Google Chrome Falls Twice In Hacking Contest

Published: 22/11/2024   Category: security


VUPEN Security hacks Google Chrome, Safari, and Internet Explorer to take early lead in Pwn2Own contest.



In this year's annual Pwn2Own battle of browser-hacking prowess, Google Chrome was the first to fall--and in the first five minutes of the competition.
French vulnerability research firm VUPEN Security stormed to an early lead in the annual Pwn2Own cracking contest, which is part of this week's CanSecWest information security conference in Vancouver. VUPEN received 32 points for the Chrome hack from officials at TippingPoint's Zero Day Initiative, a bug-bounty reward program that sponsors the contest. By day's end VUPEN was in the lead with 62 points, after also hacking Safari 5 on Mac OS X Snow Leopard and Firefox 3 on Windows XP. The contest continues through Friday.
According to a tweet from VUPEN, its Chrome exploit involved code execution and sandbox escape (medium integrity process resulted) against a copy of Chrome running on Windows 7. VUPEN has previously discovered zero-day vulnerabilities that exploited Chrome after bypassing its sandbox, although this is the first time in three years that Chrome has been exploited in the Pwn2Own contest, the lead-up to which typically sees browser makers furiously issuing patches.
"We wanted to show that even Chrome is not unbreakable," VUPEN CEO Chaouki Bekrar told Ars Technica.
Also Wednesday, veteran Chrome researcher Sergey Glazunov earned a quick $60,000 for an attack that bypassed the Chrome sandbox using only code native to Chrome and which allowed him to execute an arbitrary exploit, as part of Google's alternative Pwnium contest.
While Google has helped sponsor the Pwn2Own prize in recent years, this year the company announced that it was pulling out, due to a change in contest rules. "Originally, our plan was to sponsor as part of this year's Pwn2Own competition," said Chris Evans and Justin Schuh, part of the Google Chrome security team, in a blog post. "Unfortunately, we decided to withdraw our sponsorship when we discovered that contestants are permitted to enter Pwn2Own without having to reveal full exploits (or even all of the bugs used!) to vendors. Full exploits have been handed over in previous years, but it's an explicit non-requirement in this year's contest, and that's worrisome."
Instead, Google created Pwnium, promising to issue up to $1 million in prize money in exchange for full disclosure (and Google promising to share all flaws with relevant vendors). "We will issue multiple rewards per category, up to the $1 million limit, on a first-come-first served basis. There is no splitting of winnings or winner takes all," said Evans and Schuh.
"We require each set of exploit bugs to be reliable, fully functional end to end, disjoint, of critical impact, present in the latest versions, and genuinely zero-day--i.e., not known to us or previously shared with third parties. Contestants' exploits must be submitted to and judged by Google before being submitted anywhere else," they said.
Beyond the $60,000 prize--awarded for any attack that exploits only Chrome bugs--contestants can win $40,000 by combining a Chrome bug with another bug, and $20,000 for exploiting a bug in third-party code, such as browser plug-ins, Flash, or Windows. All Pwnium winners also get a Chromebook.