The annual CanSecWest conference opened on Wednesday in Vancouver, and before the first session even started, Google’s Chrome was exploited successfully not once, but twice.
The first hit was made by Russian university student and security researcher Sergey Glazunov, who managed to hack into a fully patched Windows 7 machine by exploiting a remote code execution vulnerability in Google’s Chrome browser.
It seems that Glazunov will definitely be receiving the $60,000 prize Google awards for a full exploit, as he effectively bypassed Chrome’s lauded sandbox and managed to execute code with the full permissions of the logged-on user.
“It was an impressive exploit,” commented Justin Schuh, a member of the Chrome security team, for ZDNet. “It required a deep understanding of how Chrome works.”
“Congrats to long-time Chromium contributor Sergey Glazunov who just submitted our first Pwnium entry,” commented Sundar Pichai, senior vice president of Chrome at Google, and added that the company will be working fast on a fix that will be pushed out via Chrome’s automatic update mechanism.
Glazunov competed in the newly instituted Pwnium contest, as Google has chosen to withdraw their sponsorship from the conference’s popular Pwn2Own contest and institute a competition of their own.
The reason behind this can be found in this year’s changed rules for the Pwn2Own contest, which don’t require researchers to share with the developers how they managed to break the sandbox – in short, they would be getting information about the bugs, but not the exploits used. As Google is determined to learn and improve Chrome, this was obviously a deal-breaker.
Glazunov is the first, but perhaps not the last, to score a win in the Pwnium contest – Google offers multiple rewards across three categories, so others might step up to the plate and prove successful.
In addition to this – mere hours after Glazunov – a team of researchers from French security firm VUPEN, which specializes in vulnerability research, managed to compromise Chrome as well via a new vulnerability.
So far, they have won no prize, as they did so within the Pwn2Own contest, and under the new rules they are awarded only points that can propel them towards victory but do not guarantee it.
Also, according to ThreatPost, the VUPEN team is the only one to have tried its hand so far. “I wouldn’t be surprised if no one else showed up, though,” said TippingPoint’s Aaron Portnoy. “If they heard that VUPEN was showing up with 0-days for every single browser, and this is all they do, all day, every day, that might discourage them.”
This speculation seems to be confirmed by Charlie Miller, a multiple winner of the contest who often concentrated his efforts on breaking Apple’s offerings.
“I understand why they switched, they wanted to remove the whole ‘random draw’ from the equation, which I [thought] was a necessary move,” he commented on the new rules. “However, the new structure doesn’t really suit me. By making you write exploits there, it turns it into more of a capture-the-flag (CTF) style competition. There is no way by myself I can compete against a team of 5 or 6 Vupen guys. It really rewards larger teams/groups.”