Russian works around sandbox to pull off Chrome exploit
A security researcher based in Russia pocketed a cool $60,000 from Google on Wednesday after he submitted a a "full exploit" for a vulnerability in the difficult-to-compromise Chrome browser.
The winning entry was part of the inaugural Pwnium contest, in which Google is offering up to $1 million in prizes for bug hunters who can find a way to defeat its browser's much-vaunted sandbox architecture. The competition occurs at the annual CanSecWest security conference in Vancouver, British Columbia and coincides with the well-known Pwn2Own contest, run by HP TippingPoint.
The only Pwnium victor so far has been Sergey Glazunov, a student who is a longtime contributor to Chromium and a winner of multiple bug bounties from the tech giant. He wrote the winning exploit for a fully patched Windows 7 machine that could be remotely executed if a victim simply visits a compromised website.
Google patched the flaw Thursday and was auto-updating users' browsers with a new version.
"This is exciting; we launched Pwnium this year to encourage the security community to submit exploits for us to help make the web safer," wrote Sundar Pinchai, a Google vice president of products, on his Google+ page. "We look forward to any additional submissions to make Chrome even stronger for our users."
On Feb. 27, Google announced plans for the new sponsorship program, which awards researchers either $20,000, $40,000 or $60,000, depending on the level of the exploit. The top prize is netted by revealing "Chrome/Win7 (Windows 7) local OS user account persistence using only bugs in Chrome itself," according to a blog post.
A major reason that Google launched the initiative and dropped support for Pwn2Own was so that it could guarantee it would receive details surrounding the exploits. The Pwn2Own contest, which awards participants who demonstrate exploits in the major web browsers, doesn't require researchers submit "sandbox escape" information to affected vendors.
A five-man team from France-based Vupen Security, which sells vulnerabilities to government customers, dominated the first day of Pwn2Own, discovering a zero-day bug in Chrome, and writing exploits for previously known vulnerabilities in Microsoft Internet Explorer, Apple Safari and Mozilla Firefox.