Google Chrome has become the focus of attention at this year’s CanSecWest conference in Vancouver as security experts uncovered two separate exploits on the previously invincible browser.
In the Hewlett Packard-sponsored Pwn2Own competition it took only five minutes for a team from French security firm Vupen to successfully exploit the browser.
The French team used a ‘use-after-free’ bug to bypass Chrome’s data execution prevention (DEP) and address space layout randomisation (ASLR), protections that would normally stop malicious code. Chrome’s sandbox was also bypassed, completing the exploit.
Based on a new scoring system adopted for the contest, the Vupen team scored 32 points for their Chrome zero-day exploit and 30 more for separate exploits on Safari, Firefox and Internet Explorer. For their Chrome achievement HP awarded them $20,000 (£12,600).
The first successful entry to the Pwnium challenge, the parallel Chrome-specific contest set up by Google, came from regular exploit bounty-hunter Sergey Glazunov. As the exploit only used Chrome bugs, he claimed the top prize of $60,000 (£37,800).
Google is currently offering a total of $1 million (£630,000) in tiered prizes for any partial or complete exploits of its browser. Announced in February, the Pwnium competition was spun off from Pwn2Own as the latter did not require contestants to disclose all details about exploits – information Google wanted in order to improve Chrome’s security.
Google had hoped that its high bounties would encourage hackers and experts to focus on Chrome. Last year the search giant offered $20,000 on top of Pwn2Own’s $15,000 (£9,460) but saw no takers due to the difficulty of breaking out of the browser’s security sandbox. Glazunov’s accomplishment shows that the new incentive has worked.
“This is exciting; we launched Pwnium this year to encourage the security community to submit exploits for us to help make the web safer,” Google’s Sundar Pichai said about the first $60,000 bounty pay-out. “We look forward to any additional submissions to make Chrome even stronger for our users.”