All about Google Chrome & Google Chrome OS

10 Mar 12 Google patches Chrome flaw in 24 hours


Well, that didn’t take long.

The day after Google’s Chrome browser was successfully hacked twice at this year’s CanSecWest security conference in Vancouver, British Columbia, Google pushed out a patch to fix the flaw that made one of the hacks possible — the second Chrome update in three days.

“Congratulations again to community member Sergey Glazunov for the first submission to Pwnium!” wrote Chrome developer Jason Kersey on the official Chrome blog. “Ch-ch-ch-ch-ching!!! $60,000.”

Pwnium is a new Google-hosted contest at CanSecWest that’s giving away up to $1 million in rewards for successful hacks of Chrome. It’s running concurrently at CanSecWest with another hacking contest, the annual Pwn2Own contest, which is in its sixth year.

The French security firm VUPEN cracked Chrome in Pwn2Own yesterday, but unlike Glazunov, the company’s not telling how it did it, other than that it exploited a previously unknown flaw — a “zero day” in security speak — in the “default installation” of Chrome.

VUPEN is one of several security firms in the world that controversially won’t always immediately tell software companies about flaws in their own software.

Instead, as part of its “exclusive vulnerability research intelligence” policy, VUPEN normally informs only its paying, contracted clients about software vulnerabilities, leading some to call the company’s actions “no different from patent trolls.”

On its website, VUPEN states that it “follows a commercial responsible disclosure policy and reports all discovered vulnerabilities to the affected vendors under contract with VUPEN, and works with them to create a timetable pursuant to which the vulnerability information may be publicly disclosed.”

Google created Pwnium this year after Pwn2Own changed its own rules, abolishing the rule that had forced contestants to disclose all the vulnerabilities they exploited.

“Full exploits have been handed over in previous years, but it’s an explicit non-requirement in this year’s contest, and that’s worrisome,” read a posting last week on the Chrome developer blog.

VUPEN famously cracked Chrome in May 2011, and refused to tell Google what that flaw was as well. The company cracked Apple’s Safari browser at last year’s Pwn2Own contest.

This year was the first time that Chrome, which was released at the end of 2008, had ever been cracked at Pwn2Own.

On Monday, Google patched as many holes in Chrome as it could find ahead of the contests. Clearly, it wasn’t enough.

© 2012 SecurityNewsDaily. All rights reserved

Article source: http://www.msnbc.msn.com/id/46681561/ns/technology_and_science-security/


09 Mar 12 Chrome Browser Hit Hard In Hacker Competition


At the 2011 CanSecWest Pwn2Own hacker contest, Google Chrome was the one browser that challengers could not break into. Fast forward to the 2012 challenge, and Chrome was the first to fall, thanks to a team of French hackers who found a previously unknown vulnerability in the software.

VUPEN, a vulnerability management solutions firm that often deals with government agencies, took aim at Chrome this year and made a bold statement once they hacked in: no software is unbreakable if hackers have enough motivation to prepare and launch an attack.

And surprisingly, this was only the first of two attacks made on Google’s Chrome browser in a span of only a few hours on the opening day of the annual contest. Google had sponsored a separate contest at the event, which also saw the browser fail dramatically.

By being the only browser left standing at the 2011 event, a huge bulls-eye was painted on Chrome’s back for hackers to try and hit. In a perfect world, Chrome would have shot down any takers. But this is no perfect world, and hackers proved that yesterday.

The Pwn2Own contest takes place at the annual CanSecWest security conference in Vancouver, British Columbia. The goal of the contest is to exploit browsers and mobile devices to take full control of the system. Hackers who break the system receive the device they hacked and a cash prize. The contest sponsor, TippingPoint, provides a report of the vulnerabilities to the applicable vendor of the system, detailing how the vulnerability was exploited. The details of the vulnerability are not made public until the vendor has corrected the vulnerability.

VUPEN was the first team to successfully hack Apple’s Safari browser last year, so it only seemed fitting that it was the first to break Chrome this year. It set its sights on the browser after first developing a plan of attack for six weeks. Its method took advantage of two zero-day exploits — unknown issues with a shipping product — and a baited website set up during the hack. Once the computer visited the site, the exploit ran and opened up the Chrome calculator extension outside of the browser’s sandbox, demonstrating complete control of the fully patched 64-bit Windows 7 machine.

