3/8/2012
01:12 PM

Google Chrome Falls Twice In Hacking Contest

VUPEN Security hacks Google Chrome, Safari, and Internet Explorer to take early lead in Pwn2Own contest.


In this year's annual Pwn2Own battle of browser-hacking prowess, Google Chrome was the first to fall--and in the first five minutes of the competition.

French vulnerability research firm VUPEN Security stormed to an early lead in the annual Pwn2Own cracking contest, which is part of this week's CanSecWest information security conference in Vancouver. VUPEN received 32 points for the Chrome hack from officials at TippingPoint's Zero Day Initiative, a bug-bounty reward program that sponsors the contest. By day's end VUPEN was in the lead with 62 points, after also hacking Safari 5 on Mac OS X Snow Leopard and Firefox 3 on Windows XP. The contest continues through Friday.

According to a tweet from VUPEN, its Chrome exploit involved "code execution and sandbox escape (medium integrity process resulted)" against a copy of Chrome running on Windows 7. VUPEN has previously discovered zero-day vulnerabilities that exploited Chrome after bypassing its sandbox, although this is the first time in three years that Chrome has been exploited in the Pwn2Own contest, the lead-up to which typically sees browser makers furiously issuing patches.


"We wanted to show that even Chrome is not unbreakable," VUPEN CEO Chaouki Bekrar told Ars Technica.

Also Wednesday, veteran Chrome researcher Sergey Glazunov earned a quick $60,000 as part of Google's alternative "Pwnium" contest, for an attack that bypassed the Chrome sandbox using only code native to Chrome and allowed him to execute an arbitrary exploit.

While Google has helped sponsor the Pwn2Own prize in recent years, this year the company announced that it was pulling out, due to a change in contest rules. "Originally, our plan was to sponsor as part of this year's Pwn2Own competition," said Chris Evans and Justin Schuh, part of the Google Chrome security team, in a blog post. "Unfortunately, we decided to withdraw our sponsorship when we discovered that contestants are permitted to enter Pwn2Own without having to reveal full exploits (or even all of the bugs used!) to vendors. Full exploits have been handed over in previous years, but it's an explicit non-requirement in this year's contest, and that's worrisome."

Instead, Google created Pwnium, promising to issue up to $1 million in prize money in exchange for full disclosure (and promising to share all flaws with relevant vendors). "We will issue multiple rewards per category, up to the $1 million limit, on a first-come-first served basis. There is no splitting of winnings or 'winner takes all,'" said Evans and Schuh.

"We require each set of exploit bugs to be reliable, fully functional end to end, disjoint, of critical impact, present in the latest versions, and genuinely zero-day--i.e., not known to us or previously shared with third parties. Contestant's exploits must be submitted to and judged by Google before being submitted anywhere else," they said.

Beyond the $60,000 prize--awarded for any attack that exploits only Chrome bugs--contestants can win $40,000 by combining a Chrome bug with another bug, and $20,000 for exploiting a bug in third-party code, such as browser plug-ins, Flash, or Windows. All Pwnium winners also get a Chromebook.

Comments
HH000,
User Rank: Apprentice
3/9/2012 | 11:09:07 AM
re: Google Chrome Falls Twice In Hacking Contest
Did it escape?