Google Chrome has become the focus of attention at this year’s CanSecWest conference in Vancouver as security experts uncovered two separate exploits on the previously invincible browser.
In the Hewlett Packard-sponsored Pwn2Own competition it took only five minutes for a team from French security firm Vupen to successfully exploit the browser.
The French team used a ‘use-after-free’ bug which bypassed Chrome’s data execution prevention (DEP) and address space layout randomisation (ASLR) which would normally stop malicious code. Chrome’s sandbox was also bypassed, completing the exploit.
Based on a new scoring system adopted for the contest, the Vupen team scored 32 points for their Chrome zero-day exploit and 30 more for separate exploits on Safari, Firefox and Internet Explorer. For their Chrome achievement HP awarded them $20,000 (£12,600).
The first successful entry to the Pwnium challenge, the parallel Chrome-specific contest set up by Google, came from regular exploit bounty-hunter Sergey Glazunov. As the exploit only used Chrome bugs, he claimed the top prize of $60,000 (£37,800).
Google is currently offering a total of $1 million (£630,000) in tiered prizes for any partial or complete exploits of its browser. Announced in February, the Pwnium competition was spun off from Pwn2Own as the latter did not require contestants to disclose all details about exploits – information Google wanted in order to improve Chrome’s security.
Google had hoped that its high bounties would encourage hackers and experts to focus on Chrome. Last year the search giant offered $20,000 on top of Pwn2Own’s $15,000 (£9,460) but saw no takers due to the difficulty of breaking out of the browser’s security sandbox. Glazunov’s accomplishment shows that the new incentive has worked.
“This is exciting; we launched Pwnium this year to encourage the security community to submit exploits for us to help make the web safer,” Google’s Sundar Pichai said about the first $60,000 bounty pay-out. “We look forward to any additional submissions to make Chrome even stronger for our users.”
How well do you know your web browsers? To find out, take our quiz.
Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…
Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…
Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…
Welcome to Silicon In Focus Podcast: Tech in 2025! Join Steven Webb, UK Chief Technology…
European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…
San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…