“We had to use two vulnerabilities. The first one was to bypass DEP and ASLR on Windows and a second one to break out of the Chrome sandbox,” VUPEN co-founder and head of research Chaouki Bekrar told ZDNet in an interview at the contest.

However, he declined to say if any of the exploits targeted third-party code in the browser. “It was a use-after-free vulnerability in the default installation of Chrome,” he said. “Our exploit worked against the default installation so it really doesn’t matter if it’s third-party code anyway.”

VUPEN previously released a video showing them cracking Chrome, but Google rejected it, stating the hackers used exploits found in third-party code, most likely Flash. Though VUPEN declined to say how they gained control of the system, they did note they had hacked a completely default version of the browser. Because Flash is pre-installed as part of Chrome, they could very well have used a similar exploit.

“We wanted to show that Chrome was not unbreakable. Last year, we saw a lot of headlines that no one could hack Chrome. We wanted to make sure it was the first to fall this year,” Bekrar told Ryan Naraine of ZDNet.

Even though Chrome fell this year, Bekrar told ZDNet that “the Chrome sandbox is the most secure sandbox out there. It’s not an easy task to create a full exploit to bypass all the protections in the sandbox.” Still, if you have the drive, the know-how and a simple booby-trapped webpage at your fingertips, anything is possible, he added.

In Google’s sponsored contest, dubbed “Pwnium,” a contestant was able to bypass the Chrome sandbox so he could execute any code of his choosing on the underlying machine. However, Google said the $60,000 reward was not given up, because the contestant didn’t use the required exploit code to bypass the sandbox.

The Pwn2Own contest, now in its sixth year at the CanSecWest conference, has developed a new set of rules for hackers. In the past, TippingPoint paid as much as $15,000 to the first person who exploited a fully patched version of each targeted software. This year, competitors score 32 points for zero-day vulnerabilities and an additional 10 points each for exploiting six already patched security flaws. Monetary rewards are given to top point scorers at the event’s end.

The new rules require nimbleness on the part of contestants because they learned which six patched flaws were eligible only as the competition got underway. TippingPoint gave hackers a virtual machine containing only a trigger that caused each browser to crash. It was then up to the hackers to use their tools to isolate the cause of the crash and to engineer an exploit that allowed them to remotely execute code.

“It’s really challenging because you don’t only need to show you can create sophisticated exploits but you also have to show that you can create exploits very quickly,” Bekrar said. “Our team creates exploits every day, every year, so for us it was a nice challenge.”

So far, VUPEN has exploited three of the six eligible vulnerabilities. That left VUPEN with 62 points as day one of the contest wound down. Contestants will have the same chance to exploit vulnerabilities on Thursday and Friday, although the points scored diminish over time.

Bekrar said VUPEN plans to exploit the remaining patched vulnerabilities today.

Article source: http://www.redorbit.com/news/technology/1112489649/chrome-browser-hit-hard-in-hacker-competition/


06 Mar 12 Google patches 14 Chrome bugs, pays $47k in bounties


Google has patched 14 vulnerabilities in Chrome and handed out a record $47,500 in rewards to researchers, including $30,000 for “sustained, extraordinary” contributions to its bug-reporting program.

The record checks were cut just two days before Google will put up to $1 million on the line at CanSecWest, a security conference set to kick off Tuesday and run through Thursday.


Sunday’s security update to Chrome 17 was the second for that version since it launched Feb. 8.

All 14 of the vulnerabilities patched yesterday were labeled “high,” Google’s second-most-serious threat ranking.

Ten of the bugs were tagged as “use-after-free” memory management vulnerabilities, a common type of bug reported by researchers, who continue to use Google’s own memory error detection tool, AddressSanitizer, to sniff out flaws.

While the 14 bugs reported by four outside researchers earned them $17,500 in bounty payments, Google also rewarded three of them with surprise bonuses of $10,000 each for what it said was “sustained, extraordinary” work.

The three bonuses went to researchers Aki Helin and Arthur Gerkis, and to someone identified as “miaubiz.” All three reported vulnerabilities that Google patched Sunday.

They also have been among the most prolific researchers for Google.

In 2011, for example, miaubiz earned more than $40,000 in bounties, while Helin took home $7,500 and Gerkis received $4,000.

