All about Google Chrome & Google Chrome OS

09 Mar 12 Chrome Browser Hit Hard In Hacker Competition


At the 2011 CanSecWest Pwn2Own hacker contest, Google Chrome was the one browser that challengers could not break into. Fast forward to the 2012 challenge, and Chrome was the first to fall, thanks to a team of French hackers who found a previously unknown vulnerability in the software.

VUPEN, a vulnerability management solutions firm that often deals with government agencies, took aim at Chrome this year and made a bold statement once they hacked in: no software is unbreakable if hackers have enough motivation to prepare and launch an attack.

And surprisingly, this was only the first of two attacks made on Google’s Chrome browser in a span of only a few hours on the opening day of the annual contest. Google had sponsored a separate contest at the event, which also saw the browser fail dramatically.

By being the only browser left standing at the 2011 event, a huge bulls-eye was painted on Chrome’s back for hackers to try and hit. In a perfect world, Chrome would have shot down any takers. But this is no perfect world, and hackers proved that yesterday.

The Pwn2Own contest takes place at the annual CanSecWest security conference in Vancouver, British Columbia. The goal of the contest is to exploit browsers and mobile devices to take full control of the system. Hackers who break the system receive the device they hacked and a cash prize. The contest sponsor, TippingPoint, provides the applicable vendor with a report detailing how the vulnerability was exploited. The details of the vulnerability are not made public until the vendor has corrected it.

VUPEN was the first team to successfully hack Apple’s Safari browser last year, so it only seemed fitting that it was the first to break Chrome this year. It set its sights on the browser after first developing a plan of attack for six weeks. Its method took advantage of two zero-day exploits — unknown issues with a shipping product — and a baited website set up during the hack. Once the computer visited the site, the exploit ran and opened up the Chrome calculator extension outside of the browser’s sandbox, demonstrating complete control of the fully patched 64-bit Windows 7 machine.

“We had to use two vulnerabilities. The first one was to bypass DEP and ASLR on Windows and a second one to break out of the Chrome sandbox,” VUPEN co-founder and head of research Chaouki Bekrar told ZDNet in an interview at the contest.

However, he declined to say if any of the exploits targeted third-party code in the browser. “It was a use-after-free vulnerability in the default installation of Chrome,” he said. “Our exploit worked against the default installation so it really doesn’t matter if it’s third-party code anyway.”

VUPEN previously released a video showing them cracking Chrome, but Google rejected it, stating the hackers used exploits found in third-party code, most likely Flash. Though VUPEN declined to say how they gained control of the system, they did note they had hacked a completely default version of the browser. Because Flash is pre-installed as part of Chrome, they could very well have used a similar exploit.

“We wanted to show that Chrome was not unbreakable. Last year, we saw a lot of headlines that no one could hack Chrome. We wanted to make sure it was the first to fall this year,” Bekrar told Ryan Naraine of ZDNet.

Even though Chrome fell this year, Bekrar told ZDNet that “the Chrome sandbox is the most secure sandbox out there. It’s not an easy task to create a full exploit to bypass all the protections in the sandbox.” Still, if you have the drive, the know-how and a simple booby-trapped webpage at your fingertips, anything is possible, he added.

In Google’s sponsored contest, dubbed “Pwnium,” a contestant was able to bypass the Chrome sandbox so he could execute any code of his choosing on the underlying machine. However, Google said the $60,000 reward was not given up, because the contestant didn’t use the required exploit code to bypass the sandbox.

The Pwn2Own contest, now in its sixth year at the CanSecWest conference, has developed a new set of rules for hackers. In the past, TippingPoint paid as much as $15,000 to the first person who exploited a fully patched version of each targeted software. This year, competitors score 32 points for zero-day vulnerabilities and an additional 10 points each for exploiting six already patched security flaws. Monetary rewards are given to top point scorers at the event’s end.

The new rules require nimbleness on the part of contestants because they learned which six patched flaws were eligible only as the competition got underway. TippingPoint gave hackers a virtual machine containing only a trigger that caused each browser to crash. It was then up to the hackers to use their tools to isolate the cause of the crash and to engineer an exploit that allowed them to remotely execute code.

“It’s really challenging because you don’t only need to show you can create sophisticated exploits but you also have to show that you can create exploits very quickly,” Bekrar said. “Our team creates exploits every day, every year, so for us it was a nice challenge.”

So far, VUPEN has exploited three of the six eligible vulnerabilities. That left VUPEN with 62 points as day one of the contest wound down. Contestants will have the same chance to exploit vulnerabilities on Thursday and Friday, although the points scored diminish over time.

