Russian works around sandbox to pull off Chrome exploit

A security researcher based in Russia pocketed a cool $60,000 from Google on Wednesday after he submitted a "full exploit" for a vulnerability in the difficult-to-compromise Chrome browser.

The winning entry was part of the inaugural Pwnium contest, in which Google is offering up to $1 million in prizes for bug hunters who can find a way to defeat its browser's much-vaunted sandbox architecture. The competition occurs at the annual CanSecWest security conference in Vancouver, British Columbia, and coincides with the well-known Pwn2Own contest, run by HP TippingPoint.

The only Pwnium victor so far has been Sergey Glazunov, a student who is a longtime contributor to Chromium and a winner of multiple bug bounties from the tech giant. He wrote the winning exploit for a fully patched Windows 7 machine; it could be remotely executed if a victim simply visited a compromised website.

Google patched the flaw Thursday and was auto-updating users' browsers with a new version.

"This is exciting; we launched Pwnium this year to encourage the security community to submit exploits for us to help make the web safer," wrote Sundar Pichai, a Google vice president of products, on his Google+ page. "We look forward to any additional submissions to make Chrome even stronger for our users."

On Feb. 27, Google announced plans for the new sponsorship program, which awards researchers either $20,000, $40,000 or $60,000, depending on the level of the exploit. The top prize is netted by revealing "Chrome/Win7 (Windows 7) local OS user account persistence using only bugs in Chrome itself," according to a blog post.

A major reason that Google launched the initiative and dropped support for Pwn2Own was so that it could guarantee it would receive details surrounding the exploits. The Pwn2Own contest, which awards participants who demonstrate exploits in the major web browsers, doesn't require researchers to submit "sandbox escape" information to affected vendors.

A five-man team from France-based Vupen Security, which sells vulnerabilities to government customers, dominated the first day of Pwn2Own, discovering a zero-day bug in Chrome, and writing exploits for previously known vulnerabilities in Microsoft Internet Explorer, Apple Safari and Mozilla Firefox.