“To determine the [$10,000] rewards, we looked at bug finding performance over the past few months,” said Jason Kersey, a Chrome program manager, in a Sunday blog. “We have always reserved the right to arbitrarily reward sustained, extraordinary contributions. We reserve the right to do so again and reserve the right to do so on a more regular basis!”

So far this year, Google has paid nearly $73,000 to outside researchers.

It could lay out a lot more than that this week at CanSecWest, the Vancouver, British Columbia, security conference that opens tomorrow.

Last week, Google withdrew its sponsorship of the annual Pwn2Own hacking contest at CanSecWest, and instead said it would offer up to $1 million in cash prizes to researchers who demonstrate exploits of unknown Chrome vulnerabilities.

Google will pay $60,000 for what it called a “full Chrome exploit” — one that successfully hacks Chrome on Windows 7 using only vulnerabilities in Chrome itself — $40,000 for every partial exploit that uses one bug within Chrome and one or more in other software, and $20,000 for “consolation” exploits that hack Chrome without using any vulnerabilities in the browser.

The company has promised to pay out as much as $1 million, assuming it has that many takers.

Also included with Sunday’s Chrome 17 was an update to Adobe Flash Player. Google again beat Adobe to the punch on delivering a Flash upgrade; Adobe is issuing a security update today that fixes two critical flaws in the popular media software.

Adobe credited two members of Google’s security team, Tavis Ormandy and Fermin Serna, with reporting the Flash bugs.

Sunday’s update to Chrome 17 can be downloaded for Windows, Mac OS X and Linux from Google’s website. Users running the browser will be updated automatically through its silent service.

Article source: http://www.macworld.co.uk/digitallifestyle/news/index.cfm?newsid=3342258


06 Mar 12 Google patches 14 Chrome bugs, pays record $47K in bounties and bonuses


Google yesterday patched 14 vulnerabilities in Chrome and handed out a record $47,500 in rewards to researchers, including $30,000 for “sustained, extraordinary” contributions to its bug-reporting program.

The record checks were cut just two days before Google will put up to $1 million on the line at CanSecWest, a security conference set to kick off Tuesday and run through Thursday.

Sunday’s security update to Chrome 17 was the second for that version since it launched Feb. 8.

All 14 of the vulnerabilities patched yesterday were labeled “high,” Google’s second-most-serious threat ranking.

Ten of the bugs were tagged as “use-after-free” memory management vulnerabilities, a common type of bug reported by researchers, who continue to use Google’s own memory error detection tool, AddressSanitizer, to sniff out flaws.

While the 14 bugs reported by four outside researchers earned them $17,500 in bounty payments, Google also rewarded three of them with surprise bonuses of $10,000 each for what it said was “sustained, extraordinary” work.

The three bonuses went to researchers Aki Helin and Arthur Gerkis, and to someone identified as “miaubiz.” All three reported vulnerabilities that Google patched Sunday.

They also have been among the most prolific researchers for Google.

In 2011, for example, miaubiz earned more than $40,000 in bounties, while Helin took home $7,500 and Gerkis received $4,000.

“To determine the [$10,000] rewards, we looked at bug finding performance over the past few months,” said Jason Kersey, a Chrome program manager, in a Sunday blog. “We have always reserved the right to arbitrarily reward sustained, extraordinary contributions. We reserve the right to do so again and reserve the right to do so on a more regular basis!”

So far this year, Google has paid nearly $73,000 to outside researchers.

It could lay out a lot more than that this week at CanSecWest, the Vancouver, British Columbia, security conference that opens tomorrow.

Last week, Google withdrew its sponsorship of the annual Pwn2Own hacking contest at CanSecWest, and instead said it would offer up to $1 million in cash prizes to researchers who demonstrate exploits of unknown Chrome vulnerabilities.

Google will pay $60,000 for what it called a “full Chrome exploit” — one that successfully hacks Chrome on Windows 7 using only vulnerabilities in Chrome itself — $40,000 for every partial exploit that uses one bug within Chrome and one or more in other software, and $20,000 for “consolation” exploits that hack Chrome without using any vulnerabilities in the browser.

The company has promised to pay out as much as $1 million, assuming it has that many takers.

Also included with Sunday’s Chrome 17 was an update to Adobe Flash Player. Google again beat Adobe to the punch on delivering a Flash upgrade; Adobe is issuing a security update today that fixes two critical flaws in the popular media software.

