All about Google Chrome & Google Chrome OS

12 Mar 12 Google patches Chrome vulnerability following Pwnium hack


Google has patched a critical Chrome vulnerability disclosed last week at the CanSecWest security conference in Vancouver that can be exploited to escape from a browser’s secure sandbox.

Russian security researcher Sergey Glazunov demonstrated a remote code-execution (RCE) exploit against a fully patched version of Chrome on Windows 7 as part of Google’s Pwnium contest held at the conference.

Glazunov’s exploit leveraged two Chrome vulnerabilities – one that allows the execution of arbitrary code and one that bypasses the browser’s much-touted security sandbox, which normally restricts such exploits.

Remote code-execution vulnerabilities, while very serious, are relatively common in all software products. Sandbox-escape vulnerabilities, however, are extremely rare and, according to TippingPoint, which runs the separate Pwn2Own contest at CanSecWest, are worth much more than the $60,000 Glazunov earned from Google for reporting his.

Both vulnerabilities leveraged by Glazunov’s exploit were fixed in Google Chrome 17.0.963.78, which was released on March 8.

“We had the first successful exploit at Pwnium, and today we’ve already rolling out an update to protect our users,” said Sundar Pichai, Google’s senior vice president for Chrome, on his Google+ account. “The team took less than 24 hours from initial report to verification to fix development to getting a fix out.”

Because of Chrome’s auto-update feature, users just need to restart their browsers in order to deploy the security fix. Organisations can deploy the important update by using the Google Update for enterprise policy.

Glazunov’s was not the only Chrome sandbox-escape exploit demoed at CanSecWest. A team of researchers from French security vendor VUPEN presented a similar attack as part of TippingPoint’s Pwn2Own contest.

However, the Pwn2Own rules don’t require researchers to disclose sandbox-escape vulnerabilities to vendors, primarily because the prize money wouldn’t justify their disclosure. This means that there is still one highly critical Chrome vulnerability out there that remains unpatched.

The Chrome security team suspects that it’s located in the Flash Player plug-in bundled with the browser by default and not in Chrome’s own code. There is no confirmation from VUPEN regarding this theory, but if true, the task of patching the vulnerability would fall to Adobe Systems.

Article source: http://rss.feedsportal.com/c/270/f/470440/s/1d5ac28c/l/0Lnews0Btechworld0N0Csecurity0C33436790Cgoogle0Epatches0Echrome0Evulnerability0Efollowing0Epwnium0Ehack0C0Dolo0Frss/story01.htm


10 Mar 12 Google Patches Rare Critical Vulnerability in Chrome


Google has patched a critical Chrome vulnerability disclosed Wednesday at the CanSecWest security conference in Vancouver that can be exploited to escape from a browser’s secure sandbox.

Russian security researcher Sergey Glazunov demonstrated a remote code-execution (RCE) exploit against a fully patched version of Chrome on Windows 7 as part of Google’s Pwnium contest held at the conference.

Glazunov’s exploit leveraged two Chrome vulnerabilities — one that allows the execution of arbitrary code and one that bypasses the browser’s much-touted security sandbox, which normally restricts such exploits.

Remote code-execution vulnerabilities, while very serious, are relatively common in all software products. Sandbox-escape vulnerabilities, however, are extremely rare and, according to TippingPoint, which runs the separate Pwn2Own contest at CanSecWest, are worth much more than the US$60,000 Glazunov earned from Google for reporting his.

Both vulnerabilities leveraged by Glazunov’s exploit were fixed in Google Chrome 17.0.963.78, which was released on Thursday.

“We had the first successful exploit at Pwnium yesterday, and today we’ve already rolling out an update to protect our users,” said Sundar Pichai, Google’s senior vice president for Chrome, on Thursday via his Google+ account. “The team took less than 24 hours from initial report to verification to fix development to getting a fix out.”

Because of Chrome’s auto-update feature, users just need to restart their browsers in order to deploy the security fix. Organizations can deploy the important update by using the Google Update for enterprise policy.

Glazunov’s was not the only Chrome sandbox-escape exploit demoed at CanSecWest. A team of researchers from French security vendor VUPEN presented a similar attack as part of TippingPoint’s Pwn2Own contest.

However, the Pwn2Own rules don’t require researchers to disclose sandbox-escape vulnerabilities to vendors, primarily because the prize money wouldn’t justify their disclosure. This means that there is still one highly critical Chrome vulnerability out there that remains unpatched.

The Chrome security team suspects that it’s located in the Flash Player plug-in bundled with the browser by default and not in Chrome’s own code. There is no confirmation from VUPEN regarding this theory, but if true, the task of patching the vulnerability would fall to Adobe Systems.

Article source: http://www.pcworld.com/article/251566/google_patches_rare_critical_vulnerability_in_chrome.html


09 Mar 12 Chrome hacker wins $60,000 for finding 'full' exploit


The winner, Sergey Glazunov, was the first to submit an entry in Google’s Pwnium competition to find security exploits in Chrome.

Less than two weeks after Google launched Pwnium, a competition for hackers to find security exploits in Chrome, the search giant has announced its first winner.

Google’s Sundar Pichai announced on his Google+ page yesterday that Chromium contributor Sergey Glazunov submitted the first successful entry to the Pwnium contest, revealing a “Full Chrome Exploit” that bypassed the browser’s sandboxing security. The exploit makes it possible for a malicious hacker to do just about anything they want on an infected machine.

In an interview published yesterday by CNET sister site ZDNet, Justin Schuh of the Chrome security team said that Glazunov was able to execute “code with full permission of the logged-on user.” Schuh called the feat “impressive,” and said that it deserved the $60,000 bounty.

Glazunov is the first person to win cash from Google’s Pwnium competition. The company launched the contest in late February with promises of awarding up to $1 million to those who can find security holes in Chrome. The highest $60,000 prize is given only to those who can obtain “Chrome/Windows 7 local OS user account persistence using only bugs in Chrome itself.” A $40,000 prize will be awarded to individuals who can target Chrome with one of its own bugs, plus others found in the operating system. Google’s $20,000 award is given to those who can find issues without using bugs in Chrome.

“We require each set of exploit bugs to be reliable, fully functional end to end, disjoint, of critical impact, present in the latest versions and genuinely ‘0-day,’ i.e. not known to us or previously shared with third parties,” Google wrote in its blog announcing the contest. “Contestant’s exploits must be submitted to and judged by Google before being submitted anywhere else.”

Now that Glazunov’s discovery has been verified, Google is “working fast on a fix,” Pichai wrote on his Google+ page. The company says that it’ll push the fix out in an auto-update.

“This is exciting; we launched Pwnium this year to encourage the security community to submit exploits for us to help make the web safer,” Pichai wrote. “We look forward to any additional submissions to make Chrome even stronger for our users.”

Article source: http://news.cnet.com/8301-13506_3-57393337-17/chrome-hacker-wins-$60000-for-finding-full-exploit/?part=rss&subj=software&tag=title
