Google raised eyebrows last month when it announced it was dropping sponsorship of the Pwn2Own hacking contest held every year at the CanSecWest conference in Vancouver, British Columbia, opting instead to offer up to $1 million for fully disclosed, working exploits against its browser. So instead of sponsoring Pwn2Own, Google hosted its own “Pwnium” contest with a $60,000 top prize. The message is that Google is happy to pay top dollar for working exploits against Chrome, but it wants the details of those attacks so it can lock down its browser.
Throughout previous Pwn2Own contests, Chrome has been the only browser left standing, with Internet Explorer, Firefox, and Safari all falling to hackers. This year, however, Chrome was the first to fall, with Russian university student Sergey Glazunov collecting a top prize for demonstrating a successful zero-day exploit against the browser. But Glazunov was not alone: within a few minutes, over at the official Pwn2Own contest, French security firm Vupen also broke out of Chrome’s sandbox. However, Vupen won’t be getting any prize money from Google, since the company is unwilling to disclose the details of its exploit. Instead, Vupen gets 32 points for its exploit in the Pwn2Own competition’s new scoring system.
Both attacks reportedly used a pair of exploits to break out of Chrome’s security. Glazunov’s attack did not break out of Google’s sandbox entirely, but it was able to execute arbitrary code on the machine running the browser. Glazunov is a well-known member of the Chromium security community and has previously collected Chrome bug bounties. Although full details of Glazunov’s attack weren’t revealed to the public, they were disclosed in full to Google; the company is reportedly now working on a patch.
Vupen’s attack was also two-pronged. First, it bypassed Windows’ data execution prevention (DEP) and address space layout randomization (ASLR) technologies using a use-after-free bug. Basically, Vupen convinced the operating system to execute code still floating around in memory after it had nominally been thrown away. Then, it used a flaw in Chrome to break out of the sandbox: using a specially crafted Web page, Vupen was able to force Chrome to launch Windows Calculator without any user interaction.
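The use-after-free class the paragraph above describes boils down to a reference that outlives the memory it points to, so that whatever is allocated into that memory next is treated as the old object. The example below is an added illustration of one defensive pattern against that, and is not code from the article, Vupen, Google or Chrome: objects are reached only through generation-tagged handles, and every free bumps the slot’s generation, so a stale handle is rejected instead of silently reaching the reused memory. The table size, `obj_*` function names and payload strings are toy assumptions made for this example.

```c
#include <stdint.h>
#include <string.h>

/* Added example: a generation-tagged handle table (toy, not any real
   project's code). A handle carries the slot index plus the generation
   the slot had when the object was created. Freeing bumps the generation,
   so any handle kept past the free no longer matches and resolves to NULL. */

#define SLOTS 4
#define PAYLOAD_LEN 32

typedef struct {
    uint32_t generation;          /* incremented on every free */
    int      in_use;
    char     payload[PAYLOAD_LEN];
} slot_t;

typedef struct {
    uint32_t index;
    uint32_t generation;
} handle_t;

static slot_t table[SLOTS];

/* Allocate the first free slot and copy the caller's data into it. */
handle_t obj_alloc(const char *data) {
    for (uint32_t i = 0; i < SLOTS; i++) {
        if (!table[i].in_use) {
            table[i].in_use = 1;
            strncpy(table[i].payload, data, PAYLOAD_LEN - 1);
            table[i].payload[PAYLOAD_LEN - 1] = '\0';
            return (handle_t){ i, table[i].generation };
        }
    }
    return (handle_t){ UINT32_MAX, 0 };  /* table full: invalid handle */
}

/* Resolve a handle to its slot, or NULL if the handle is out of range,
   refers to a freed slot, or is stale (generation mismatch). */
slot_t *obj_resolve(handle_t h) {
    if (h.index >= SLOTS) return NULL;
    slot_t *s = &table[h.index];
    if (!s->in_use || s->generation != h.generation) return NULL;
    return s;
}

/* Free an object: scrub its payload, mark the slot free, bump generation.
   Returns 0 on success, -1 if the handle did not resolve. */
int obj_free(handle_t h) {
    slot_t *s = obj_resolve(h);
    if (!s) return -1;
    memset(s->payload, 0, PAYLOAD_LEN);
    s->in_use = 0;
    s->generation++;
    return 0;
}

/* Models the dangerous sequence: free an object, let a new object land in
   the same slot, then try to use the old handle. Returns 1 if the slot was
   reused AND the stale handle was rejected AND the new object is reachable
   through its own handle; 0 otherwise. */
int demo_stale_handle_is_rejected(void) {
    handle_t a = obj_alloc("first");
    if (obj_free(a) != 0) return 0;

    handle_t b = obj_alloc("second");        /* reuses the freed slot */
    int reused         = (b.index == a.index);
    int stale_rejected = (obj_resolve(a) == NULL);
    slot_t *live       = obj_resolve(b);
    int live_ok        = (live != NULL && strcmp(live->payload, "second") == 0);

    obj_free(b);                              /* leave the table clean */
    return reused && stale_rejected && live_ok;
}
```

The same idea appears in production systems as tagged handle tables, epoch or generation counters in allocators, and smart-pointer ownership rules; the common thread is that the reference itself carries enough information to be checked against the object’s current lifetime, rather than being trusted as a raw address.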
Vupen’s lead researcher Chaouki Bekrar told ZDNet that his team spent about six weeks working out the exploit. While complimenting the security work Google has done on Chrome, Bekrar emphasized that any software can be broken if the attackers have enough motivation and skill — and part of the reason Vupen focused on Chrome was the publicity surrounding its survival at previous Pwn2Own competitions.
Last year, Vupen posted a video of a successful exploit against Chrome, but Google disallowed the attack, saying it exploited a loophole in Adobe’s Flash plugin, not Chrome itself.