The first of the zero-day exploits used is nothing new; it is a heap overflow (this is the one that is a core IE fault) that allows the malicious code to leak memory contents. With such a memory disclosure you can bypass address space layout randomization (ASLR) and go on to compromise the OS. ASLR and DEP (Data Execution Prevention) are two of the main ways that Windows 7 protects itself from malicious code, while Protected Mode puts code executed in the browser into a contained memory and execution space.
The exploit used by Vupen to get past Protected Mode is the one that they are not going to disclose to anyone but their paying customers. On the other hand, the heap overflow they discovered in IE will be passed on to HP TippingPoint’s Zero Day Initiative. This means that Microsoft could have access to both exploits, one as a freely distributed item and the other as one they would have to pay Vupen for.
It is this last item (the lack of a requirement to pass on sandbox/Protected Mode breakouts) that caused Google to pull its sponsorship from this year’s competition. Instead they put on their own competition, called Pwnium, which has yielded two exploits for Chrome (which they claim are fixed). Vupen (the people that also cracked open IE 9) also found two exploits for Google’s Chrome. We are betting that Google has already passed on a big check for the sandbox breakout that Vupen used, but as of this writing Google has not made any public statements on it.