Chrome cracked at Pwn2Own and Pwnium contests

Google's Chrome browser was the primary to fall on the annual Pwn2Own exploit contest on the CanSecWest conference.

According to media reports, Chrome was compromised by a collection of researchers from French security firm Vupen, after it was earlier compromised as part of Google's own Pwnium contest, earning a $60,000 reward from the corporate. Consistent with Threatpost, Sergey Glazunov was awarded by Google for the 1st exploit.

As reported by SC Magazine, Google is offering cash prizes totalling $1m and a Chromebook to those that successfully exploit its browser after it split off from Pwn2Own and installation its own, Chrome-specific hacking contest this year.

A change inside the rules at Pwn2Own "to make it less like a lottery" and provides all competitors a chance to prove their skills on-site (or remotely) has proved to be controversial.

Google's security team said that it withdrew its sponsorship when it discovered that contestants were permitted to go into Pwn2Own without needing to disclose full exploits (and even all the bugs used) to vendors.

Threatpost claimed that during previous years, contestants had to pre-register and the organisers from TippingPoint's Zero Day Initiative knew what percentage participants there can be. Vupen was the sole team to start the contest this year.

According to The Verge, Vupen's method took good thing about two zero-day exploits and a baited website arrange in the course of the hack. Once the pc visited the positioning, the exploit ran and spread out the Chrome calculator extension outside of the browser's sandbox, demonstrating complete control of the up-to-date 64-bit Windows 7 box. Vupen's team was led by co-founder and head of study Chaouki Bekrar.

Talking to ZDNet, Bekrar said his team worked for approximately six weeks to locate and write the 2 vulnerabilities, one that bypassed DEP and ASLR on Windows and any other to wreck out of the Chrome sandbox.

He declined to mention if any of the exploits targeted third-party code within the browser, saying that it was "a use-after-free vulnerability in the default installation of Chrome".

Bekrar also said that his team came equipped for zero-day flaws for all of the four major browsers â€" Google Chrome, Microsoft Internet Explorer, Apple Safari and Mozilla Firefox â€" but it surely decided to move after Chrome first after it was left uncracked last year.

“We desired to show that Chrome was not unbreakable. Last year, we saw quite a few headlines that nobody could hack Chrome. We would have liked to ensure it was the primary to fall this year,” he said. He also said that it'll sell the rights to the DEP and ASLR Windows bypass, however it won't stop the sandbox escape.

He said: “We are keeping that non-public, keeping it for our customers.”

The conference is happening in Vancouver, Canada.