Adobe credited two members of Google’s security team, Tavis Ormandy and Fermin Serna, with reporting the Flash bugs.

Article source: http://www.networkworld.com/news/2012/030512-google-patches-14-chrome-bugs-256942.html


29 Feb 12 Google offers $1 million bounty for Chrome exploits


Google has withdrawn as a sponsor of next month’s Pwn2Own hacking contest, and will instead put as much as $1 million (£630,000) up for grabs if researchers can exploit Chrome.

The company will run its own exploit challenge at the CanSecWest security conference, the venue for Pwn2Own, because it objected to what it said was a change in the rules by contest organizer and prime sponsor, HP TippingPoint’s bug-bounty program, Zero Day Initiative (ZDI).

“We decided to withdraw our sponsorship when we discovered that contestants are permitted to enter Pwn2Own without having to reveal full exploits, or even all of the bugs used, to vendors,” said Chris Evans and Justin Schuh, two members of the Chrome security team. “Full exploits have been handed over in previous years, but it’s an explicit non-requirement in this year’s contest, and that’s worrisome.”

Pwn2Own’s rules say nothing about not handing over complete exploits or all bugs to vendors at the close of the contest, but a January 23 tweet by ZDI said: “To clarify, if a team demonstrates 0day at Pwn2Own 2012, but doesn’t end up as a winner, the vuln[erability] is still theirs and will not be reported.”

Previously, Google had promised to pay $20,000 to any researcher who managed to exploit Chrome by leveraging browser-only flaws, and $10,000 for a “partial” exploit that relies on a bug in Chrome in addition to a bug in the operating system.

‘Sandboxing’

Because Chrome is “sandboxed” – an anti-exploit technology that isolates malware – a hack of the browser typically requires two or more exploits. The first is necessary to get attack code out of the sandbox, and the second is needed to actually exploit a Chrome vulnerability and plant malware on the machine.

But Google is ditching that $20,000 maximum scheme, and will put up to $1 million on the line at CanSecWest, said Evans and Schuh.

“We’ve upped the ante,” said the engineers.

For what they called a “full Chrome exploit” – one that successfully hacks Chrome on Windows 7 using only vulnerabilities in Chrome itself – Google will pay $60,000, which is equivalent to Pwn2Own’s top prize for that three-day contest.

A partial exploit that uses one bug within Chrome and one or more others – perhaps in Windows – earns a researcher $40,000. Finally, Google will pay $20,000 for “consolation” exploits that hack Chrome without using any vulnerabilities in the browser itself.

The only limit Google has put on the challenge is a maximum total payout of $1 million. “We will issue multiple rewards per category, up to the $1 million limit, on a first-come-first served basis,” said Evans and Schuh.

Zero-days

For the bigger rewards, Google will require more from researchers, who must demonstrate that the bug(s) are reliably exploitable, of critical impact and true “zero-days” that are unknown to Google and have not been shared with any third parties. Both the vulnerabilities used as well as the full exploit must be handed over to Google so that it can, as Evans and Schuh said, “Enhance our mitigations, automated testing, and sandboxing.”

Google’s rules also effectively ensure that few if any working Chrome exploits will be used in Pwn2Own. “Contestant’s exploits must be submitted to and judged by Google before being submitted anywhere else,” said Evans and Schuh.

Although HP TippingPoint was not available for comment on Google’s departure from Pwn2Own, a Twitter exchange sounded like the split was amicable.

“Nice to see over that after 5 years of Pwn2Own vendors are finally stepping up and offering big $ for vuln[erabilities],” said Aaron Portnoy, the leader of TippingPoint’s security research team and the organizer of Pwn2Own.

The difference in TippingPoint’s and Google’s goals – the former seeks vulnerabilities it can add to its intrusion prevention system appliances, the latter wants exploits it can examine – appeared to be behind the latter’s decision to bail out of Pwn2Own.

“We want to study full end-to-end exploits, not just the bugs but also the techniques,” said Evans, also on Twitter.

Ante up

Google tacitly acknowledged that the money it has offered at previous Pwn2Owns – $20,000 last year, $10,000 in 2010 – had not been enough to shake Chrome bugs and exploits from the researcher tree.

