AfterDawn: Tech news

CORRECTED: Google Chrome hacked in minutes at Pwn2Own

Written by James Delahunty @ 07 Mar 2012 11:00 User comments (5)

CORRECTED: Google Chrome hacked in minutes at Pwn2Own CORRECTED: Original article inaccurately stated that Chrome was the only browser that survived Pwn2Own 2011. Mozilla pointed out to us that Firefox had also remained secure at the Pwn2Own 2011 contest.

VUPEN defeats Chrome's sandbox.
The Google browser was first to fall victim at this year's Pwn2Own contest, despite not being hacked at the 2011 contest, along with Mozilla's Firefox browser.

VUPEN researchers used two zero-day flaws in its attack, which saw the Chrome browser defeated in less than five minutes. Chaouki Bekrar, head of research at VUPEN, said the pair of vulnerabilities got them complete control over a patched 64-bit Windows 7 machine.

"We had to use two vulnerabilities. The first one was to bypass DEP and ASLR on Windows and a second one to break out of the Chrome sandbox." Bekrar said.

He admitted that Chrome was the first to be targeted in order to send a message that no software is completely safe as long as there are people who are determined to find a way to exploit it. The exploit used by VUPEN was against the default installation of Google Chrome, which according to Bekrar, means that whether third party code was targeted or not is irrelevant.



VUPEN showed a video last year where it demonstrated successfully beating the Chrome sandbox, but Google responded quickly to claim that VUPEN actually exploited third party code (Flash) and not the browser itself.

Still, despite successfully hacking Chrome at Pwn2Own this year, Bekrar gave a nod to the security of the browser.

"The Chrome sandbox is the most secure sandbox out there. It?s not an easy task to create a full exploit to bypass all the protections in the sandbox. I can say that Chrome is one of the most secure browsers available."

Previous Next  

5 user comments

18.3.2012 02:09
SmaryJerry
Unverified new user

Did they get the $1 million dollar prize for that hacking challenge Google put out there?

28.3.2012 08:03

Originally posted by SmaryJerry:
Did they get the $1 million dollar prize for that hacking challenge Google put out there?
I was wondering the same Question?....

38.3.2012 13:08

Originally posted by nbfreak2:
Originally posted by SmaryJerry:
Did they get the $1 million dollar prize for that hacking challenge Google put out there?
I was wondering the same Question?....
Yea me too. I hope they got it...

48.3.2012 17:23

probably not since it wasn't a direct exploitation of Chrome rather than a vulnerability in Windows first.

58.3.2012 21:15

Originally posted by SmaryJerry:
Did they get the $1 million dollar prize for that hacking challenge Google put out there?
Unfortunately, no. While there *is* 1M in the kitty for exploits, they are only paying 60K per.

Comments have been disabled for this article.

News archive