Bekrar said VUPEN plans to exploit the remaining patched vulnerabilities today.


Article source: http://www.redorbit.com/news/technology/1112489649/chrome-browser-hit-hard-in-hacker-competition/


09 Mar 12 Google Chrome Falls First in Pwn2Own Hacking Contest


Though Google’s Chrome was the only browser left unscathed at last year’s CanSecWest’s Pwn2Own hacking competition, this year it was the first one to fall.

ZDNet reported that the Google browser was taken down by a group of French hackers called Vupen – the same team that cracked Safari at last year’s contest.

Vupen’s co-founder and research head, Chaouki Bekrar, told ZDNet that the group worked for six weeks to hatch a plan to take on Chrome. They developed two zero-day exploits that were able to take complete control of a fully updated 64-bit Windows 7 machine.

“We had to use two vulnerabilities,” Bekrar told ZDNet. “The first one was to bypass DEP and ASLR on Windows and a second one to break out of the Chrome sandbox.”

Bekrar would not share the explicit details of the method Vupen used, nor would he say if either of the exploits used third-party code.

“It was a use-after-free vulnerability in the default installation of Chrome. Our exploit worked against the default installation so it really doesn’t matter if it’s third-party code anyway,” he said.

In 2011, Vupen released a video in which the group cracked Chrome using Flash, but Google said it didn’t count because of the use of third-party code.

So why did Vupen decide to go after Chrome first? Aside, of course, from the $1 million bounty Google placed on the browser’s head.

“We wanted to show that Chrome was not unbreakable. Last year we saw a lot of headlines that no one could hack Chrome. We wanted to make sure it was the first to fall this year,” Bekrar said.

He also noted that Chrome is “one of the most secure browsers available.”

Ahead of the Pwn2Own, Google announced that it would dole out a total of $1 million in prize money for successful Chrome hacks to entice competitors to target the browser and to use the exploits to help bolster the browser’s security.

“We have a big learning opportunity when we receive full end-to-end exploits,” Google said. “Not only can we fix the bugs, but by studying the vulnerability and [exploiting] techniques we can enhance our mitigations, automated testing, and sandboxing. This enables us to better protect our users.”


Article source: http://www.pcmag.com/article2/0,2817,2401305,00.asp?kc=PCRSS03069TX1K0001121


08 Mar 12 Google Chrome's winning streak fades at annual hacking contest


As day one of the annual Pwn2Own hacker contest wound down on Wednesday, no browser suffered more abuse than Google Chrome, which was felled by an attack exploiting a previously unknown vulnerability in the most up-to-date version. Combined with a separate contest Google sponsored a few feet away, it was the second zero-day attack visited on Chrome in a span of a few hours.

It was a rare event. To date, there are no known reports of a zero-day attack ever hitting Chrome in the wild, and at the previous three years’ contests, Chrome escaped unscathed, even as Internet Explorer, Firefox, and Safari were brought down by exploits that allowed the attackers to take complete control of the machine running the software. The chief reason: Chrome’s security sandbox—which isolates web content inside a highly restricted perimeter that’s separated from the rest of the operating system—makes it harder to write reliable attacks.

“We pwned Chrome to make things clear to everyone,” said Chaouki Bekrar, CEO of Vupen Security, which wielded the Chrome zero-day an hour or so after the contest began on Wednesday. “We wanted to show that even Chrome is not unbreakable.”

A contestant in the second contest, which Google has dubbed “Pwnium,” was also able to bypass the Chrome sandbox so he could execute any code of his choosing on the underlying machine. Sergey Glazunov wasn’t on site to discuss the hack. Google has said only that for him to win the top $60,000 reward, his exploit was required to bypass the sandbox using code native to Chrome.

Bekrar told Ars that his team’s attack exploited what’s known as a use-after-free bug to bypass DEP, or data execution prevention, and ASLR, or address space layout randomization. Both mitigations are designed to prevent hackers from executing malicious code even when they locate vulnerabilities. He said it exploited a second vulnerability that allows code to break out of the sandbox. He declined to detail the vulnerable component, except to say it was found in the “default” installation of the Google browser.

That detail led several observers to speculate that an Adobe Flash plugin was the means Vupen used to access more sensitive parts of the operating system. While Chrome runs the media player add-on in its own sandbox, the perimeter is considerably more porous than it is with other components, security researchers say. Core functionality in Flash, for instance, requires the app be able to control web cams and microphones, access system state, and connect to display monitors and other connected devices.

