CORRECTED: Google Chrome hacked in minutes at Pwn2Own

CORRECTED: Google Chrome hacked in minutes at Pwn2Own
CORRECTED: Original article inaccurately stated that Chrome was the only browser that survived Pwn2Own 2011. Mozilla pointed out to us that Firefox had also remained secure at the Pwn2Own 2011 contest.

VUPEN defeats Chrome's sandbox.

The Google browser was first to fall victim at this year's Pwn2Own contest, despite not being hacked at the 2011 contest, along with Mozilla's Firefox browser.



VUPEN researchers used two zero-day flaws in its attack, which saw the Chrome browser defeated in less than five minutes. Chaouki Bekrar, head of research at VUPEN, said the pair of vulnerabilities got them complete control over a patched 64-bit Windows 7 machine.

"We had to use two vulnerabilities. The first one was to bypass DEP and ASLR on Windows and a second one to break out of the Chrome sandbox." Bekrar said.

He admitted that Chrome was the first to be targeted in order to send a message that no software is completely safe as long as there are people who are determined to find a way to exploit it. The exploit used by VUPEN was against the default installation of Google Chrome, which according to Bekrar, means that whether third party code was targeted or not is irrelevant.

VUPEN showed a video last year where it demonstrated successfully beating the Chrome sandbox, but Google responded quickly to claim that VUPEN actually exploited third party code (Flash) and not the browser itself.

Still, despite successfully hacking Chrome at Pwn2Own this year, Bekrar gave a nod to the security of the browser.

"The Chrome sandbox is the most secure sandbox out there. It?s not an easy task to create a full exploit to bypass all the protections in the sandbox. I can say that Chrome is one of the most secure browsers available."

Written by: James Delahunty @ 7 Mar 2012 23:00
Tags
Google Chrome
Advertisement - News comments available below the ad
  • 5 comments
  • SmaryJerry (unverified)

    Did they get the $1 million dollar prize for that hacking challenge Google put out there?

    8.3.2012 02:09 #1

  • nbfreak2

    Originally posted by SmaryJerry: Did they get the $1 million dollar prize for that hacking challenge Google put out there? I was wondering the same Question?....

    8.3.2012 08:03 #2

  • ediman16

    Originally posted by nbfreak2: Originally posted by SmaryJerry: Did they get the $1 million dollar prize for that hacking challenge Google put out there? I was wondering the same Question?.... Yea me too. I hope they got it...

    8.3.2012 13:08 #3

  • B2D327

    probably not since it wasn't a direct exploitation of Chrome rather than a vulnerability in Windows first.

    I am Jacks medulla oblongata

    8.3.2012 17:23 #4

  • phobet

    Originally posted by SmaryJerry: Did they get the $1 million dollar prize for that hacking challenge Google put out there? Unfortunately, no. While there *is* 1M in the kitty for exploits, they are only paying 60K per.

    8.3.2012 21:15 #5

© 2024 AfterDawn Oy

Hosted by
Powered by UpCloud