Google Pays Out As Two Zero-Day Exploits Found In Chrome

Google Chrome has become the focus of attention at this year’s CanSecWest conference in Vancouver as security experts uncovered two separate exploits on the previously invincible browser.

In the Hewlett Packard-sponsored Pwn2Own competition it took only five minutes for a team from French security firm Vupen to successfully exploit the browser.

Complete pwnage

“We pwned Chrome to make things clear to everyone,” Chaouki Bekrar, CEO of Vupen, told Ars Technica. “We wanted to show that even Chrome is not unbreakable.”

The French team used a ‘use-after-free’ bug which bypassed Chrome’s data execution prevention (DEP) and address space layout randomisation (ASLR) which would normally stop malicious code. Chrome’s sandbox was also bypassed, completing the exploit.

Based on a new scoring system adopted for the contest, the Vupen team scored 32 points for their Chrome zero-day exploit and 30 more for separate exploits on Safari, Firefox and Internet Explorer. For their Chrome achievement HP awarded them $20,000 (£12,600).

The first successful entry to the Pwnium challenge, the parallel Chrome-specific contest set up by Google, came from regular exploit bounty-hunter Sergey Glazunov. As the exploit only used Chrome bugs, he claimed the top prize of $60,000 (£37,800).

Google is currently offering a total of $1 million (£630,000) in tiered prizes for any partial or complete exploits of its browser. Announced in February, the Pwnium competition was spun off from Pwn2Own as the latter did not require contestants to disclose all details about exploits – information Google wanted in order to improve Chrome’s security.

Google had hoped that its high bounties would encourage hackers and experts to focus on Chrome. Last year the search giant offered $20,000 on top of Pwn2Own’s $15,000 (£9,460) but saw no takers due to the difficulty of breaking out of the browser’s security sandbox. Glazunov’s accomplishment shows that the new incentive has worked.

“This is exciting; we launched Pwnium this year to encourage the security community to submit exploits for us to help make the web safer,” Google’s Sundar Pichai said about the first $60,000 bounty pay-out. “We look forward to any additional submissions to make Chrome even stronger for our users.”

How well do you know your web browsers? To find out, take our quiz.

Jiten Karia

Recent Posts

Apple Sales Rise 6 Percent After Early iPhone 16 Demand

Fourth quarter results beat Wall Street expectations, as overall sales rise 6 percent, but EU…

21 hours ago

X’s Community Notes Fails To Stem US Election Misinformation – Report

Hate speech non-profit that defeated Elon Musk's lawsuit, warns X's Community Notes is failing to…

22 hours ago

Google Fined More Than World’s GDP By Russia

Good luck. Russia demands Google pay a fine worth more than the world's total GDP,…

23 hours ago

Spotify, Paramount Sign Up To Use Google Cloud ARM Chips

Google Cloud signs up Spotify, Paramount Global as early customers of its first ARM-based cloud…

2 days ago

Meta Warns Of Accelerating AI Infrastructure Costs

Facebook parent Meta warns of 'significant acceleration' in expenditures on AI infrastructure as revenue, profits…

2 days ago

AI Helps Boost Microsoft Cloud Revenues By 33 Percent

Microsoft says Azure cloud revenues up 33 percent for September quarter as capital expenditures surge…

2 days ago