Now in its sixth year at the CanSecWest security conference in Vancouver, the contest rules this time around have been significantly reworked. In the past, organizer Tipping Point paid as much as $15,000 to the first person who exploited a fully patched version of each targeted software. Competitors on Wednesday scored 32 points for zero-day vulnerabilities, and they received 10 points each for exploiting already patched security flaws.

The new rules require nimbleness on the part of contestants because they learned which six patched flaws were eligible only as the competition got underway. Tipping Point gave them a virtual machine containing only a trigger that caused each browser to crash. It was then up to the hackers to use debuggers, disassemblers and other tools to isolate the cause of the crash and to engineer an exploit that allowed them to remotely execute code.

“It’s really challenging because you don’t only need to show you can create sophisticated exploits but you also have to show that you can create exploits very quickly,” Bekrar said. “Our team creates exploits every day, every year, so for us it was a nice challenge.”

So far, his team has exploited three of the six eligible vulnerabilities. It took 20 minutes to develop an attack for version 8 of IE running on Windows XP, an hour to write one that pwned Safari 5 on OS X Snow Leopard, and two hours for one that compromised Firefox 3 on Windows XP. That left Vupen with 62 points as day one was winding down. A separate contestant that had entered had no points, but it was still possible for members to submit entries until midnight. The contestants will also have a shot at the same vulnerabilities on Thursday and Friday, although the points scored diminish over time.

Vupen plans to exploit the remaining patched vulnerabilities on Thursday. But Bekrar, who said his team spent six months developing multiple zero-days for all four of the eligible browsers, said people shouldn’t be surprised if Vupen drops another one in the coming day.

“I think tomorrow we will go for another browser, just for fun,” he said.

Article source: http://arstechnica.com/business/news/2012/03/google-chromes-winning-streak-fades-at-annual-hacking-contest.ars?utm_source=rss&utm_medium=rss&utm_campaign=rss


08 Mar 12 Pwn2Own 2012: Google Chrome browser sandbox first to fall


VANCOUVER — At last year’s CanSecWest Pwn2Own hacker contest, Google Chrome was the only browser left standing.  This year, Chrome was the first to fall, thanks to an impressive exploit from a team of French hackers.

VUPEN, the controversial company that sells vulnerabilities and exploits to government customers, deliberately took aim at Chrome this year to send a simple message: no software is unbreakable if hackers have enough motivation to prepare and launch an attack.

VUPEN co-founder and head of research Chaouki Bekrar and his team used a pair of zero-day vulnerabilities to take complete control of a fully patched 64-bit Windows 7 (SP1) machine. As part of the new competition format, VUPEN will earn 32 points for the successful Chrome exploit.


In an interview, Bekrar said his team worked for about six weeks to find the vulnerabilities and write the exploits. “We had to use two vulnerabilities. The first one was to bypass DEP and ASLR on Windows and a second one to break out of the Chrome sandbox.”

Bekrar declined to say if any of the exploits targeted third-party code in the browser. “It was a use-after-free vulnerability in the default installation of Chrome,” he said. “Our exploit worked against the default installation so it really doesn’t matter if it’s third-party code anyway.”

Last year, VUPEN released a video to demonstrate a successful sandbox escape against Chrome but Google challenged the validity of that hack, claiming it exploited third-party code, believed to be the Adobe Flash plugin.


At Pwn2Own this year, Bekrar’s team came equipped with zero-day flaws for all four major browsers — Google Chrome, Microsoft Internet Explorer, Apple Safari and Mozilla Firefox — but he said the decision to go after Chrome first was a deliberate tactic.

“We wanted to show that Chrome was not unbreakable. Last year, we saw a lot of headlines that no one could hack Chrome. We wanted to make sure it was the first to fall this year,” he said.

During the hack, Bekrar created a web page booby-trapped with his exploit. Once the target machine visited the page, the exploit ran and opened the Calculator (calc.exe) app outside of the sandbox.

“There was no user interaction, no extra clicks. Visit the site, popped the box.”

VUPEN will sell the rights to one of the zero-day vulnerabilities but the company says it won’t give up the sandbox escape. “We are keeping that private, keeping it for our customers.”

Even as he basked in the glory of defeating the highly touted Chrome sandbox, Bekrar was very complimentary of the work done by Google’s security team to add anti-exploit mechanisms into the browser.

“The Chrome sandbox is the most secure sandbox out there. It’s not an easy task to create a full exploit to bypass all the protections in the sandbox. I can say that Chrome is one of the most secure browsers available.”

“This just shows that any browser, or any software, can be hacked if there is enough motivation and skill,” he added.

Article source: http://www.zdnet.com/blog/security/pwn2own-2012-google-chrome-browser-sandbox-first-to-fall/10588

