Security contests prove to be useful.
Just as some might have thought that Google’s Chrome sandboxing feature was bulletproof, Sergey Glazunov, a security researcher who has found quite a few vulnerabilities in the past, has enriched his life with a $60k reward, received for a “Full Chrome” exploit that bypassed the sandbox feature. Although Google Chrome was previously known to withstand various attacks in Pwn2Own and similar contests, this time it was the first to fail.
Justin Schuh, a member of Chrome’s security team, said, “It was an impressive exploit. It required a deep understanding of how Chrome works. This is not a trivial thing to do. It’s very difficult and that’s why we’re paying $60,000.”
The second exploit, which took about 6 weeks to write and test, was executed by a team from VuPen Security. According to Chaouki Bekrar, the co-founder of VuPen Security, they wanted to demonstrate that Chrome is not as unbreakable as some might have thought.
While details about the exploits were not revealed, he said, “We had to use two vulnerabilities. The first one was to bypass DEP and ASLR on Windows and a second one to break out of the Chrome sandbox. It was a use-after-free vulnerability in the default installation of Chrome [which] worked against the default installation so it really doesn’t matter if it’s third-party code anyway.”
About a week ago, Google started a unique charity project that converts open Google Chrome user tabs into various goods:
10 tabs = 1 tree planted
10 tabs = 1 book published and donated
25 tabs = 1 vaccination treatment provided
100 tabs = 1 square foot of shelter built
200 tabs = 1 person’s clean water for a year
Today, it was revealed that 60,599,541 tabs were raised for charity ($1 million) and will be used to:
Plant trees ($245,278)
Provide clean water ($232,791)
Build shelters ($112,078)
Administer vaccinations ($267,336)
Publish books by local writers and illustrators ($142,518).