Thursday, 08 March 2012 11:51

Google's Chrome falls first at Pwn2Own

Written by

Reading time is around minutes.

News_manstealingdataThe Pwn2Own completion is in full swing and this year we find that Google’s Chrome web browser is the first to fall. Google has claimed in the past that Chrome is the most secure browser (in addition to claiming it is faster). Meanwhile many IT and security experts had questioned this and are concerned about things that Chrome does when installed on an operating system. Still this is the first time the browser has fallen during the infamous competition.

Interestingly the Pwn2Own exploit was not the only one reported. For the Pwn2Own hack the exploit was a two part attack that used a combination of a Sandbox Escape and a DEP/ASLR (Data Execution Prevention / Address Space Layout Randomization) exploit to infect Windows 7 (which was what the browser was installed on). This was accomplished by the French security company Vupen.

At the same time Google was open for their own exploit submissions under the Pwnium program. Pwnium is a program that gives security researchers or groups a chance to win bounties on exploits found in Chrome. The top prize is $60,000 for a single submission, which was actually won this year with an exploit submitted by Sergey Glazunov.  Glazunov is one of the leading bug hunters for Chrome and also works on the open source project that is tied directly into the Chrome program.

Google started Pwnium after breaking away from ZDI (the organizers of Pwn2Own). The split was over the submittal requirements. Under ZDI researchers only have to submit Zero-Day code execution exploits and not any code or bugs that allow for breaking out of the sandbox that protects the OS from malicious running in the browser. Under Pwnium the submittal must include both Zero-Day code execution exploits and sandbox escapes. Any exploits (including Sandbox Escapes) must exist in the Chrome codebase to qualify also.

Still this plays into what we have said all along; there is no such thing as a secure OS, browser, application, web server etc. Not matter how much you secure it, someone will find a hole and exploit it.

Discuss this in our Forum

Read 1946 times Last modified on Thursday, 08 March 2012 11:56

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.