All about Google Chrome & Google Chrome OS

14 Mar 12 Chrome, IE and Firefox Hacked


By the end of the Pwn2Own competition held last week Google Chrome, Microsoft Internet Explorer and Mozilla Firefox had all been subject to zero-day exploits. In the separate Pwnium competition Chrome was a victim twice over.

VuPen, the French team that felled Chrome within the first five minutes of the contest (see Chrome Hacked Twice at CanSecWest), were the overall winners of Pwn2Own, collecting the $60,000 prize for having the greatest number of points (123). On the final day of the competition VuPen exposed two vulnerabilities in Internet Explorer 9 that are claimed to go back as far as IE6 and also to affect future generations of Microsoft’s browser.

Relying on work done over the previous six weeks, the VuPen team used an unpatched heap-overflow bug to bypass DEP and ASLR and a separate memory corruption flaw to work around the browser’s “Protected Mode” sandbox, the security feature that’s meant to contain malicious code and prevent it from executing any commands on the system.

The second prize awarded at the end of Pwn2Own went to the two-man team of Willem Pinckaers and Vincenzo Iozzo, whose zero-day attack on Firefox involved a use-after-free problem which evaded the DEP and ASLR protections in Windows 7. The same vulnerability was first used to leak information multiple times and was then used as a conduit through which to execute prepared code. Pinckaers and Iozzo won $30,000 for amassing 66 points.

A second prize ($60,000) was also awarded in Google’s separate Pwnium contest, organized once it became apparent that the new rules for Pwn2Own meant contestants would not have to reveal the full exploits or even the bugs used. A few hours before the contest closed a teenage hacker known as Pinkie Pie chained two, or possibly three, zero-day vulnerabilities in Chrome together to break out of the browser’s sandbox and execute code.

Google has already patched both this vulnerability and the earlier one by Russian researcher Sergey Glazunov. 

Google’s Jason Kersey also said the two Pwnium vulnerability submissions are “works of art that deserve wider sharing and recognition” and plans to prepare technical reports on both Pwnium submissions.

 

Related Articles

Chrome Hacked Twice at CanSecWest

Google Offers $1 million for Chrome Hack

Article source: http://www.i-programmer.info/news/149-security/3920-chrome-ie-and-firefox-hacked.html

13 Mar 12 Chrome Succumbs to Pwn2Own Contest Hack


Google’s Chrome fell to researchers’ exploits Wednesday in both hacking challenges running this week at the CanSecWest security conference.

Yesterday was the first of three days for the “Pwn2Own” contest — now in its fifth year — and for Google’s rival upstart, “Pwnium.”

While Chrome went untouched in the last two years of “Pwn2Own,” it was the first to fall to researchers Wednesday when a French team demonstrated a two-vulnerability attack on the browser running in Windows 7.

Meanwhile, Google announced it had received its first “Pwnium” exploit submission, which the company’s Chrome chief executive said qualified for that event’s top-dollar $60,000 reward.

There are two cash-at-stake hacking events at CanSecWest this year because last week Google withdrew its Pwn2Own sponsorship over objections to the contest’s practice of not requiring researchers to divulge “sandbox-escape” exploits.

Google then announced its own Pwnium, which is not a contest per se, but rather a three-day window during which security researchers can demonstrate their Chrome attacks for the company’s security team. Google had promised it would pay up to $1 million — in $20,000, $40,000 and $60,000 awards — for hacks that exploited unknown, or “zero-day,” vulnerabilities.

At Pwn2Own, which changed this year to a point system, a team from French security company Vupen hacked Chrome about five minutes after the contest’s starting gun. Vupen was awarded 32 points by HP TippingPoint’s Zero Day Initiative (ZDI) bug bounty program, Pwn2Own’s organizer and sponsor.

The top scoring individual or research team will be handed $60,000 on Friday, with second and third places receiving $30,000 and $15,000, respectively.

Vupen’s exploit leveraged two bugs, said ZDI in a tweet Wednesday, including a “sandbox escape” necessary to break out of the anti-malware isolation technology designed to prevent malware from jumping out of the browser to infect the operating system.

“Google Chrome is the first browser to fall at #pwn2own 2012,” said Vupen in a tweet of its own. “We pwned it using an exploit bypassing DEP/ASLR and the sandbox!”

DEP, for data execution prevention, and ASLR, or address space layout randomization, are anti-exploit defenses baked into Windows.

On the Pwnium side of the aisle, Sundar Pichai, the senior vice president of Chrome, used Google+ to announce the first exploit submission.

“Congrats to long-time Chromium contributor Sergey Glazunov who just submitted our first Pwnium entry,” said Pichai. “Looks like it qualifies as a ‘Full Chrome’ exploit, qualifying for a $60k reward.”

Glazunov has been an active contributor not only to Chromium, the open-source project that feeds code into Chrome proper, but was also last year’s most prolific Chrome bug finder outside Google.

Last year, Google paid Glazunov nearly $59,000 in bug-reporting bounties, beating the No. 2 researcher, who goes only by the nickname “miabiz,” by almost $20,000.

To qualify for a $60,000 Pwnium prize, Glazunov would have had to uncover two zero-days in Chrome, one that allowed code execution in the browser, the other that broke out of the browser’s sandbox. By Google’s Pwnium rules, both vulnerabilities had to have been in Chrome’s code.

Pichai said that Google was working up a patch to push to Chrome users via the browser’s silent update mechanism, but did not reveal a timeline for the fix’s appearance.

Pwn2Own’s ZDI had predicted last week that no one would take Google up on its Pwnium offer, arguing that a sandbox escape exploit — which is rare — was worth much more than $60,000 on the open market.

To claim a Pwnium prize, researchers must reveal all vulnerabilities and exploits they used. Pwn2Own, however, requires contestants to disclose code execution bugs, but not any sandbox escape exploits.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg’s RSS feed. His e-mail address is gkeizer@ix.netcom.com.

Article source: http://www.pcworld.com/article/251505/chrome_succumbs_to_pwn2own_contest_hack.html

11 Mar 12 Chrome succumbs to Pwn2Own contest hack


Computerworld - Google’s Chrome fell to researchers’ exploits Wednesday in both hacking challenges running this week at the CanSecWest security conference.

Yesterday was the first of three days for the “Pwn2Own” contest — now in its fifth year — and for Google’s rival upstart, “Pwnium.”

While Chrome went untouched in the last two years of “Pwn2Own,” it was the first to fall to researchers Wednesday when a French team demonstrated a two-vulnerability attack on the browser running in Windows 7.

Meanwhile, Google announced it had received its first “Pwnium” exploit submission, which the company’s Chrome chief executive said qualified for that event’s top-dollar $60,000 reward.

There are two cash-at-stake hacking events at CanSecWest this year because last week Google withdrew its Pwn2Own sponsorship over objections to the contest’s practice of not requiring researchers to divulge “sandbox-escape” exploits.

Google then announced its own Pwnium, which is not a contest per se, but rather a three-day window during which security researchers can demonstrate their Chrome attacks for the company’s security team. Google had promised it would pay up to $1 million — in $20,000, $40,000 and $60,000 awards — for hacks that exploited unknown, or “zero-day,” vulnerabilities.

At Pwn2Own, which changed this year to a point system, a team from French security company Vupen hacked Chrome about five minutes after the contest’s starting gun. Vupen was awarded 32 points by HP TippingPoint’s Zero Day Initiative (ZDI) bug bounty program, Pwn2Own’s organizer and sponsor.

The top scoring individual or research team will be handed $60,000 on Friday, with second and third places receiving $30,000 and $15,000, respectively.

Vupen’s exploit leveraged two bugs, said ZDI in a tweet Wednesday, including a “sandbox escape” necessary to break out of the anti-malware isolation technology designed to prevent malware from jumping out of the browser to infect the operating system.

“Google Chrome is the first browser to fall at #pwn2own 2012,” said Vupen in a tweet of its own. “We pwned it using an exploit bypassing DEP/ASLR and the sandbox!”

DEP, for data execution prevention, and ASLR, or address space layout randomization, are anti-exploit defenses baked into Windows.

On the Pwnium side of the aisle, Sundar Pichai, the senior vice president of Chrome, used Google+ to announce the first exploit submission.

“Congrats to long-time Chromium contributor Sergey Glazunov who just submitted our first Pwnium entry,” said Pichai. “Looks like it qualifies as a ‘Full Chrome’ exploit, qualifying for a $60k reward.”

Glazunov has been an active contributor not only to Chromium, the open-source project that feeds code into Chrome proper, but was also last year’s most prolific Chrome bug finder outside Google.

Last year, Google paid Glazunov nearly $59,000 in bug-reporting bounties, beating the No. 2 researcher, who goes only by the nickname “miabiz,” by almost $20,000.

To qualify for a $60,000 Pwnium prize, Glazunov would have had to uncover two zero-days in Chrome, one that allowed code execution in the browser, the other that broke out of the browser’s sandbox. By Google’s Pwnium rules, both vulnerabilities had to have been in Chrome’s code.

Pichai said that Google was working up a patch to push to Chrome users via the browser’s silent update mechanism, but did not reveal a timeline for the fix’s appearance.

Pwn2Own’s ZDI had predicted last week that no one would take Google up on its Pwnium offer, arguing that a sandbox escape exploit — which is rare — was worth much more than $60,000 on the open market.

To claim a Pwnium prize, researchers must reveal all vulnerabilities and exploits they used. Pwn2Own, however, requires contestants to disclose code execution bugs, but not any sandbox escape exploits.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg’s RSS feed. His e-mail address is gkeizer@ix.netcom.com.

Article source: http://www.computerworld.com/s/article/9225010/Chrome_succumbs_to_Pwn2Own_contest_hack


09 Mar 12 Google Chrome Falls First in Pwn2Own Hacking Contest


Though Google’s Chrome was the only browser left unscathed at last year’s CanSecWest’s Pwn2Own hacking competition, this year it was the first one to fall.

ZDNet reported that the Google browser was taken down by a group of French hackers called Vupen – the same team that cracked Safari at last year’s contest.

Vupen’s co-founder and research head, Chaouki Bekrar, told ZDNet that the group worked for six weeks to hatch a plan to take on Chrome. They developed two zero-day exploits that were able to take complete control of a fully updated 64-bit Windows 7 machine.

“We had to use two vulnerabilities,” Bekrar told ZDNet. “The first one was to bypass DEP and ASLR on Windows and a second one to break out of the Chrome sandbox.”

Bekrar would not share the explicit details of the method Vupen used, nor would he say if either of the exploits used third-party code.

“It was a use-after-free vulnerability in the default installation of Chrome. Our exploit worked against the default installation so it really doesn’t matter if its third-party code anyway,” he said.

In 2011, Vupen released a video in which the group cracked Chrome using Flash, but Google said it didn’t count because of the use of third-party code.

So why did Vupen decide to go after Chrome first? Aside, of course, from the $1 million bounty Google placed on the browser’s head.

“We wanted to show that Chrome was not unbreakable. Last year we saw a lot of headlines that no one could hack Chrome. We wanted to make sure it was the first to fall this year,” Bekrar said.

He also noted that Chrome is “one of the most secure browsers available.”

Ahead of the Pwn2Own, Google announced that it would dole out a total of $1 million in prize money for successful Chrome hacks to entice competitors to target the browser and to use the exploits to help bolster the browser’s security.

“We have a big learning opportunity when we receive full end-to-end exploits,” Google said. “Not only can we fix the bugs, but by studying the vulnerability and [exploiting] techniques we can enhance our mitigations, automated testing, and sandboxing. This enables us to better protect our users.”

For more, see PCMag’s review of Google Chrome 17 and the slideshow below.



View Slideshow
See all (24) slides


Google Chrome 17


Malware Download Protection


Add New User


Syncing Choices


Article source: http://www.pcmag.com/article2/0,2817,2401305,00.asp?kc=PCRSS03069TX1K0001121



08 Mar 12 Google Chrome's winning streak fades at annual hacking contest


As day one of the annual Pwn2Own hacker contest wound down on Wednesday, no browser suffered more abuse than Google Chrome, which was felled by an attack exploiting a previously unknown vulnerability in the most up-to-date version. Combined with a separate contest Google sponsored a few feet away, it was the second zero-day attack visited on Chrome in a span of a few hours.

It was a rare event. To date, there are no known reports of a zero-day attack ever hitting Chrome in the wild, and at the previous three years’ contests, Chrome escaped unscathed, even as Internet Explorer, Firefox, and Safari were brought down by exploits that allowed the attackers to take complete control of the machine running the software. The chief reason: Chrome’s security sandbox—which isolates web content inside a highly restricted perimeter that’s separated from the rest of the operating system—makes it harder to write reliable attacks.

“We pwned Chrome to make things clear to everyone,” said Chaouki Bekrar, CEO of Vupen Security, which wielded the Chrome zero-day an hour or so after the contest began on Wednesday. “We wanted to show that even Chrome is not unbreakable.”

A contestant in the second contest, which Google has dubbed “Pwnium,” was also able to bypass the Chrome sandbox so he could execute any code of his choosing on the underlying machine. Sergey Glazunov wasn’t on site to discuss the hack. Google has said only that for him to win the top $60,000 reward, his exploit was required to bypass the sandbox using code native to Chrome.

Bekrar told Ars that his team’s attack exploited what’s known as a use-after-free bug to bypass DEP, or data execution prevention, and ASLR, or address space layout randomization. Both mitigations are designed to prevent hackers from executing malicious code even when they locate vulnerabilities. He said it exploited a second vulnerability that allows code to break out of the sandbox. He declined to detail the vulnerable component, except to say it was found in the “default” installation of the Google browser.

That detail led several observers to speculate that an Adobe Flash plugin was the means Vupen used to access more sensitive parts of the operating system. While Chrome runs the media player add-on in its own sandbox, the perimeter is considerably more porous than it is with other components, security researchers say. Core functionality in Flash, for instance, requires the app be able to control web cams and microphones, access system state, and connect to display monitors and other connected devices.

Now in its sixth year at the CanSecWest security conference in Vancouver, the contest rules this time around have been significantly reworked. In the past, organizer Tipping Point paid as much as $15,000 to the first person who exploited a fully patched version of each targeted software. Competitors on Wednesday scored 32 points for zero-day vulnerabilities, and they received 10 points each for exploiting already patched security flaws.

The new rules require nimbleness on the part of contestants because they learned which six patched flaws were eligible only as the competition got underway. Tipping Point gave them a virtual machine containing only a trigger that caused each browser to crash. It was then up to the hackers to use debuggers, disassemblers and other tools to isolate the cause of the crash and to engineer an exploit that allowed them to remotely execute code.

“It’s really challenging because you don’t only need to show you can create sophisticated exploits but you also have to show that you can create exploits very quickly,” Bekrar said. “Our team creates exploits every day, every year, so for us it was a nice challenge.”

So far, his team has exploited three of the six eligible vulnerabilities. It took 20 minutes to develop an attack for version 8 of IE running on Windows XP, an hour to write one that pwned Safari 5 on OS X Snow Leopard, and two hours for one that compromised Firefox 3 on Windows XP. That left Vupen with 62 points as day one was winding down. A separate contestant that had entered had no points, but it was still possible for members to submit entries until midnight. The contestants will also have a shot at the same vulnerabilities on Thursday and Friday, although the points scored diminish over time.

Vupen plans to exploit the remaining patched vulnerabilities on Thursday. But Bekrar, who said his team spent six months developing multiple zero-days for all four of the eligible browsers, said people shouldn’t be surprised if Vupen drops another one in the coming day.

“I think tomorrow we will go for another browser, just for fun,” he said.

Article source: http://arstechnica.com/business/news/2012/03/google-chromes-winning-streak-fades-at-annual-hacking-contest.ars?utm_source=rss&utm_medium=rss&utm_campaign=rss


08 Mar 12 Pwn2Own 2012: Google Chrome browser sandbox first to fall


VANCOUVER — At last year’s CanSecWest Pwn2Own hacker contest, Google Chrome was the only browser left standing. This year, Chrome was the first to fall, thanks to an impressive exploit from a team of French hackers.

VUPEN, the controversial company that sells vulnerabilities and exploits to government customers, deliberately took aim at Chrome this year to send a simple message: no software is unbreakable if hackers have enough motivation to prepare and launch an attack.

VUPEN co-founder and head of research Chaouki Bekrar and his team used a pair of zero-day vulnerabilities to take complete control of a fully patched 64-bit Windows 7 (SP1) machine. As part of the new competition format, VUPEN will earn 32 points for the successful Chrome exploit.


In an interview, Bekrar said his team worked for about six weeks to find the vulnerabilities and write the exploits. “We had to use two vulnerabilities. The first one was to bypass DEP and ASLR on Windows and a second one to break out of the Chrome sandbox.”

Bekrar declined to say if any of the exploits targeted third-party code in the browser. “It was a use-after-free vulnerability in the default installation of Chrome,” he said. “Our exploit worked against the default installation so it really doesn’t matter if it’s third-party code anyway.”

Last year, VUPEN released a video to demonstrate a successful sandbox escape against Chrome but Google challenged the validity of that hack, claiming it exploited third-party code, believed to be the Adobe Flash plugin.


At Pwn2Own this year, Bekrar’s team came equipped for zero-day flaws for all four major browsers — Google Chrome, Microsoft Internet Explorer, Apple Safari and Mozilla Firefox — but he said the decision to go after Chrome first was a deliberate tactic.

“We wanted to show that Chrome was not unbreakable. Last year, we saw a lot of headlines that no one could hack Chrome. We wanted to make sure it was the first to fall this year,” he said.

During the hack, Bekrar created a web page booby-trapped with his exploit. Once the target machine visited the page, the exploit ran and opened the Calculator (calc.exe) app outside of the sandbox.

“There was no user interaction, no extra clicks. Visit the site, popped the box.”

VUPEN will sell the rights to one of the zero-day vulnerabilities but the company says it won’t give up the sandbox escape. “We are keeping that private, keeping it for our customers.”

Even as he basked in the glory of defeating the highly touted Chrome sandbox, Bekrar was very complimentary of the work done by Google’s security team to add anti-exploit mechanisms into the browser.

“The Chrome sandbox is the most secure sandbox out there. It’s not an easy task to create a full exploit to bypass all the protections in the sandbox. I can say that Chrome is one of the most secure browsers available.”

“This just shows that any browser, or any software, can be hacked if there is enough motivation and skill,” he added.

Article source: http://www.zdnet.com/blog/security/pwn2own-2012-google-chrome-browser-sandbox-first-to-fall/10588


08 Mar 12 Pwn2Own 2012: Google Chrome browser sandbox first to fall


VANCOUVER — At last year’s CanSecWest Pwn2Own hacker contest, Google Chrome was the only browser left standing.  This year, Chrome was the first to fall, thanks to an impressive exploit from a team of French hackers.

VUPEN, the controversial company that sells vulnerabilities and exploits to government customers, deliberately took aim at Chrome this year to send a simple message: no software is unbreakable if hackers have enough motivation to prepare and launch an attack.follow Ryan Naraine on twitter

VUPEN co-founder and head of research Chaouki Bekrar and his team used a pair of zero-day vulnerabilities to take complete control of a fully patched 64-bit Windows 7 (SP1) machine.   As part of the new competition format, VUPEN will earn 32 points for the successful Chrome exploit.

[ SEE: Charlie Miller skipping Pwn2Own as new rules change hacking game ]

In an interview, Bekrar said his team worked for about six weeks to find the vulnerabilities and write the exploits. “We had to use two vulnerabilities. The first one was to bypass DEP and ASLR on Windows and a second one to break out of the Chrome sandbox.”

Bekrar declined to say if any of the exploits targeted third-party code in the browser. “It was a use-after-free vulnerability in the default installation of Chrome,” he said. “Our exploit worked against the default installation so it really doesn’t matter if it’s third-party code anyway.”

Last year, VUPEN released a video to demonstrate a successful sandbox escape against Chrome but Google challenged the validity of that hack, claiming it exploited third-party code, believed to be the Adobe Flash plugin.

[ SEE: CanSecWest Pwnium: Google Chrome hacked with sandbox bypass ]

At Pwn2Own this year, Bekrar’s team came equipped with zero-day flaws for all four major browsers — Google Chrome, Microsoft Internet Explorer, Apple Safari and Mozilla Firefox — but he said the decision to go after Chrome first was a deliberate tactic.

“We wanted to show that Chrome was not unbreakable. Last year, we saw a lot of headlines that no one could hack Chrome.  We wanted to make sure it was the first to fall this year,” he said.

During the hack, Bekrar created a web page booby-trapped with his exploit. Once the target machine visited the page, the exploit ran and opened the Calculator (calc.exe) app outside of the sandbox.

“There was no user interaction, no extra clicks.  Visit the site, popped the box.”

VUPEN will sell the rights to one of the zero-day vulnerabilities but the company says it won’t give up the sandbox escape. “We are keeping that private, keeping it for our customers.”

Even as he basked in the glory of defeating the highly touted Chrome sandbox, Bekrar was very complimentary of the work done by Google’s security team to add anti-exploit mechanisms into the browser.

“The Chrome sandbox is the most secure sandbox out there. It’s not an easy task to create a full exploit to bypass all the protections in the sandbox. I can say that Chrome is one of the most secure browsers available.”

“This just shows that any browser, or any software, can be hacked if there is enough motivation and skill,” he added.

Article source: http://www.zdnet.com/blog/security/pwn2own-2012-google-chrome-browser-sandbox-first-to-fall/10588


14 Dec 11 Google fixes 15 vulnerabilities in Chrome browser

The company releases Chrome 16 and pays researchers $6,000 for high and medium-risk security flaws found and fixed in the new Web browser

Google has released Chrome 16, a new stable version of its Web browser that addresses 15 high- and medium-risk vulnerabilities.

Four of the security flaws patched in this release stem from errors in Chrome’s built-in PDF parser, which is based on Foxit’s PDF SDK (software development kit).


Two of them have a medium severity rating and allow attackers to access parts of the system memory that weren’t allocated to the program. This can result in the exposure of sensitive information.

The other two allow attackers to execute arbitrary code by tricking victims into opening maliciously crafted PDF files and have a high severity rating.

Other high-risk arbitrary code execution vulnerabilities were identified and fixed in the SVG, range, bidi and internationalized JavaScript handling components. One bug in the view-source feature allows for the address displayed in the URL bar to be spoofed.

In total, there were six high-risk, seven medium-risk and two low-risk vulnerabilities patched in Chrome 16. Seven of them were discovered by Chromium developers and members of the Chrome and Google Security Teams, while the rest were found by external researchers who earned $6,000 through the Chromium Security Reward program for their reports.

Six vulnerabilities were discovered with the help of an open-source tool called AddressSanitizer, Google Chrome engineer Anthony Laforge said in a blog post.

However, while the arbitrary code execution and unauthorized memory access flaws pose a serious risk in theory, their actual impact is severely reduced by Google Chrome’s sandbox.

Sandboxing is an anti-exploitation technology that isolates potentially vulnerable components, like those used for content parsing, from the operating system. These components gain access to system resources through a special brokering process that’s easier to keep free of bugs.

As a result, if an attacker exploits, for example, a Chrome PDF handling vulnerability, their actions are restricted to the sandboxed environment and they can’t execute arbitrary code on the actual system.
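The broker pattern described above, reduced to a runnable sketch (an added illustration, not Chrome's own sandbox code): the parser holds no OS handles and can only send requests to a broker, which checks each one against a fixed allowlist before touching the filesystem. A thread stands in for Chrome's separate restricted process, and the sample directory and file are constructed on the fly.

```python
import os
import queue
import tempfile
import threading

# Constructed sample data: one directory the policy allows, one file inside it.
ALLOWED_ROOT = os.path.realpath(tempfile.mkdtemp(prefix="sandbox-demo-"))
SAMPLE_PDF = os.path.join(ALLOWED_ROOT, "doc.pdf")
OUTSIDE_PATH = os.path.join(ALLOWED_ROOT, "..", "outside.txt")  # traversal attempt
with open(SAMPLE_PDF, "wb") as f:
    f.write(b"%PDF-1.4\n%constructed sample, not a real document\n")

def broker_decide(op, path):
    """Broker side: the only code that touches the OS, kept small enough to audit."""
    if op != "read":
        return ("deny", "operation not permitted: " + op)
    real = os.path.realpath(path)  # collapse ../ and symlinks before comparing
    try:
        inside = os.path.commonpath([real, ALLOWED_ROOT]) == ALLOWED_ROOT
    except ValueError:             # different drives on Windows: never inside
        inside = False
    if not inside:
        return ("deny", "path outside sandbox root")
    with open(real, "rb") as fh:
        return ("ok", fh.read(8))

def sandboxed_parser(requests, replies, path):
    """Worker side (a thread here, a restricted process in a real sandbox): it holds
    no file handles, only the queues. The two extra requests stand in for what a
    compromised parser might try; the broker, not the parser, decides the outcome."""
    for op, target in (("read", path), ("write", path), ("read", OUTSIDE_PATH)):
        requests.put((op, target))
        replies.get()
    requests.put(("done", None))

def run_sandboxed(path):
    """Run the parser as a separate worker and broker every request it makes."""
    requests, replies = queue.Queue(), queue.Queue()
    worker = threading.Thread(target=sandboxed_parser, args=(requests, replies, path))
    worker.start()
    log = []
    while True:
        op, target = requests.get()
        if op == "done":
            break
        decision = broker_decide(op, target)
        log.append((op, decision[0]))
        replies.put(decision)
    worker.join()
    return log
```

Only the legitimate read of the sample file succeeds; the write and the path-traversal read are refused by policy regardless of what the parser code does.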

A recent Google-funded study conducted by security consultancy firm Accuvant determined that Chrome is the most secure browser when compared to Internet Explorer and Firefox. Accuvant’s researchers analyzed the anti-exploitation technologies implemented in the three browsers, including process sandboxing, plug-in security, JIT hardening techniques, ASLR, DEP and stack cookies (GS).

Article source: http://www.infoworld.com/d/applications/google-fixes-15-vulnerabilities-in-chrome-browser-181723
