Google Pays Out As Two Zero-Day Exploits Found In Chrome

Google’s browser exploited twice in hacking contests at CanSecWest conference

Google Chrome has become the focus of attention at this year’s CanSecWest conference in Vancouver as security experts uncovered two separate exploits on the previously invincible browser.

In the Hewlett Packard-sponsored Pwn2Own competition it took only five minutes for a team from French security firm Vupen to successfully exploit the browser.

Complete pwnage

“We pwned Chrome to make things clear to everyone,” Chaouki Bekrar, CEO of Vupen, told Ars Technica. “We wanted to show that even Chrome is not unbreakable.”

The French team used a ‘use-after-free’ bug to bypass Chrome’s data execution prevention (DEP) and address space layout randomisation (ASLR), protections which would normally stop malicious code. Chrome’s sandbox was also bypassed, completing the exploit.

Based on a new scoring system adopted for the contest, the Vupen team scored 32 points for their Chrome zero-day exploit and 30 more for separate exploits on Safari, Firefox and Internet Explorer. For their Chrome achievement HP awarded them $20,000 (£12,600).

The first successful entry to the Pwnium challenge, the parallel Chrome-specific contest set up by Google, came from regular exploit bounty-hunter Sergey Glazunov. As the exploit only used Chrome bugs, he claimed the top prize of $60,000 (£37,800).

Google is currently offering a total of $1 million (£630,000) in tiered prizes for any partial or complete exploits of its browser. Announced in February, the Pwnium competition was spun off from Pwn2Own as the latter did not require contestants to disclose all details about exploits – information Google wanted in order to improve Chrome’s security.

Google had hoped that its high bounties would encourage hackers and experts to focus on Chrome. Last year the search giant offered $20,000 on top of Pwn2Own’s $15,000 (£9,460) but saw no takers due to the difficulty of breaking out of the browser’s security sandbox. Glazunov’s accomplishment shows that the new incentive has worked.

“This is exciting; we launched Pwnium this year to encourage the security community to submit exploits for us to help make the web safer,” Google’s Sundar Pichai said about the first $60,000 bounty pay-out. “We look forward to any additional submissions to make Chrome even stronger for our users.”
