The Vupen team have arrived at the competition with exploits for all four target browsers; Google Chrome, Microsoft Internet Explorer, Apple's Safari and Mozilla's Firefox. This year's Pwn2Own rules involve accumulating points by exploiting those browsers, with the winner being whoever has demonstrated at least one zero day vulnerability and has the most points on the final day. The Pwn2Own first prize is $60,000.
(djwm)