Russian works around sandbox to pull off Chrome exploit

Share this article:

A security researcher based in Russia pocketed a cool $60,000 from Google on Wednesday after he submitted a a "full exploit" for a vulnerability in the difficult-to-compromise Chrome browser.

The winning entry was part of the inaugural Pwnium contest, in which Google is offering up to $1 million in prizes for bug hunters who can find a way to defeat its browser's much-vaunted sandbox architecture. The competition occurs at the annual CanSecWest security conference in Vancouver, British Columbia and coincides with the well-known Pwn2Own contest, run by HP TippingPoint.

The only Pwnium victor so far has been Sergey Glazunov, a student who is a longtime contributor to Chromium and a winner of multiple bug bounties from the tech giant. He wrote the winning exploit for a fully patched Windows 7 machine that could be remotely executed if a victim simply visits a compromised website.

Google patched the flaw Thursday and was auto-updating users' browsers with a new version.

"This is exciting; we launched Pwnium this year to encourage the security community to submit exploits for us to help make the web safer," wrote Sundar Pinchai, a Google vice president of products, on his Google+ page. "We look forward to any additional submissions to make Chrome even stronger for our users." 

On Feb. 27, Google announced plans for the new sponsorship program, which awards researchers either $20,000, $40,000 or $60,000, depending on the level of the exploit. The top prize is netted by revealing "Chrome/Win7 (Windows 7) local OS user account persistence using only bugs in Chrome itself," according to a blog post.

A major reason that Google launched the initiative and dropped support for Pwn2Own was so that it could guarantee it would receive details surrounding the exploits. The Pwn2Own contest, which awards participants who demonstrate exploits in the major web browsers, doesn't require researchers submit "sandbox escape" information to affected vendors.

A five-man team from France-based Vupen Security, which sells vulnerabilities to government customers, dominated the first day of Pwn2Own, discovering a zero-day bug in Chrome, and writing exploits for previously known vulnerabilities in Microsoft Internet Explorer, Apple Safari and Mozilla Firefox.

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

More in News

Researchers observe more than a hundred connections to 'Backoff' sinkhole

Researchers with Kaspersky Lab were able to sinkhole two command-and-control servers used by certain Backoff point-of-sale malware samples.

Judge lifts stay but Microsoft won't hand over emails during appeal

A judge has lifted a suspension of a previous order compelling Microsoft to hand over customer emails stored on a server in Ireland.

Home Depot investigates possible payment card breach

Home Depot investigates possible payment card breach

Home Depot said on Tuesday that it is working with its banking partners and law enforcement to investigate a possible data breach.