“While we’re proud of Chrome’s leading track record in past competitions, the fact is that not receiving exploits means that it’s harder to learn and improve,” said Evans and Schuh in a blog post on February 27.

Chrome’s record at Pwn2Own has been impressive: No researcher has been awarded prize money for exploiting Google’s browser at the contest. Apple’s Safari, Microsoft’s Internet Explorer and Mozilla’s Firefox – the other browser targets – have all been hacked one or more times.

It’s possible that that may change this year.

French security firm Vupen, which took home $15,000 at last year’s Pwn2Own for exploiting Safari, plans to bring at least one Chrome zero-day to CanSecWest. Last week, Chaouki Bekrar, Vupen’s CEO and head of research, said that a team from his company would be at Pwn2Own; earlier he had claimed Vupen had zero-days for not only Chrome, but also Firefox, IE and Safari.

Vupen’s appearance at Google’s CanSecWest table could be awkward: Last May, the French company boasted it had figured out a way to hack Chrome by sidestepping the browser’s sandbox and evading Windows 7’s own anti-exploit technologies.

Google was unable to verify the claim because Vupen does not report flaws to vendors.

Any vulnerabilities in non-Chrome code revealed by money winners will be turned over to the appropriate vendor, Evans and Schuh promised.

CanSecWest, Pwn2Own and Google’s exploit-reward program will take place in Vancouver, British Columbia, March 7-9.

Article source: http://rss.feedsportal.com/c/270/f/470440/s/1d06f42d/l/0Lnews0Btechworld0N0Csecurity0C3340A9750Cgoogle0Eoffers0E10Emillion0Ebounty0Efor0Echrome0Eexploits0C0Dolo0Frss/story01.htm


24 Jan 12 Google ups ante for Chrome hack at revamped Pwn2Own


The sponsor of the annual Pwn2Own hacking contest has dramatically revamped the challenge and will be awarding a first prize of $60,000 this year, four times 2011’s top reward.

Google will also significantly increase the money it potentially will pay to people able to hack its Chrome browser.

Pwn2Own will take place over a three-day stretch in early March at the Vancouver, British Columbia-based CanSecWest security conference.

Four desktop browsers — the most up-to-date editions of Chrome, Apple’s Safari, Microsoft’s Internet Explorer and Mozilla’s Firefox — will feature as this year’s targets, said Aaron Portnoy, the leader of TippingPoint’s security research team and the organizer of Pwn2Own.

Rather than take a target off the table when the first researcher manages to exploit it — as has been done at past Pwn2Owns — this year the contest will use a point schedule that lets everyone try their hand.

More importantly, researchers will be challenged to devise exploits on the spot.

“The first morning of the contest we’ll announce two vulnerabilities per target that have been patched and give [researchers] a basic proof-of-concept,” said Portnoy. “Until now, Pwn2Own has never been much of a spectator sport.”

The on-site exploit writing should change that, as researchers or teams of researchers will be awarded 10 points per hack on the first day, nine points on the second and eight points on the third.

While those scores will be much less than the 32 points awarded for each new browser “zero-day” — or previously unpatched — vulnerability revealed and exploited at Pwn2Own, they make it possible, said Portnoy, for someone to win the big money by adding one or more on-site exploits to the zero-day(s) they bring with them.

The on-site exploits will take aim at older versions of the four browsers that were available during 2011. Microsoft’s Internet Explorer 8 (IE8) will likely be one of the targets, for instance.

The top-scoring researcher or team will take home $60,000, triple the maximum Pwn2Own has given in the past. The second-place prize will be $30,000, and third place will collect $15,000.

Last year, the biggest cash prize was $15,000, which went to the first researcher able to hack one of the desktop or mobile browsers put in the spotlight.

Among the other changes, said Portnoy, is the elimination of the random drawing that decided the order in which researchers took on targets.

“That really wasn’t fair to competitors,” said Portnoy, noting that the first in line had a decided advantage because once exploited, a browser was removed from the contest.

“We won’t have any winners until the end of the third day,” Portnoy added.

Stretching out the contest and offering points for on-the-scene exploits will also distance Pwn2Own from headlines that Portnoy called “sensationalist.”

Because researchers came armed with zero-day vulnerabilities they had found earlier, along with exploits created before the contest, media reports, including those by Computerworld, often focused on the short time it took a hacker to break a browser.

