After managing to remain unscathed for four consecutive years, Google Chrome has finally been breached, and Google is rewarding the hacker with $60,000. Google Chrome’s security features were bypassed successfully by hackers in both Pwn2Own and Pwnium.
Pwn2Own is an annual hacking fest sponsored by HP, which challenges hackers to breach fully patched web browsers and operating systems. Google Chrome was the only browser that couldn’t be hacked for the past four years. This year, it was the first to fall. A team from the French security firm VUPEN, led by its co-founder and head of research Chaouki Bekrar, managed to take complete control of a fully patched 64-bit Windows 7 (SP1) machine within five minutes by using two zero-day exploits. VUPEN also claims to have zero-day exploits for Internet Explorer, Firefox, and Safari.
This year, Google is also running its own competition called Pwnium, which has a total bounty of $1 million. Google decided against sponsoring Pwn2Own, since its new rules don’t compel hackers to responsibly disclose vulnerabilities to the software developer. VUPEN itself intends to sell the exploits to its clients. Sergey Glazunov, a Russian university student, managed to bypass Google Chrome’s sandbox feature in Pwnium.
The breaches mean that Google will no longer be able to tout its clean record. However, Chrome developers aren’t mourning. While announcing the contest, Chris Evans and Justin Schuh from Chrome’s security team had explained that they have a big learning opportunity when they receive full end-to-end exploits. “Not only can we fix the bugs, but by studying the vulnerability and exploit techniques we can enhance our mitigations, automated testing, and sandboxing”.
The keyword here is “up to”.
In the contest, called Pwnium, attendees will be asked to exploit the Google Chrome web browser and, in return, will be rewarded as follows:
$60,000 – “Full Chrome exploit”
$40,000 – “Partial Chrome exploit”
$20,000 – “Consolation reward, Flash / Windows / other”
So where does this $1 million reward come from? Well, Google will be giving away money not to the first two or three hackers, but to pretty much everyone who manages to compromise its web browser’s security.
As simple as that.
Pwn2Own, the annual three-day browser hackathon, has already claimed its first two victims: IE8 on Windows 7 64-bit, and Safari 5 on Mac OS X. Google Chrome looks set to survive for its third year in a row.
Internet Explorer 8 was thoroughly destroyed by independent researcher Stephen Fewer. "He used three vulnerabilities to bypass ASLR and DEP, but also escape Protected Mode. That's something we've not seen at Pwn2Own before," said Aaron Portnoy, the organizer of Pwn2Own.
Safari 5, running on a MacBook Air, was compromised in just five seconds by French security company Vupen. Both attackers netted $15,000 for successfully compromising a browser.
The contest continues today and tomorrow. Firefox 3.6 is yet to be attacked, and tomorrow will see the very first mobile browser deathmatch. Windows Phone 7, iOS, Android and RIM OS, all with their stock browsers, will be attacked by security researchers to find out just how secure mobile browsing is. Again, $15,000 is available for the first person or team to compromise each of the browsers.
Google, Apple and Mozilla, incidentally, all rolled out updates to their browsers just before Pwn2Own. It was not a coincidence.
Google isn't just bringing the Chrome browser to Pwn2Own 2011 -- this time, it's also bringing its own hardware. The Cr-48 Chrome OS laptop will be on hand for the browser exploiting hullabaloo, and Google is offering $20,000 and a Cr-48 notebook for a successful exploit. According to the event's organizer, the attacker will also need to escape Chrome's sandbox. At last year's event, prominent researcher Charlie Miller said that's no easy task, so we're very curious to see whether someone will succeed this time around.
Offering cash for exposing vulnerabilities isn't anything new for Google, of course. The Big G just paid one developer $7,500 for finding a trio of vulnerabilities in Chrome back in January.