Google’s Chrome fell to researchers’ exploits Wednesday in both hacking challenges running this week at the CanSecWest security conference.
Yesterday was the first of three days for the “Pwn2Own” contest — now in its fifth year — and for Google’s rival upstart, “Pwnium.”
While Chrome went untouched in the last two years of “Pwn2Own,” it was the first to fall to researchers Wednesday when a French team demonstrated a two-vulnerability attack on the browser running in Windows 7.
Meanwhile, Google announced it had received its first “Pwnium” exploit submission, which the company’s Chrome chief executive said qualified for that event’s top-dollar $60,000 reward.
There are two cash-at-stake hacking events at CanSecWest this year because last week Google withdrew its Pwn2Own sponsorship over objections to the contest’s practice of not requiring researchers to divulge “sandbox-escape” exploits.
Google then announced its own Pwnium, which is not a contest per se, but rather a three-day window during which security researchers can demonstrate their Chrome attacks for the company’s security team. Google had promised it would pay up to $1 million — in $20,000, $40,000 and $60,000 awards — for hacks that exploited unknown, or “zero-day,” vulnerabilities.
At Pwn2Own, which changed this year to a point system, a team from French security company Vupen hacked Chrome about five minutes after the contest’s starting gun. Vupen was awarded 32 points by HP TippingPoint’s Zero Day Initiative (ZDI) bug bounty program, Pwn2Own’s organizer and sponsor.
The top scoring individual or research team will be handed $60,000 on Friday, with second and third places receiving $30,000 and $15,000, respectively.
Vupen’s exploit leveraged two bugs, said ZDI in a tweet Wednesday, including a “sandbox escape” necessary to break out of the anti-malware isolation technology designed to prevent malware from jumping out of the browser to infect the operating system.
“Google Chrome is the first browser to fall at #pwn2own 2012,” said Vupen in a tweet of its own. “We pwned it using an exploit bypassing DEP/ASLR and the sandbox!”
DEP, for data execution prevention, and ASLR, or address space layout randomization, are anti-exploit defenses baked into Windows.
On the Pwnium side of the aisle, Sundar Pichai, the senior vice president of Chrome, used Google+ to announce the first exploit submission.
“Congrats to long-time Chromium contributor Sergey Glazunov who just submitted our first Pwnium entry,” said Pichai. “Looks like it qualifies as a ‘Full Chrome’ exploit, qualifying for a $60k reward.”
Glazunov has been an active contributor not only to Chromium, the open-source project that feeds code into Chrome proper, but was also last year’s most prolific Chrome bug finder outside Google.
Last year, Google paid Glazunov nearly $59,000 in bug-reporting bounties, beating the No. 2 researcher, who goes only by the nickname “miabiz,” by almost $20,000.
To qualify for a $60,000 Pwnium prize, Glazunov would have had to uncover two zero-days in Chrome, one that allowed code execution in the browser, the other that broke out of the browser’s sandbox. By Google’s Pwnium rules, both vulnerabilities had to have been in Chrome’s code.
Pichai said that Google was working up a patch to push to Chrome users via the browser’s silent update mechanism, but did not reveal a timeline for the fix’s appearance.
Pwn2Own’s ZDI had predicted last week that no one would take Google up on its Pwnium offer , arguing that a sandbox escape exploit — which are rare — was worth much more then $60,000 on the open market.
To claim a Pwnium prize, researchers must reveal all vulnerabilities and exploits they used. Pwn2Own, however, requires contestants to disclose code execution bugs, but not any sandbox escape exploits.