Google will also reprise its promise to pay $20,000 for Chrome exploits, said Portnoy.

Last year, Google said it would pay that amount to the first researcher who successfully exploited Chrome using vulnerabilities in Google’s own code. In 2011, it also said it would pay $10,000 to any researchers who employed a non-Chrome bug, say one in Windows, to break out of the browser’s sandbox.

This year, Google will pony up $20,000 to any researcher who manages to exploit Chrome by leveraging Google-only flaws. “Google will pay $20,000 each to any researchers who demonstrate vulnerabilities in Google’s code,” said Portnoy.

In other words, if six different researchers hack Chrome using six different sets of Google-exposed vulnerabilities, the search giant will be on the hook for $120,000.

What Portnoy called a “partial” exploit will earn a researcher $10,000. “A partial Chrome hack uses a bug in Chrome in addition to a bug in the operating system,” said Portnoy.

Because Chrome is “sandboxed” — the label for an anti-exploit technology that isolates malware — a hack of the browser typically requires two or more exploits. The first is necessary to get attack code out of the sandbox, and the second is needed to actually exploit a Chrome vulnerability and plant malware on the machine.

Any money paid out by Google will be above and beyond the three cash prizes given by TippingPoint.

Google’s money may be safe: Chrome has never been exploited at Pwn2Own.

No other browser maker has stepped forward with a similar offer for this year’s contest, Portnoy confirmed.

TippingPoint today posted the revised contest rules on its website, and will release news during the challenge from a special Twitter account.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg’s RSS feed. His e-mail address is gkeizer@computerworld.com.


Article source: http://www.computerworld.com.au/article/413189/google_ups_ante_chrome_hack_revamped_pwn2own/?utm_medium=rss&utm_source=sectionfeed


24 Jan 12 Google ups ante for Chrome hack at revamped Pwn2Own


Computerworld - HP TippingPoint, the long-time sponsor of the annual Pwn2Own hacking contest, has dramatically revamped the challenge and will be awarding a first prize of $60,000 this year, four times 2011’s top reward.

Google will also significantly increase the money it potentially will pay to people able to hack its Chrome browser at the contest.

Pwn2Own will take place over a three-day stretch in early March at the Vancouver, British Columbia-based CanSecWest security conference.

Four desktop browsers — the most up-to-date editions of Chrome, Apple’s Safari, Microsoft’s Internet Explorer and Mozilla’s Firefox — will feature as this year’s targets, said Aaron Portnoy, the leader of HP TippingPoint’s security research team and the organizer of Pwn2Own.

Rather than take a target off the table when the first researcher manages to exploit it — as has been done at past Pwn2Owns — this year the contest will use a point schedule that lets everyone try their hand.

More importantly, researchers will be challenged to devise exploits on the spot.

“The first morning of the contest we’ll announce two vulnerabilities per target that have been patched and give [researchers] a basic proof-of-concept,” said Portnoy. “Until now, Pwn2Own has never been much of a spectator sport.”

The on-site exploit writing should change that, as researchers or teams of researchers will be awarded 10 points per hack on the first day, nine points on the second and eight points on the third.

While those scores will be much less than the 32 points awarded for each new browser “zero-day” — or previously unpatched — vulnerability revealed and exploited at Pwn2Own, they make it possible, said Portnoy, for someone to win the big money by adding one or more on-site exploits to the zero-day(s) they bring with them.

The on-site exploits will take aim at older versions of the four browsers that were available during 2011. Microsoft’s Internet Explorer 8 (IE8) will likely be one of the targets, for instance.

The top-scoring researcher or team will take home $60,000, triple the maximum Pwn2Own has given in the past. The second-place prize will be $30,000, and third place will collect $15,000.

Last year, the biggest cash prize was $15,000, which went to the first researcher able to hack one of the desktop or mobile browsers put in the spotlight.

Among the other changes, said Portnoy, is the elimination of the random drawing that decided the order in which researchers took on targets.

“That really wasn’t fair to competitors,” said Portnoy, noting that the first in line had a decided advantage because once exploited, a browser was removed from the contest.

“We won’t have any winners until the end of the third day,” Portnoy added.

Article source: http://www.computerworld.com/s/article/9223643/Google_ups_ante_for_Chrome_hack_at_revamped_Pwn2Own?source=rss_keyword_edpicks
