All about Google Chrome & Google Chrome OS

24 May 12: Pwnium Chrome hackers exploited 16 zero-day vulnerabilities


Google Chrome hackers used a total of 16 zero-day vulnerabilities to crack the browser at the inaugural “Pwnium” hacking contest and win $120,000.

The number of bugs the two researchers used – six in one case, “roughly” 10 in the other – was dramatically more than the average attack. The Stuxnet worm of 2010, called “groundbreaking” by some analysts, used just four bugs, only three of them previously unknown “zero-day” vulnerabilities.

Google detailed only the half-dozen deployed by the researcher known as “Pinkie Pie” in a post to the Chromium blog yesterday. Details of the 10 used by Sergey Glazunov will not be disclosed until they are patched in other programs they afflict, said Jorge Lucangeli Obes and Justin Schuh, two Chrome security engineers.

Pinkie Pie and Glazunov were the only prize winners at Pwnium, the March contest Google created after it withdrew from the long-running “Pwn2Own” hacking challenge. Google had pledged to pay up to $1 million, but ended up handing out just $120,000 – $60,000 to each of the men.

In previous Pwn2Own contests, Chrome had escaped not only unscathed, but also untested by top-flight security researchers.

Pinkie Pie strung together six vulnerabilities on March 9 to successfully break out of the Chrome “sandbox,” an anti-exploit technology that isolates the browser from the rest of the system.

The vulnerabilities let him exploit Chrome’s pre-rendering, where the browser loads potential pages before a user views them; access the GPU (graphics processing unit) command buffers; write eight bytes of code to a predictable memory address; execute additional code in the GPU; and escape the browser’s sandbox.

At the time of Pwnium, one Google program manager called Pinkie Pie’s exploits “works of art.”

Google patched Pinkie Pie’s bugs within 24 hours of his demonstration. Since then, the company has revealed technical details in its Chromium bug database of five of the six vulnerabilities.

Glazunov’s exploits relied on approximately 10 vulnerabilities – they, too, were patched within 24 hours – but Google is keeping information on those secret for now.

“While these issues are already fixed in Chrome, some of them impact a much broader array of products from a range of companies,” said Obes and Schuh. “We won’t be posting that part until we’re comfortable that all affected products have had an adequate time to push fixes to their users.”

Chrome, currently at version 19, had an estimated 18.9% of the browser usage market in April, according to metrics firm Net Applications. Rival StatCounter, however, pegged Chrome’s share for the month at 31.2%.

Article source: http://rss.feedsportal.com/c/270/f/470440/s/1fa9a773/l/0Lnews0Btechworld0N0Csecurity0C33597220Cpwnium0Echrome0Ehackers0Eexploited0E160Ezero0Eday0Evulnerabilities0C0Dolo0Frss/story01.htm


23 May 12: Pwnium hacking contest winners exploited 16 Chrome zero-days


Computerworld -

Google yesterday revealed that the two researchers who cracked Chrome in March at the company’s inaugural “Pwnium” hacking contest used a total of 16 zero-day vulnerabilities to win $60,000 each.

The number of bugs each researcher used — six in one case, “roughly” 10 in the other — was dramatically more than the average attack. The Stuxnet worm of 2010, called “groundbreaking” by some analysts, used just four bugs, only three of them previously unknown “zero-day” vulnerabilities.

Google detailed only the half-dozen deployed by the researcher known as “Pinkie Pie” in a post to the Chromium blog yesterday. Details of the 10 used by Sergey Glazunov will not be disclosed until they are patched in other programs they afflict, said Jorge Lucangeli Obes and Justin Schuh, two Chrome security engineers, in the blog.

Pinkie Pie and Glazunov were the only prize winners at Pwnium, the March contest Google created after it withdrew from the long-running “Pwn2Own” hacking challenge. Google had pledged to pay up to $1 million, but ended up handing out just $120,000 — $60,000 to each of the men.

In previous Pwn2Own contests, Chrome had escaped not only unscathed, but also untested by top-flight security researchers.

Pinkie Pie strung together six vulnerabilities on March 9 to successfully break out of the Chrome “sandbox,” an anti-exploit technology that isolates the browser from the rest of the system.

The vulnerabilities let him exploit Chrome’s pre-rendering, where the browser loads potential pages before a user views them; access the GPU (graphics processing unit) command buffers; write eight bytes of code to a predictable memory address; execute additional code in the GPU; and escape the browser’s sandbox.

At the time of Pwnium, one Google program manager called Pinkie Pie’s exploits “works of art.”

Google patched Pinkie Pie’s bugs within 24 hours of his demonstration. Since then, the company has revealed technical details in its Chromium bug database of five of the six vulnerabilities.

Glazunov’s exploits relied on approximately 10 vulnerabilities — they, too, were patched within 24 hours — but Google is keeping information on those secret for now.

“While these issues are already fixed in Chrome, some of them impact a much broader array of products from a range of companies,” said Obes and Schuh. “We won’t be posting that part until we’re comfortable that all affected products have had an adequate time to push fixes to their users.”

Chrome, currently at version 19, had an estimated 18.9% of the browser usage market in April, according to metrics firm Net Applications. Rival StatCounter, however, pegged Chrome’s share for the month at 31.2%.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg’s RSS feed. His email address is gkeizer@computerworld.com.


Article source: http://www.computerworld.com/s/article/9227404/Pwnium_hacking_contest_winners_exploited_16_Chrome_zero_days?source=rss_keyword_edpicks


14 Mar 12: Google sets trap for Flash exploiters, crashes Chrome for users


Last month, Google patched a critical Flash-based vulnerability which could allow hackers to circumvent Chrome’s often trumpeted sandbox security feature. The update capped the maximum number of Flash JIT (just-in-time) pages at a level that would exclude foreseeable exploits. After the update rolled out on February 23, though, some Adobe Flash applications began inexplicably crashing with “0xABAD1DEA”. Yep, that’s “a bad idea” spelled with hexadecimal values.

Thanks to Justin Schuh, a Google software engineer, we know that he was responsible for adding the 0xABAD1DEA breadcrumb, a humorous error code intended to mock would-be hackers for exploiting the newly patched Flash vulnerability. The message may also have been intended for a particular group of security researchers, but more on that later.

What makes this more interesting than just another “patch gone wrong” story though, is the timing, history and intent of the update. With Pwnium and Pwn2Own just around the corner — contests which award prizes to resourceful hackers who defeat security measures in software like Chrome — the timing was indeed right.

Last May, a French security firm named Vupen found a way to beat Chrome’s sandbox. After some mild (and possibly deserved) video gloating, Google dismissed the technique as a mere technicality since the exploit targeted Chrome’s integrated Flash module and not the browser itself. Vupen believed Google’s counterargument was irrelevant, however, because Flash is bundled with the default installation of Chrome. Essentially, to end users, compromising Chrome through Flash is no different than doing it directly.

Fast forward to just last week and Chrome made headlines once again. As it turns out, two separate hacking teams finally defeated Chrome’s revered sandbox at both Pwnium and Pwn2Own. It’s thought that the Pwn2Own hackers used a Flash-based vulnerability and, interestingly enough, the Pwn2Own contestants were none other than Vupen’s own exploit team — possibly using the same Flash exploit demonstrated last year.

The update Google released a couple of weeks ago was intended to address a Flash-based vulnerability, however, so what happened?

Although the method used at Pwnium was revealed and patched by Google the following day, the exploit used by Vupen at Pwn2Own remains at large and mysterious. According to ZDNet, Vupen actually sells these types of hacks exclusively to government bidders.

Regardless of how Vupen did it, they managed to bypass Google’s clever trap. Unfortunately, that very same trap inadvertently crashed Chrome for some legitimate users.

Article source: http://www.techspot.com/news/47759-google-sets-trap-for-flash-exploiters-crashes-chrome-for-users.html


13 Mar 12: Google's Trap for Chrome Exploit Writers Leads to Crashes for Users


A limitation built recently into Google Chrome to detect and block Flash Player exploits ended up breaking certain Flash-based applications and games for some users.

Suspecting that someone would try to hack Chrome via a Flash exploit at this year’s Pwn2Own contest, the browser’s developers decided to restrict the maximum allowed size of Flash JIT (just-in-time) pages to a value that such exploits would likely exceed.

The restriction was written in such a way that when the new limit was reached, the browser would throw an “access violation” exception that referenced memory address “0xABAD1DEA,” a hexadecimal value spelling out “a bad idea.”

According to Chrome’s development tracker, the limit was introduced on February 23 and was first tested out in the browser’s Canary (nightly build) version. The limit was later tweaked because of a considerable number of crash reports and landed in Chrome stable version 17.0.963.66 on March 6.

Some of the Pwn2Own contestants did stumble over the Flash JIT page restriction. Nicolas Joly, a member of the VUPEN Security team, which eventually won the hacking contest, said on Twitter that he encountered 0xABAD1DEA exceptions during his tests.

Google Chrome security engineer Justin Schuh revealed that he was the one who put it there in order to detect Flash exploits. “0xABAD1DEA was a breadcrumb I added that’s unique to Flash,” he said on Twitter.

Schuh later clarified that it wasn’t just a trap, but also a mitigation, although he admitted that it was a weak one. The VUPEN Team eventually managed to work their way around the restriction and hacked Chrome during the contest.

However, Google’s half-mitigation, half-trap code caused more problems than it solved, because it ended up interfering with the normal operation of some legitimate Flash-based applications and games, like Sims Social, Audiotool and Paychex Online.

According to reports on the Google Chrome support forum, users started experiencing Flash Player crashes referencing 0xABAD1DEA after they upgraded to Chrome version 17.0.963.66.

Changes aimed at addressing the problem were made in Chrome version 17.0.963.79, which was released on Saturday, a Google employee said in response to the reports. However, some users still experienced 0xABAD1DEA-related crashes after upgrading to it.
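The mechanism the two articles describe, a hard cap on Flash JIT pages that fails with a recognisable marker address, modelled in an added example that is not Chrome's, Adobe's or Google's code. The allocator bookkeeping, the function names and the page counts are all constructed for illustration (the articles give no cap value); the model treats the cap as a count of pages and records the sentinel 0xABAD1DEA instead of raising a real access violation, so the decision can be observed and tested. The two caps side by side show the failure mode reported for 17.0.963.66: a cap set below what legitimate Flash applications need trips for them exactly as it would for an exploit's executable-page spray, and the later loosening in 17.0.963.79 is the "relaxed cap" case. The triage helper shows how a crash-report line carrying the sentinel can be separated from unrelated Flash crashes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The address the articles say the access violation referenced. Here it is
 * only recorded as a marker, never dereferenced. */
#define JIT_CAP_SENTINEL 0xABAD1DEAu

/* Hypothetical per-plugin allocator bookkeeping (constructed; not Chrome's). */
typedef struct {
    size_t   page_cap;       /* hard limit on concurrently mapped JIT pages */
    size_t   pages_in_use;
    size_t   cap_hits;       /* how many requests were refused */
    uint32_t fault_address;  /* 0 until the cap trips, then the sentinel */
} jit_state;

void jit_init(jit_state *s, size_t page_cap) {
    s->page_cap = page_cap;
    s->pages_in_use = 0;
    s->cap_hits = 0;
    s->fault_address = 0;
}

/* Grant one executable page or refuse it. Chrome faulted at the sentinel;
 * this model records the address and returns false instead. */
bool jit_alloc_page(jit_state *s) {
    if (s->pages_in_use >= s->page_cap) {
        s->cap_hits++;
        s->fault_address = JIT_CAP_SENTINEL;
        return false;
    }
    s->pages_in_use++;
    return true;
}

/* Request `wanted` pages in a row; returns how many were granted before the
 * cap (if any) refused one. */
size_t request_pages(jit_state *s, size_t wanted) {
    size_t granted = 0;
    for (size_t i = 0; i < wanted; i++) {
        if (!jit_alloc_page(s)) break;
        granted++;
    }
    return granted;
}

/* Convenience wrappers: run one workload against a fresh allocator. */
size_t pages_granted(size_t cap, size_t wanted) {
    jit_state s;
    jit_init(&s, cap);
    return request_pages(&s, wanted);
}

uint32_t fault_after(size_t cap, size_t wanted) {
    jit_state s;
    jit_init(&s, cap);
    request_pages(&s, wanted);
    return s.fault_address;
}

/* Triage helper: does a crash-report line carry the cap's marker? Any other
 * Flash crash lacks it and should be investigated as an ordinary bug. */
bool crash_line_is_cap_trip(const char *line) {
    return strstr(line, "0xABAD1DEA") != NULL || strstr(line, "0xabad1dea") != NULL;
}

int main(void) {
    /* Constructed workloads: a legitimate Flash game compiling a modest amount
     * of code, and an exploit-style request that maps far more executable
     * pages. The numbers are illustrative only. */
    const size_t legit_pages = 300, spray_pages = 5000;
    const size_t tight_cap = 256, relaxed_cap = 1024;

    printf("tight cap %zu: legitimate app granted %zu/%zu pages, fault 0x%08X\n",
           tight_cap, pages_granted(tight_cap, legit_pages), legit_pages,
           (unsigned)fault_after(tight_cap, legit_pages));   /* false positive */
    printf("relaxed cap %zu: legitimate app granted %zu/%zu pages, fault 0x%08X\n",
           relaxed_cap, pages_granted(relaxed_cap, legit_pages), legit_pages,
           (unsigned)fault_after(relaxed_cap, legit_pages));
    printf("relaxed cap %zu: spray granted %zu/%zu pages, fault 0x%08X\n",
           relaxed_cap, pages_granted(relaxed_cap, spray_pages), spray_pages,
           (unsigned)fault_after(relaxed_cap, spray_pages)); /* still caught */

    /* Constructed crash-report line in the style users reported. */
    const char *line = "Flash plugin crashed: access violation reading 0xABAD1DEA";
    printf("crash line is a cap trip: %s\n", crash_line_is_cap_trip(line) ? "yes" : "no");
    return 0;
}
```

The point of the sentinel is cheap attribution: when the cap fires in the field, the address in the crash report says so without any further debugging. The point of the two caps is that the same cap is a mitigation only while it sits above what real workloads need, which is the line Google had to find by adjusting it after the crash reports came in.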

Article source: http://www.pcworld.com/businesscenter/article/251669/googles_trap_for_chrome_exploit_writers_leads_to_crashes_for_users.html


12 Mar 12: Google’s Trap for Chrome Exploit Writers Leads to Crashes for Users

Article source: http://www.pcworld.com/article/251669/googles_trap_for_chrome_exploit_writers_leads_to_crashes_for_users.html

08 Mar 12: With $1 Million On The Line, Chrome Finally Cracked In Hacking Competition


It took four years and possibly the biggest reward a software company has ever offered for information about its own security flaws, but Google finally found what it was looking for: A few hackers willing and able to dismantle its browser in public.

In the first day of Google’s Pwnium competition at the CanSecWest security conference in Vancouver, Sergey Glazunov, a Russian university student, successfully hacked a PC running Google’s Chrome browser to claim a $60,000 prize. According to ZDNet, Glazunov’s exploit used a previously undiscovered vulnerability specific to Chrome to bypass the browser’s “sandbox” restriction, which is designed to prevent a hacker who compromises the browser from accessing the rest of a user’s machine. Google security team member Justin Schuh confirmed the hack on Twitter.

In the simultaneous Pwn2Own contest run by Hewlett Packard’s Zero Day Initiative, a team of security researchers from the security firm VUPEN also took down Chrome in the first five minutes of that competition. The team has said that it has new exploits it plans to demonstrate on Internet Explorer, Safari, and Firefox, too.

This marks the first year that Google’s browser has been exploited in a public hacking competition, despite appearing for the three previous years as a target in the Pwn2Own competition. But Google has been progressively raising the stakes. Last year, it co-sponsored the Pwn2Own competition and offered an extra $20,000 bonus for anyone who could hack its browser, a prize that went unclaimed. This year it split off from the HP-sponsored competition to host Pwnium, which is offering up to a million dollars in prizes for exploits that affect Chrome.

Chrome’s defeat in the Vancouver hacking competitions may seem like a loss for Google’s marketing execs, who can no longer tout the browser’s record of withstanding the competitions’ hackers year after year. But Google’s security team has argued that it participates in the competitions not to show off Chrome’s infallibility, but rather to find and excise the program’s bugs in a safe setting.

Any hacker claiming a prize in its competition is required to divulge all the details of his or her exploit to Google so that the bugs it takes advantage of can be patched. “Not only can we fix the bugs, but by studying the vulnerability and exploit techniques we can enhance our mitigations, automated testing, and sandboxing,” Chrome security engineers Chris Evans and Justin Schuh wrote in their blog post announcing Pwnium last month. “This enables us to better protect our users.”

The ongoing results for the Pwnium competition can be tracked here.

Article source: http://www.forbes.com/sites/andygreenberg/2012/03/07/with-1-million-on-the-line-chrome-finally-cracked-in-hacking-competition/?feed=rss_home
