Slashdot Mirror


Chrome Hacked In 5 Minutes At Pwn2Own

Skuto writes "After offering a total prize fund of up to $1M for a successful Chrome hack, it seems Google got what it wanted (or not!). No more than 5 minutes into the Pwn2Own cracking contest team Vupen exploited 2 Chrome bugs to demonstrate a total break of Google's browser. They will win at least 60k USD out of Google's prize fund, as well as taking a strong option on winning the overall Pwn2Own prize. It also illustrates that Chrome's much lauded sandboxing is not a silver bullet for browser security."

169 comments

  1. Obviously they were just waiting to start by msobkow · · Score: 5, Interesting

    I think it's pretty clear they had their exploits worked out and ready to go for some time, and were just waiting for the contest to start to unleash them.

    Still, kudos on what has to be almost world-record-time penetration of a "secure" system.

    --
    I do not fail; I succeed at finding out what does not work.
    1. Re:Obviously they were just waiting to start by SpanglerIsAGod · · Score: 5, Informative

      I think that's how most of the successful hacks have been going in this contest. Someone finds a few vulnerabilities, hoards them until the contest, and then goes public with them.

      I'm not sure that I like that, but I guess it gets some vulnerabilities fixed.

      --
      War doesn't show who is right - just who is left.
    2. Re:Obviously they were just waiting to start by Anonymous Coward · · Score: 5, Insightful

      I think all of the Pwn2Own exploits are discovered beforehand and then shown at this event. They could report it and get sued... or they could hold on to it, hope it's not patched out or publicized and grab money and swag.

    3. Re:Obviously they were just waiting to start by Anonymous Coward · · Score: 3, Insightful

      Every major sports team comes into the contest with a scouting report and a plan to win.

      These guys did their scouting and executed their plan.

      Well done!

    4. Re:Obviously they were just waiting to start by 93+Escort+Wagon · · Score: 5, Insightful

      I think it's pretty clear they had their exploits worked out and ready to go for some time, and were just waiting for the contest to start to unleash them.

      I think it's pretty clear this has always been the case in these pwn2own contests, whether the browser is Safari, Internet Explorer, or Chrome. This latest crack just makes it a little more obvious that it's a question of motivation more than anything else - and money is a powerful motivator, probably more so than notoriety (in sufficient quantities, anyway).

      --
      #DeleteChrome
    5. Re:Obviously they were just waiting to start by Anonymous Coward · · Score: 2, Insightful

      It's pretty obvious how the tone of the first handful of up modded posts differs from when IE or Safari are first down.

    6. Re:Obviously they were just waiting to start by Anonymous Coward · · Score: 5, Funny

      That's because when other browsers are cracked first it shows they are insecure, while when it's Chrome it is only an experimental error.

    7. Re:Obviously they were just waiting to start by Anonymous Coward · · Score: 5, Insightful

      I think it's pretty clear this has always been the case in these pwn2own contests, whether the browser is Safari, Internet Explorer, or Chrome. This latest crack just makes it a little more obvious that it's a question of motivation more than anything else - and money is a powerful motivator, probably more so than notoriety (in sufficient quantities, anyway).

      And is that such a bad thing? For the white hats, the money's just a bonus.

      But $1M is pretty cheap to increase the odds that those who might otherwise be tempted to join the black hats can still gain public recognition, still make some money, and because their hat can remain white, they don't even have to worry about prosecution.

      In exchange for the coin, developers get responsible disclosure of lots of bugs (that might have otherwise remained under wraps, or might have been discovered first by black hats) in a controlled environment.

      Win-win situation in my books.

    8. Re:Obviously they were just waiting to start by GameboyRMH · · Score: 5, Interesting

      I'm not gonna lie, with my modest 3rd-world income I'd probably do the same thing for $60k. Giving out these massive prizes at annual competitions could turn out to be a double-edged sword.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    9. Re:Obviously they were just waiting to start by Anonymous Coward · · Score: 2, Interesting

      It also illustrates that Chrome's much lauded sandboxing is not a silver bullet for browser security.

      There is not and never has been a "silver bullet" for anything much less security. Stop acting surprised.

      I mean I could understand it if there ever once was and now you want to have that again. But there never was. There isn't. There's not going to be. There is only hard work and diligence and learning from experience. Stop acting so shocked you dumb fucks! Seriously.

    10. Re:Obviously they were just waiting to start by haruchai · · Score: 4, Funny

      You've clearly never read a press release from a software company

      --
      Pain is merely failure leaving the body
    11. Re:Obviously they were just waiting to start by hairyfeet · · Score: 3, Insightful

      Can someone please explain which OS it was running, which version, any AV, you know, more details than a fricking tweet? I know we don't generally actually READ TFA but hell this might as well have been "Chrome got pwned by a man doing a thing" for all the lack of details!

      Now as for Chrome getting hacked, well, anything CAN be hacked if you have enough of a reason to go after it, and I think Google made themselves a nice juicy target on purpose to get the data before any blackhats, so kudos to them and the hackers. I know anecdotes aren't data, but at least for myself and my customers and family the combo of Comodo Dragon (Chromium based) with either Avast Free or Comodo IS and Win 7 has been pretty much hack AND idiot proof, no small task. Just for shits and giggles I tried to infect a machine I was gonna wipe anyway, threw it at every topsite and crapsite and junksite I could find and...nothing, nada zip zilch. Of course that wasn't just Chromium protecting it; it also had Win 7 and low rights mode with DEP and ASLR, it had Comodo SecureDNS filtering known malware dumps, it had the sandboxing that is built into Avast and Comodo IS (tried both to make sure and they seem about equal on everything from protection to RAM usage, so it's more a taste thing or if you need to protect a business, as Comodo is free for business use) and finally ABP blocked many of the ads that are the biggest source of malware, at least from what I've seen.

      So a little more info would be nice, I'd like to know if there is something I need to tweak in my system or not.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    12. Re:Obviously they were just waiting to start by Anonymous Coward · · Score: 3, Funny

      There is not and never has been a "silver bullet" for anything much less security. Stop acting surprised.

      Not true that there are no silver bullets for anything. There are silver bullets for killing werewolves.

    13. Re:Obviously they were just waiting to start by Runaway1956 · · Score: 1, Funny

      Well, I'm sure that your imagination is insanely powerful.

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    14. Re:Obviously they were just waiting to start by GigaplexNZ · · Score: 4, Funny

      There is not and never has been a "silver bullet" for anything much less security.

      Except, of course, for an actual bullet made of silver.

    15. Re:Obviously they were just waiting to start by kcbnac · · Score: 4, Insightful

      Then perhaps they need to start doing them more often than yearly? Do them quarterly?

    16. Re:Obviously they were just waiting to start by Anonymous Coward · · Score: 5, Interesting

      I wonder if it would be worthwhile for a committer to intentionally introduce a bug (passing code review, of course), then split the bounty with a buddy who enters the competition?

    17. Re:Obviously they were just waiting to start by rrohbeck · · Score: 2

      What, you can't disassemble and grok 60-some MB in 5 minutes? Wimp.

    18. Re:Obviously they were just waiting to start by Anonymous Coward · · Score: 1


      I'm not sure that I like that, but I guess it gets some vulnerabilities fixed.

      More importantly, it's something that anyone can point to to demonstrate that browsers have vulnerabilities and how they work. My idiot co-worker (who's himself supposed to be an IT person) kept telling me up and down that people got infected by malware from browsers ONLY when the user gets tricked into downloading and installing software. He shut the hell up relatively quickly when I pointed him towards pwn2own. Some people are dumb enough, and confident enough in their own knowledge that they'll only believe something if you can readily demonstrate it. You can't fix stupid, only distract it.

    19. Re:Obviously they were just waiting to start by Anonymous Coward · · Score: 3, Interesting

      $60k is considerably more than my "1st-world" annual income. I imagine you'd have to be rich or a little goofy not to do that, if the opportunity presents itself.

    20. Re:Obviously they were just waiting to start by lbft · · Score: 0

      Don't expect too many details until a patch is out.

    21. Re:Obviously they were just waiting to start by westyvw · · Score: 1

      I agree with the post that I want to know what the exploit was.
      However I must say that you sure work hard to try and keep your computer safe from the internetz. Is windows land really that bad that you have to go to all that effort just to feel free to browse the web?

    22. Re:Obviously they were just waiting to start by Anonymous Coward · · Score: 0

      Avast 7 has an extremely low detection rate when it was in beta. One youtube video showed it had a 10% detection rate. But was great at domain blocking.

      Shields are not everything. Java is one of the biggest security holes and for years Sun said it was secure because it is and was sandboxed so well.

    23. Re:Obviously they were just waiting to start by genik76 · · Score: 1

      By "little goofy" you mean honest, I guess.

    24. Re:Obviously they were just waiting to start by notb666 · · Score: 0

      +1 for your sig.

    25. Re:Obviously they were just waiting to start by wvmarle · · Score: 1

      Of course. Finding exploits takes time and dedication (and possibly luck: looking at the correct piece of the code). Not likely a new exploit is discovered within the competition itself.

    26. Re:Obviously they were just waiting to start by thunderclap · · Score: 1

      Good to know that your rooster is capable of pawing. By the way, it's pronounced own to own.

    27. Re:Obviously they were just waiting to start by richtaur · · Score: 1

      I think it's pretty clear they had their exploits worked out and ready to go for some time, and were just waiting for the contest to start to unleash them.

      Seems like they found a real-life exploit created by the contest. That seems appropriate!

    28. Re:Obviously they were just waiting to start by eulernet · · Score: 4, Insightful

      This latest crack just makes it a little more obvious that it's a question of motivation more than anything else - and money is a powerful motivator, probably more so than notoriety (in sufficient quantities, anyway).

      No, it just proves that when you put enough money, professional crackers are attracted.

      There is an article where Charlie Miller (winner of past contests) explains why he won't compete:
      https://www.zdnet.com/blog/security/charlie-miller-skipping-pwn2own-as-new-rules-change-hacking-game/10554

      On the contrary, I think that money attracts professionals, and discourages all other people, who may have interesting hacks but know that they cannot compete against professionals.
      In short, it encourages people who came to win, and discourages people who came to participate.

    29. Re:Obviously they were just waiting to start by MareLooke · · Score: 1

      Which seems to be the same thing in today's world. Sadly.

    30. Re:Obviously they were just waiting to start by ByOhTek · · Score: 1

      Yeah, but it's amazing the number of self proclaimed tech experts I've known who think there are.

      "I use a Mac, and have worked in the industry for 40 years, I know it's impossible for me to get a virus."

      "I use a Mac and Chrome, I'll never get infected with anything."

      "I use Linux, my system is impenetrable."

      etc. etc.

      I haven't had a malware problem on Windows in about 13 years. Some of which I used IE (earlier times), some of which I used Firefox. This is a better record than any of those yutzes. The most important factor has and always will be the gray matter between the user's ears.

      --
      Self proclaimed typo king, and inventor of the bear destroying coffee table (patent not pending).
    31. Re:Obviously they were just waiting to start by Anonymous Coward · · Score: 1

      no, by "little goofy" he means crazy, look around and you will notice you live in capitalism

    32. Re:Obviously they were just waiting to start by Goaway · · Score: 1

      What's not to like about that? It's the entire point of the contest!

    33. Re:Obviously they were just waiting to start by RivenAleem · · Score: 1

      I don't see how anyone can complain. Either way the vulnerability isn't shared with the public. The only downside I see is that between one security researcher finding the vulnerability, and the demonstration of it at the contest, there's a chance of another less noble person finding the same vulnerability and exploiting it for nefarious reasons.

    34. Re:Obviously they were just waiting to start by Anonymous Coward · · Score: 0

      So how much did Comodo and Avast! pay you to post this?

    35. Re:Obviously they were just waiting to start by Anonymous Coward · · Score: 1

      One hopes that half of $60k is not enough to risk your job and any future prospect of employment as a developer, to say nothing of the possibility of criminal and civil damages.

    36. Re:Obviously they were just waiting to start by Zero__Kelvin · · Score: 4, Funny

      Are you mad man? Didn't you hear!!??? It exposes bugs!

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    37. Re:Obviously they were just waiting to start by Gavagai80 · · Score: 4, Funny

      Ah, so you're the guy this is about. Stop whining and get back to your luxuries while the rest of us make a tiny fraction of your salary.

      --
      This space intentionally left blank
    38. Re:Obviously they were just waiting to start by helix2301 · · Score: 1

      Pwn2Own is one of my favorite events; it really opens the eyes of the developers and security people, pointing out flaws and insecure code. This was well thought out and executed well; congrats to the hackers.

    39. Re:Obviously they were just waiting to start by TheRaven64 · · Score: 3, Funny

      I use a Mac, but the air of condescension surrounding my computer makes malware slink off and attack someone else's computer.

      --
      I am TheRaven on Soylent News
    40. Re:Obviously they were just waiting to start by Anonymous Coward · · Score: 0

      Chrome is opensource, how do we know they didn't plant the vulnerabilities? Big prizes like this might will only bring more motivated source hackers.

    41. Re:Obviously they were just waiting to start by hairyfeet · · Score: 2

      Uhhh...what's hard? Win 7 updates itself, both Comodo and Avast (I was using Avast but lately I've gone back to Comodo as I like its tougher sandboxing) have silent installers, frankly the entire system takes less than 15 minutes of actual time to install. And once installed it's pretty much walk away as everything is automated, no need for input from the user at all. Frankly it's one of the easiest systems ever and certainly easier than constantly doing forum hunts when Linux craps on its own drivers during the 6 month upgrade deathmarch.

      I've had machines in the field running this system since Win 7 RTM in the hands of users that usually pick up more bugs than a Bangkok whore and so far they haven't been able to infect their machines, so I'd say it's probably the best 15 minutes I've ever spent hardening a machine. Some shops believe you should do the absolute minimum, let the users easily infect their machines multiple times for the repeat business, but I've found word of mouth and referrals makes up for the lack of repeat business, and more than that I can sleep well at night knowing I've done the most I can to ensure that the customer's PC stays clean and running well, and knock on wood so far a 98% success rate, and you can't really count the one failure as the guy refused to listen to me and promptly uninstalled his AV when it wouldn't let him have "the new limewire" which of course was just a giant trojan package that dropped over 60 pieces of malware on his system. Sometimes you just can't stop stupid.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    42. Re:Obviously they were just waiting to start by Anonymous Coward · · Score: 0

      you know, more details than a fricking tweet?

      Yeah, I'm with you. WTF? There's three links for the "story". So I have to debate which one has the details. Finally I decide it's the middle one and before I click on it, I notice it's twitter.com. What is it about Twitter that encourages people to write like a nine-year old boy? I guess it's the character limit, which is stupidity in itself. At least on Facebook people mostly use complete sentences and punctuation.

    43. Re:Obviously they were just waiting to start by phoenix_rizzen · · Score: 1

      And a can of Coors Light, obviously.

    44. Re:Obviously they were just waiting to start by atlasdropperofworlds · · Score: 1

      You made me lol hard.

      I wish all mac owners were like you.

  2. 5 minutes? by Anonymous Coward · · Score: 4, Insightful

    I guess this means they went in knowing exactly what they were going to do. This means that it has been known for a while which means there could be many more people who know and are exploiting this.

    1. Re:5 minutes? by v1 · · Score: 5, Insightful

      Nobody shows up at one of these contests and cracks their knuckles and starts looking for holes. They always show up with a premade bag of polished and practiced zero-days.

      Funny though how they get so much media attention every time this happens. OMG Safari got owned in six minutes! Chrome got hacked in 5 minutes! They must be gods! No, not really.

      There's really no reason they couldn't be doing this once a month really. I'd wager that the winners this round had 4-6 different exploits in their bag of tricks, and are strategically submitting them.

      It would be in Google's better interest to hold such contests monthly with smaller prizes. It'd just be paying for bugs, but the way they're doing it here is just moving a lot slower than it really should.

      --
      I work for the Department of Redundancy Department.
    2. Re:5 minutes? by Anonymous Coward · · Score: 3, Interesting

      All the browsers except for IE pay for bug bounties...

      It is probably more the fame of winning the event...

    3. Re:5 minutes? by __aaltlg1547 · · Score: 4, Insightful

      And that brings up an even more troubling thought. Are the pwn2own incentives creating a perverse incentive to conceal vulnerabilities?

      I think so. If this is how Google will find and fix its flaws, exploiters are basically safe between events.

      If you want flaws and exploits identified and fixed fast, pay on a first-to-identify basis and never announce what the exploits found were. Just quietly fix them as fast as you can and distribute patches regularly.

    4. Re:5 minutes? by artor3 · · Score: 4, Insightful

      That depends how much they pay. Google, for example, pays the cute but relatively small sum of $3133.70 for the most severe bugs. These Vupen guys could have reported their bugs and pocketed at most ~$6k (maybe less, if Google failed to recognize the severity of the bugs), or they could do as they did, keep the bugs to themselves until Pwn2Own came around, and earn ten times that amount.

      I doubt they care so much about the fame. The extra $54k, on the other hand...

    5. Re:5 minutes? by Brian+Feldman · · Score: 1

      You don't understand software. Fixing things quietly is just as good as announcing them for a project that develops in the open.

      --
      Brian Fundakowski Feldman
    6. Re:5 minutes? by Anonymous Coward · · Score: 0

      Google is known for arrogance, which you may discover if you get to know their employees. If they had smaller prizes, it would go against the very foundation of the company. They pursue a quixotic replication of older software, which makes proof of their achievements a requirement.

    7. Re:5 minutes? by Anonymous Coward · · Score: 0

      Every month I see the same few guys racking up multiple lots of the 'relatively small' sums. Adds up to quite a bit; comparable to a *very* decent wage, if not better (but not as predictable).

    8. Re:5 minutes? by westyvw · · Score: 1

      A full Chrome exploit will net you $60,000 from Google. They now have 3 pay ranges and offer substantially more than they used to. I do think they upped this price after they pulled out of pwn2own in February.

    9. Re:5 minutes? by Anonymous Coward · · Score: 0

      And what about all the other people? The problem with paying small amounts of money for exploits is that it's more profitable to submit the simple ones and sell the more complex ones.

    10. Re:5 minutes? by St.Creed · · Score: 1

      I never knew that until a friend tried to deal with them on changes to the Android APIs (he works for a VERY large company and they needed extra abilities). They didn't even deign to reply.

      Nokia, Microsoft and Apple not only provided helpful assistance but actively invested to get his solution on their platform. Big difference. Google is going to shoot itself in the foot with that "If you don't work here, you're stupid and can't be taken serious" attitude.

      --
      Therefore, by the (faulty) logic you're using, you're just a cow with a keyboard - osu-neko (2604)
    11. Re:5 minutes? by Krneki · · Score: 1

      That depends how much they pay. Google, for example, pays the cute but relatively small sum of $3133.70 for the most severe bugs. These Vupen guys could have reported their bugs and pocketed at most ~$6k (maybe less, if Google failed to recognize the severity of the bugs), or they could do as they did, keep the bugs to themselves until Pwn2Own came around, and earn ten times that amount.

      I doubt they care so much about the fame. The extra $54k, on the other hand...

      I fear that the black market pays more for these 0-day exploits.

      --
      Love many, trust a few, do harm to none.
    12. Re:5 minutes? by Anonymous Coward · · Score: 0

      "Fixing things quietly is just as good as announcing them."

      FTFY. Any time you patch software, somebody will look for what changed, determine whether it was a security flaw, and have an exploit out the next day. This is one of the reasons why MS only patches minor flaws once a month. MS is one of the closest developers there is, yet they still have people developing exploits based solely on patches.

      dom

    13. Re:5 minutes? by Anonymous Coward · · Score: 0

      So 19 to 20 bugs will put you in the same ball park as the contest winnings. If the contest is annual and you can manage two bugs a month you're pulling ahead with the smaller payouts. I guess it depends on how fast you can find the bugs.

      If the bugs are that plentiful why not do both saving the really good ones for the contest. However if worthy bugs are scarce enough then I suppose that only the annual contest winners are going to make serious bank.

      The other interesting thing about saving bugs for the contest is that there is at least some risk that someone will find and fix the bug before the contest making you wish you'd cashed in for the 3k.

      How many 3k rewards has Google given out? More than 60k worth? How likely is it that you can single handedly discover 60k worth of 3k bugs?

    14. Re:5 minutes? by Anonymous Coward · · Score: 0

      There are plenty of arrogant assholes working for Google, but the Android ones play in an entirely different league. Biggest assholes I've ever seen, from Andy Rubin all the way down. They have their own culture and other than sharing offices with the rest of Google, they are still Android, Inc, for all intents and purposes.

      The "the engineers working for other companies are idiots" attitude is one I sadly used to see almost every day at Google. There are some nice guys working there, though.

      --
      mchurch

    15. Re:5 minutes? by Anonymous Coward · · Score: 0

      Have you heard of 8 minute abs? Get this... 7 minute abs... if it doesn't work for you, we'll send you the extra minute for no charge!

  3. You always could google pwn2own... by Anonymous Coward · · Score: 1

    ...now it seems you can also pwn2own google!

    1. Re:You always could google pwn2own... by Torodung · · Score: 2

      You forgot "In Soviet Russia..."

    2. Re:You always could google pwn2own... by allo · · Score: 2

      Soviet Russia forgot him!

    3. Re:You always could google pwn2own... by tomofumi · · Score: 1

      google pwns YOU!!

  4. Why even mention the time? by Anonymous Coward · · Score: 5, Insightful

    This isn't Swordfish. They had plenty of time to prepare their attack.

    It's impressive they exploited Chrome. But the preparation took more than 5 minutes.

    1. Re:Why even mention the time? by Brad1138 · · Score: 4, Funny

      You mean they weren't getting BJ's as they hacked Chrome? What kind of contest is this anyway?

      --
      If you could reason with religious people, there would be no religious people
    2. Re:Why even mention the time? by binarylarry · · Score: 5, Funny

      It's not called pwn2groan!

      --
      Mod me down, my New Earth Global Warmingist friends!
    3. Re:Why even mention the time? by Billlagr · · Score: 2

      pwn2blown! In under 5 minutes no less

    4. Re:Why even mention the time? by geminidomino · · Score: 1

      That comment, on the other hand, would have won if it was.

      I cringed a little, too.

    5. Re:Why even mention the time? by mikael_j · · Score: 2, Insightful

      Well, every year when Safari was the first browser to be targeted and thus also the first to be broken the fandroids and the anti-Apple crowds would scream on and on about how this proved Safari was the shittiest browser in existence and by extension Apple was a horrible horrible company.

      I guess it's Google's turn this year.

      And no, I don't use Safari, I just find it interesting that when previous stories like this have been about Safari the first dozen or so posts weren't about how the reporting was biased...

      --
      Greylisting is to SMTP as NAT is to IPv4
    6. Re:Why even mention the time? by Anonymous Coward · · Score: 0

      Why are you so surprised? It's the /. double standard where Google can do nothing wrong.

    7. Re:Why even mention the time? by makomk · · Score: 1

      Except in this case Google Chrome's being targeted because Google themselves are offering particularly generous payments to hack it, whereas Safari was a favourite target in prior years because according to the contestants it was the easiest to find and exploit holes in.

    8. Re:Why even mention the time? by Anonymous Coward · · Score: 0

      cept of course it wasn't a favorite, it was just first (as parent stated) to be targeted in the competition

    9. Re:Why even mention the time? by Anonymous Coward · · Score: 0

      The reason it's that way is because Apple fanboys are. So. Goddamn. Defensive. Of course it's funny to get them all pissed and riled up. It's not really so much about a double standard as it's about watching the pretty boys get flustered.

  5. Re:I like competitions with prizes by Anonymous Coward · · Score: 0

    me not grok your second comment? Are you suggesting that if BG had done the same thing, it would have embarrassed the MS OS into not being the moneymaker it is? I seriously doubt that.

  6. still more cost effective by Bananasdoom · · Score: 5, Insightful

    Handing out 2mill of prize money is still more cost effective than standard R&D, you get more professionals testing it for the chance of winning some prize money than Google could ever employ and the people they chose not to employ.

    1. Re:still more cost effective by __aaltlg1547 · · Score: 2

      No it's not. It's Ann incentive to create and CONCEAL cracks while drawing attention to Ans glorifying crackers.

    2. Re:still more cost effective by Ambiguous+Coward · · Score: 2

      I'm dying to know what (assumedly mobile) OS is autocorrecting you An this way. :)

      --
      Their may be a grammatical error, misspeling, or evn a typo in this post.
    3. Re:still more cost effective by gweihir · · Score: 3, Interesting

      Unfortunately, wrong. First, you get only as much of their vulnerability stock that they need to maximize their profit. Then, you do only get what was easiest to find for them. A real security review looks at architecture, design, coding style and other things as well, which are completely absent at these competitions.

      Basically, this is a show with very little actual security benefits.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    4. Re:still more cost effective by westyvw · · Score: 2

      Shirley the next name I am going to use in my next kids book will be Ann Incentive. I can see her leading the way.

  7. Conflated competitions? by Anonymous Coward · · Score: 5, Interesting

    The posting says that one of the teams in Pwn2Own will win at least USD 60K from Google. But Google aren't putting up any Pwn2Own prize money. Last I heard Google are running their own competition with different rules. The participants in Pwn2Own may well not enter the Google competition because their exploit (if it escapes the sandbox) will be worth much more than USD 60K. My understanding is that the Pwn2Own entrants are not required to reveal their sandbox exploits before receiving the prize money because sandbox exploits are worth much more than the prize money that is available while Google will require full disclosure before handing over their money.

    1. Re:Conflated competitions? by Anonymous Coward · · Score: 5, Informative

      The Pwn2Own twitter account actually talks quite a bit about this.

      Additionally, it appears that Vupen has already announced they won't be participating in Google's competition.

    2. Re:Conflated competitions? by Anonymous Coward · · Score: 0, Redundant

      > The Pwn2Own twitter account actually talks quite a bit about this.

      In 140 character burps

    3. Re:Conflated competitions? by deroby · · Score: 1

      So basically they simply announced that they have found a way to work around Chrome's security system; won a competition doing so (including fame & prize money) bringing them lots of media coverage (read: free advertising). And now they simply have to wait for some 'clients' to come up with more than 60k for its source, I'm sure their address is on the pwn2own website.

      Seriously, they might just as well put it on ebay if you think about it, opening bid of 59.999$.

      --
      If there is one thing to be learned on slashdot, it has to be sarcasm.
  8. How does this go by eyenot · · Score: 2

    I haven't used Chrome for months. It was behaving erratically and made me nervous during a time I was looking for a secure browser out of immediate necessity. I eventually managed to use an old version of firefox portable that settled things. I forgot pwn2own was even happening by the time I noticed Chrome zipped in my archives folder and deleted it as useless just two days ago.

    But this stuff has me wondering: suppose this goes on and Chrome eventually has all of the exploits worked out of it. A theoretical possibility. Suppose, then, that some new features are requested. Now it seems to me that if I recall correctly, every time revisions are made to software, new exploits appear. This leads me to my first question: what is getting screwed up, learned, forgotten then screwed up again in the coding process that this always seems to be the case?

    My second question is, by extension of the first, what are the major weaknesses of browsers? Their implementation of a half-finished "standard" like dHTML? The coders borrowing classes or libraries that would introduce flaw.X to any programmers including them or using them with the program? Programmers being clumsy and trying to force data types to do things they aren't meant to like fit four bytes through an argument that's two bytes wide, and instead of backtracking both directions and setting them both to the same width in planning, just over-riding some compiler warning and suppressing runtime halts and sending it to market?

    --
    "Stratigraphically the origin of agriculture and thermonuclear destruction will appear essentially simultaneous" -- Lee
    1. Re:How does this go by Anonymous Coward · · Score: 1

      All code libraries etc make assumptions about what sorts of data they will handle. The problem is that these browsers (and all software larger than Hello World) are so complicated that it is impossible for a developer to anticipate every interaction and use every api exactly as it was intended in all possible cases. In essence in order for there to be no exploits introduced when a new feature is added, that feature and every possible interaction of that feature with every other feature must be vetted.
      Saying you want no exploits in a large piece of software is equivalent to saying that you want an incredibly complex system to be constructed perfectly the very first time. This is not feasible to do at the rate that users want new features and at the rate that new more efficient hardware and algorithms are invented/discovered. Bugs can be *incredibly* subtle and may only trigger under very very specific circumstances, they can persist for years/decades with no one ever finding them.
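
Added example, not part of any comment in this thread: the case raised in the question above (fitting four bytes through an argument that is two bytes wide, with the compiler warning overridden), shown in C beside a full-width check. The function names, the 64-byte capacity and the sample lengths are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_CAP 64u /* constructed capacity for this demo */

/* Callee with a 2-byte-wide length parameter. It assumes `len` is the
   real size of the data, which is only true if the caller never had a
   wider value to begin with. */
static int fits_u16(uint16_t len) {
    return len <= BUF_CAP;
}

/* "Before": the caller holds a 4-byte length and silences the narrowing
   warning with a cast. 0x00010010 (65552) is truncated to 0x0010 (16),
   so the bounds check passes for an input far larger than the buffer. */
int check_truncating(uint32_t claimed_len) {
    return fits_u16((uint16_t)claimed_len);
}

/* "After": both sides use the same width, so the check sees the full
   value and no cast is needed to keep the compiler quiet. */
int check_full_width(uint32_t claimed_len) {
    return claimed_len <= BUF_CAP;
}

/* Hardened copy: validates the full-width length against the real
   destination capacity before touching the buffer.
   Returns the number of bytes copied, or -1 if the request is rejected. */
long copy_checked(uint8_t *dst, size_t dst_cap,
                  const uint8_t *src, uint32_t claimed_len) {
    if (dst == NULL || src == NULL) {
        return -1;
    }
    if ((size_t)claimed_len > dst_cap) {
        return -1;
    }
    memcpy(dst, src, claimed_len);
    return (long)claimed_len;
}

int main(void) {
    /* Constructed sample lengths: one honest, one that wraps in 16 bits. */
    const uint32_t samples[] = { 16u, 0x00010010u };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("len=%lu truncating_check=%d full_width_check=%d\n",
               (unsigned long)samples[i],
               check_truncating(samples[i]),
               check_full_width(samples[i]));
    }
    return 0;
}
```

The two checks agree on every length that fits in 16 bits and disagree only on values that wrap, which is why such a bug can sit unnoticed until someone supplies that specific input.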

  9. Re:I like competitions with prizes by bbecker23 · · Score: 0

    They'd have paid out so much in "bug bounty" that he'd be broke by now. That's what GP is going for, anyway.

    --
    cat /dev/random > sig.txt
  10. No meat to the story by Anonymous Coward · · Score: 0

    Without vulnerability details there really is no story. Without knowing what exactly is going on here we can't know what precautions to take or whether there is any likelihood of other software (even our own) being affected. Or if there's even a real story here.
    I mean, it's nice they're going to win a prize and all, but there's nothing here for us that we can act upon. Without knowing any details we can't even really know whether we're any safer if using another browser.

  11. I use Chromium by cpu6502 · · Score: 1, Troll

    It doesn't have any of those annoying Google spying/tracing code built-in.

    --
    My AC stalker: " I personally agree with your posts most of the time, but that won't keep me from modding you troll"
    1. Re:I use Chromium by cpu6502 · · Score: 0
      --
      My AC stalker: " I personally agree with your posts most of the time, but that won't keep me from modding you troll"
    2. Re:I use Chromium by cpu6502 · · Score: 1

      Modded Troll??? Why? I was stating a truth (I don't use Google Chrome; I use the open source chromium).

      Chromium LINK - http://www.softpedia.com/get/PORTABLE-SOFTWARE/Internet/Browsers/Portable-Google-Chrome-Chromium.shtml

      --
      My AC stalker: " I personally agree with your posts most of the time, but that won't keep me from modding you troll"
    3. Re:I use Chromium by TheInternetGuy · · Score: 0

      Using very strict judgement, uncharacteristic to Slashdot, the parent may be off topic, but Score:0, Troll? I guess mods woke up on the wrong side of the bed today.

      --
      If my comment didn't sound as good in your head as it did in mine, then I guess we all know who's to blame
    4. Re:I use Chromium by Daniel+Phillips · · Score: 0

      Googlers should know that expressing disagreement via mod points is not Googly. Or is it now?

      --
      Have you got your LWN subscription yet?
    5. Re:I use Chromium by Anonymous Coward · · Score: 1

      Oh come on, we all know Google is perfect and can do no wrong and anyone that says anything negative against them is clearly a paid shill.

    6. Re:I use Chromium by Calos · · Score: 2

      Yeah, that truth, that's not why people were modding your post. I think you know that.

      And people are probably modding it troll because most of us haven't seen any legitimate proof of these claims. Most of us see a fair amount to the contrary.

      By all means, if you know something and can show it or have some links with substantiated evidence - please post them, so people can make the choice to switch if they desire.

      Otherwise, all you're doing is raising the noise floor. And moderators are seeking to lower it.

      --
      I vote based on politicians' actions, unless contrary to my preconceptions. Often wrong, never uncertain. #iamthe99%
    7. Re:I use Chromium by causality · · Score: 3, Insightful

      > Modded Troll??? Why? I was stating a truth (I don't use Google Chrome; I use the open source chromium).
      >
      > Chromium LINK - http://www.softpedia.com/get/PORTABLE-SOFTWARE/Internet/Browsers/Portable-Google-Chrome-Chromium.shtml

      The one time the Slashdot groupthink is actually against Open Source code and privacy and software freedom ... is when it makes a statement against Google.

      Since this particular statement cuts to the core of how Google makes its money, namely through acquiring marketing data from mostly hapless and unsuspecting users who have no idea how much information they are "contributing", and wouldn't if they did, it's too fundamental of a comment to be tolerated by the fanboys.

      So you're being punished by the more impotent and bed-wetting type of mods for telling the truth. That's a badge of honor.

      I mean, it's not like they were going to take you on with facts and explain why you're completely mistaken. They can't. So, like all other cowards, they lash out the only way they can. That's all. Nothing hard to understand about it.

      --
      It is a miracle that curiosity survives formal education. - Einstein
    8. Re:I use Chromium by Daniel+Phillips · · Score: 1

      > Googlers should know that expressing disagreement via mod points is not Googly. Or is it now?

      Oh right, I forgot, the "don't be evil" already left the building.

      --
      Have you got your LWN subscription yet?
    9. Re:I use Chromium by Anonymous Coward · · Score: 0

      Maybe because you keep linking to third party sites which are about Windows-only builds?

      How about next time just linking to the real source?

    10. Re:I use Chromium by Anonymous Coward · · Score: 0

      Because your post is entirely pointless in this article? Who cares if you're using Chromium? What does it add to this thread? Nothing.

    11. Re:I use Chromium by Anonymous Coward · · Score: 0

      Have you read the source to ensure that?

    12. Re:I use Chromium by Anonymous Coward · · Score: 0

      Never mind that it's off topic (which is also a moderation option).

      If you want such hate to be moderated positively, it needs to be directed toward Firefox in an article that merely mentions Firefox or Mozilla.

    13. Re:I use Chromium by cpu6502 · · Score: 1

      If you haven't seen the reports of Google tracking users, even to the point of hacking Apple Safari and Microsoft Explorer's "private" modes to track them, then you have not been paying attention. It's common knowledge now among tech professionals.

      --
      My AC stalker: " I personally agree with your posts most of the time, but that won't keep me from modding you troll"
    14. Re:I use Chromium by Anonymous Coward · · Score: 0

      > even to the point of hacking Apple Safari and Microsoft Explorer's "private" modes

      Completely ignoring for a second that there was no "hacking" involved, what does this have to do with spying/tracing code in Chrome? Answer, absolutely nothing. You simply stated it because your claim was baseless and you knew it, and were simply hoping people would make the jump from "Google can track your private browsing in Safari/IE" to "Google's Chrome spies on you" without stopping to think "wait, but if Chrome really does spy on me, where has that story been?"

    15. Re:I use Chromium by Calos · · Score: 1

      If it's such common knowledge, surely it will be easy for you to provide a credible link. You could have provided several in the time it took you to write a snarky, arrogant reply. But you didn't.

      No, I will not accept your appeal to your ethos and authority as a valid argument.

      Because the truth is - I don't ask because I'm wholly ignorant on the subject. I actually pay pretty close attention to this kind of thing. I know there are privacy concerns with Chrome, but I also know that the things that were concerning have been removed, and that you can opt-out of most everything else. Anecdotally, I know I have never seen anything suspicious show up in a packet sniffer, or any unusual connections in my Privoxy logs.

      Wikipedia has a decent, and decently sourced, summary (and yes, it's Wiki, and yes, I'm cringing suggesting anyone look for information there). However, Wiki, being the fount of "common knowledge" that it is, and haunted by all kinds of spooks, it's a good rebuttal to your "common knowledge" claim. Not that "common knowledge" means anything anyway.

      --
      I vote based on politicians' actions, unless contrary to my preconceptions. Often wrong, never uncertain. #iamthe99%
  12. Google's PHD Coders??? by BoRegardless · · Score: 1

    Tell me that Google couldn't do a better job than that.
    5 minutes? What sort of coding knowledge does Google have anyway.

    1. Re:Google's PHD Coders??? by Daniel+Phillips · · Score: 3, Insightful

      > Tell me that Google couldn't do a better job than that.
      > 5 minutes? What sort of coding knowledge does Google have anyway.

      Not as much as the combined wisdom of the community, a fact that permeates slowly through some of the thicker skulls in the land of Oz.

      --
      Have you got your LWN subscription yet?
    2. Re:Google's PHD Coders??? by viperidaenz · · Score: 0

      60x more than those at Apple? Since Safari was hacked in 5 seconds at the last pwn2own.

    3. Re:Google's PHD Coders??? by gweihir · · Score: 2

      The time is completely irrelevant. These are pre-packaged exploits that run as fast as possible.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    4. Re:Google's PHD Coders??? by Anonymous Coward · · Score: 0

      > Tell me that Google couldn't do a better job than that.

      Of course Google could do a better job, if they actually cared to. But chrome doesn't make a whole lot of money for Google.

    5. Re:Google's PHD Coders??? by Anonymous Coward · · Score: 0

      I think saying it's "the combined wisdom of the community" is correct but misleading. Google employees have to implement X number of features in Y time while trying to make everything perfect, while hackers' time is limited only by themselves and their task is simply to find imperfections while doing work whose quality only has to be good enough to not fail on its own. I believe Google isn't nearly as bad as Apple in how hard it drives its employees into the ground with unrealistic time frames, but even so it's reasonable to assume that the quality of work is at least slightly compromised while having a much higher burden of quality than the work of people looking for exploits. (I am, of course, not addressing whatever in-house hackers Google has, since I don't even know if they exist. If they do, then of course they failed in comparison with the people who found the exploits.)

    6. Re:Google's PHD Coders??? by Anonymous Coward · · Score: 1

      > I think saying it's "the combined wisdom of the community" is correct but misleading. Google employees have to implement X number of features in Y time while trying to make everything perfect, while hackers' time is limited only by themselves and their task is simply to find imperfections while doing work whose quality only has to be good enough to not fail on its own. I believe Google isn't nearly as bad as Apple in how hard it drives its employees into the ground with unrealistic time frames, but even so it's reasonable to assume that the quality of work is at least slightly compromised while having a much higher burden of quality than the work of people looking for exploits. (I am, of course, not addressing whatever in-house hackers Google has, since I don't even know if they exist. If they do, then of course they failed in comparison with the people who found the exploits.)

      Exploits will happen no matter how much time you give your developers.

      Think about all the code in a web browser. Parsers for HTML, XML, Javascript, CSS, SGML, etc. Image and video decoders for a dozen formats. Software of that complexity will have bugs. If it is performant, it is written in a language where some of those bugs are exploitable.

      If you don't understand why this is hard, try it yourself. Go read the source of a library that decodes an image format, such as libpng or libjpeg-turbo. How long would you have to look at it to be 100% sure it is bug-free?

      Chrome's sandbox is a great way to mitigate some of the risk of exploits in the renderer, but the sandbox is a complex beast. The API Windows provides for this is SACLs and DACLs on kernel objects, but not all interesting objects enforce the limitations they need. For example, drawing requires HWNDs, and HWNDs under a single desktop object can not be isolated using DACLs. They have to do some heroically complex things to make isolation work. Complex code written against an API not designed to do what they need will have bugs.

      The arrogance of some comments here is amazing. Chrome's sandbox team has dramatically raised the bar for browser security. It was done in a general way, and open sourced, so that others could use it. Making snarky comments about this work because a bug was found is silly. Think this stuff is easy? Write a patch for a real bug and I will consider the possibility that you are right.

      As an analogy, suppose that a bug in the Linux kernel allowed a process to modify the private memory of another process. Would you conclude that Linux developers are stupid, lazy, or under time pressure from their employer? Would you make snarky comments about how, with bugs like this, UNIX style memory protection is useless, and the DOS/Mac OS 9 style memory management (where every process can read/write every other process's memory) is clearly just as good?

    7. Re:Google's PHD Coders??? by ais523 · · Score: 2

      Well, it's probably an indication of whether the exploit is deterministic or probabilistic (probabilistic exploits will need more tries on average before they work). Also, if it's a buffer overflow, the size of the buffer it's overflowing (if it needs a lot of data to overflow, the browser will take a while to download it).

      Not a good indicator of how difficult the exploit was to find, though.

      --
      (1)DOCOMEFROM!2~.2'~#1WHILE:1<-"'?.1$.2'~'"':1/.1$.2'~#0"$#65535'"$"'"'&.1$.2'~'#0$#65535'"$#0'~#32767$#1"
    8. Re:Google's PHD Coders??? by gweihir · · Score: 1

      Indeed. A very simple to find one with a large random component could run forever, while a really hard to find one may simply change one flag by buffer overflow in a microsecond.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    9. Re:Google's PHD Coders??? by AvitarX · · Score: 1

      Are you kidding? Chrome makes them millions in saved search royalties to Mozilla, and profits millions in ad revenue from dinged MS market share (going to them without paying Mozilla).

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    10. Re:Google's PHD Coders??? by Tim+C · · Score: 1

      They didn't hack/crack Chrome in 5 minutes, they turned up with a pre-tested bag of tricks and took 5 minutes to run them.

  13. Re:I like competitions with prizes by TWX · · Score: 1

    Essentially. Not broke per se, just not multibillionaires.

    --
    Do not look into laser with remaining eye.
  14. Yo Dawg I heard you liked sandboxes by flappinbooger · · Score: 2

    So I run chrome inside of a sandbox so I can be sandboxed while Chrome's sandbox is being hacked.

    --
    Flappinbooger isn't my real name
  15. Nice salary by Daniel+Phillips · · Score: 4, Funny

    That's $12 million/hour, more than Larry and Sergey combined :-)

    --
    Have you got your LWN subscription yet?
    1. Re:Nice salary by viperidaenz · · Score: 2

      I get paid $26 million/hour. If I only look at the 1 second it takes for my pay to appear in my account every fortnight.

  16. Nice Linking by rudy_wayne · · Score: 5, Funny

    > 5 minutes into the Pwn2Own cracking contest team Vupen exploited 2 Chrome bugs to demonstrate a total break of Google's browser.

    Thanks for linking to a completely useless, pointless and content-free Twitter post.

    1. Re:Nice Linking by Voyager529 · · Score: 1

      > Thanks for linking to a completely useless, pointless and content-free Twitter post.

      I thought redundancy was picked up by the lameness filter.

  17. details on the exploit? by xandroid · · Score: 2
    --
    $ echo "ceci n'est pas une pipe" | sed -Ee 's/(eci n|pas )//g'
  18. repeat exploit gets no prize by Anonymous Coward · · Score: 0

    If I was sitting on an exploit for a competition, I would practice it many times in advance. There is no award for same exploit done in 6 minutes.

  19. Kudos to Google by Anonymous Coward · · Score: 0

    The prize isn't a lot of money by Google standards, but it's a lot of money by most people's. Kudos to Google for putting up enough money to get some serious hack attempts to come out of the woodwork.

    1. Re:Kudos to Google by Anonymous Coward · · Score: 0

      Mod me troll, but it is probably cheaper to give some money away and get some positive publicity than to employ lots of people to find these holes. And while the holes are found, Google is data mining the contestants for all they are worth. So, no Kudos to Google...

    2. Re:Kudos to Google by Pi+Is+A+Rational · · Score: 1

      :D

  20. Awarding this the most apologetic post of the day by Anonymous Coward · · Score: 4, Insightful

    Saying "I know anecdotes aren't data" followed by "but insert anecdote here" doesn't excuse you from confirmation bias. There is no evidence presented by you that your practises wouldn't keep you just as safe with Opera or Gecko-based browsers.

  21. A Market for Bugs? by BenJCarter · · Score: 1

    What if Google set up a market protocol to buy Chrome bugs? $1k each, with strict disclosure and delivery terms. We might just deplete the entire Chinese exploit arsenal in 3 months... Or at least boost the knowledge-base of Chrome using CS students everywhere.

    --
    For in politics, as in religion, it is equally absurd to aim at making proselytes by fire and sword. - Publius
    1. Re:A Market for Bugs? by Anonymous Coward · · Score: 0

      Why would Google's market work any better than the actual market which existed several years ago, where hackers could sell their vulnerabilities to the highest bidder?

      http://wslabi.com/

      If anything, a fixed price is a much worse idea, because you can make considerably more money for good exploits on the black market. Not only can you get better prices, you can make multiple sales.

    2. Re:A Market for Bugs? by Anonymous Coward · · Score: 0

      Vupen (and others) make far more than this selling their 0-day packs. This is just sacrificing a few of their exploits for some free advertising and prize-money.

  22. Yes you can break it. Can you build it? by russbutton · · Score: 1

    For all the bad dudes out there who can do this, remember that it's a lot easier to break something than to build it.

  23. Re:But what very did they try to exploit? by anubi · · Score: 2

    I just saw some stuff on youtube that, well for me, was quite scary.

    http://www.youtube.com/watch?v=fxri6DDYAdM

    It was about dangerous sites on the internet. Youtube has lots of links to other similar postings.

    A question for fellow slashdotters... how much truth is in this? Or are they playing games with me to scare the hell out of me?

    Comments invited.

    --
    "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]

  24. Re:Yes you can break it. Can you build it? by Anonymous Coward · · Score: 0

    Writing exploits for a modern browser like Firefox, where they have a good process and use static analysis tools to eliminate most possible exploitable bugs, or a browser like Chrome that has decent engineering but a hardware-assisted sandbox, is probably the hardest thing in all of computer science. Only a tiny few can do it these days. Building a browser just takes time and effort, exploiting it takes doing the 'impossible'.

  25. Re:But what very did they try to exploit? by Billly+Gates · · Score: 1, Insightful

    Common sense. With 100 million users there are many bad sites and these are not games. It is a dangerous place.

    Yes there are many bad websites and legit ones that have been compromised with ads or hacked to serve javascript exploits. Wordpress seems to be a popular legit series of sites that hackers keep injecting bad ads and malware to infect users who browse.

    Go Google Norton Safe web and click the top 10? It changes everyday.

    If you are really freaked out use an anti virus package that has cloud updates that blocklists bad sites and prevents them from opening. Avast Free is a popular one which updates every 8 minutes and blocks any browser. Comodo Dragon is a Chromium/Chrome based browser that has built in website blocking from bad domains as they make Comodo IS (haven't used it but has good ratings, though slows down your computer).

    If you go to www.openDNS.com you can use the IP addresses in your DNS settings and it will provide filtering too (not as quick to block as other AV products I listed above).

    Use a great Anti Virus product and do not go to weird unknown sites. Do not listen to the slashdot geeks who claim you do not need AV products and that they are not infected. 90% are and all it takes is one bad or flash exploit ... keep flash up to date too by going to Adobe or www.filehippo.com. The new one will auto update. Good luck keeping secure

  26. Re:Does this exploit sandbox in other programs by Anonymous Coward · · Score: 0

    Does this exploit sandbox in other programs? Or was Google just arrogant in setting forth this challenge figuring it would take them several hours or days to crack it?
    5-minutes or under is funny, but does this also mean that the "sandbox" idea is a waste of time in other programs!

    It is funny Google claimed they wanted to find out how Chrome could be cracked so they can fix the problems, only to find out they are nowhere near being a "secure" browser..

  27. Re:Yes you can break it. Can you build it? by Anonymous Coward · · Score: 0

    Haha, no.

  28. Won't help by dutchwhizzman · · Score: 2

    The whole concept of PWNing is that someone comes up with a way to circumvent the security built into that system. Sure, multiple layers like you describe will hopefully catch the intruder at some other point, where they try to do something that triggers an alarm. However, there is nothing you can do against zero-day vulnerabilities, other than multilayer your security and set up proper alerting.

    People smart enough to find a zero day in a common and well tested browser, tend to be smart enough to write "payload code" that will not be detected by your virus scanner as well. Most likely, they will disable your local (windows) firewall (the payload would have to be OS specific anyway) and get the information they are after back to themselves some way.

    Like others already said, you won't get to hear details on how they got through until after the patch has been rolled out and you can download a fixed version. If you want to learn how to defend yourself against zero-days in general, read what the leak was, do that for as many other zero-day vulnerabilities as you can spend time on and come up with generic defenses that will help against as many of those as possible. Just concentrating on this one won't do you any good.

    --
    I was promised a flying car. Where is my flying car?
  29. no benefits? by dutchwhizzman · · Score: 1

    sixty thousand clones of George Washington disagree with you on that.

    --
    I was promised a flying car. Where is my flying car?
  30. Show us the money! by Anonymous Coward · · Score: 0

    Where's the $1M for a/the hack?

  31. Re:OMFGBBQWTFROTFMAO by Anonymous Coward · · Score: 0

    Well, as long as you ain't Laughing your ass off...

  32. Re:Does this exploit sandbox in other programs by Goaway · · Score: 1

    What's "funny" about five minutes? The point of the competition is that you show up with your exploit, and run it. Five minutes is a pretty long time to do that in.

  33. Re:Yes you can break it. Can you build it? by ledow · · Score: 1

    But breaking something in a way that no-one has ever done before is a lot HARDER than either.

  34. Re:Does this exploit sandbox in other programs by Anonymous Coward · · Score: 0

    > Five minutes is a pretty long time to do that in.

    the target systems musta been running vista and still booting on the word 'go'.

  35. No shit, Sherlock by smooth+wombat · · Score: 1

    > It also illustrates that Chrome's much lauded sandboxing is not a silver bullet for browser security."

    When I made a comment a few weeks back that the fact that Chrome could be installed without admin privileges is a huge security hole, I was told by the "experts" on here that because Chrome was sandboxed, my comment was completely without merit.

    Repeat after me: there is no such thing as a secure application. Given enough time, someone, somewhere, will find a way to circumvent any security you may have in your software.

    So yeah, fuckers, allowing Chrome to be installed without admin privileges IS a gaping security hole waiting to happen. And here it is.

    --
    We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
    1. Re:No shit, Sherlock by Anonymous Coward · · Score: 0

      > When I made a comment a few weeks back that the fact that Chrome could be installed without admin privileges is a huge security hole

      Indeed it is. Any OS that allows an application to be installed without admin rights has a huge security hole.

      Whatever OS you're talking about should be fixed.

  36. OP - here's WHY you were "down-modded" by Anonymous Coward · · Score: 0

    So GOOGLE keeps a lot of paid shills around here then, eh? That's what I am gathering from your statements. Slashdot's "groupthink" also? However - in case they are NOT "paid for trolling downmodding shills"?? Don't you really mean 'sheep-think', instead???

    I state that, because a good 90% of the fools around here don't know a DAMNED THING about computing other than @ user level (perhaps @ the network admin level, & that's only a user with a BETTER PASSWORD!).

    1. Re:OP - here's WHY you were "down-modded" by TheVelvetFlamebait · · Score: 1

      > I state that, because a good 90% of the fools around here don't know a DAMNED THING about computing other than @ user level

      That's probably because it's news for nerds, not news for computer engineers. The days when there was a natural bias on the internet towards computer geeks is over. Nerds on the internet come in all flavours now.

      --
      You know, there is a difference between trolling and pointing out the flaws in your reasoning. Just saying.
  37. The only successful security by Anonymous Coward · · Score: 0

    Is encryption on everything so that even the FBI or the NSA will not be able to hack.

    That is not going to happen

  38. Re:Does this exploit sandbox in other programs by TheRaven64 · · Score: 1

    And, another question: Which sandbox did it exploit? Chromium has a chroot-based sandbox, an SELinux sandbox, a Capsicum sandbox, and a Windows sandbox and a Mac sandbox. Was the compromise something specific to one of these implementations, or was it in the platform-agnostic code?

    --
    I am TheRaven on Soylent News
  39. Re:Does this exploit sandbox in other programs by V+for+Vendetta · · Score: 1

    > The point of the competition is that you show up with your exploit, and run it.

    This article linked in another post above disagrees:

    > Miller, a Pwn2Own regular who makes headlines every year for his work breaking into fully patched Mac OS X machines, says he is skipping the contest this year because of the new rules that require on-the-spot writing of exploits.

  40. Really? by Anonymous Coward · · Score: 0

    > For all the bad dudes out there who can do this, remember that it's a lot easier to break something than to build it.

    In general, I'd say it's a lot easier to build insecure software than it is to find and exploit bugs in software.

  41. Chrome on Windows Hacked In 5 Minutes by dgharmon · · Score: 1

    Corrected headline .. :)

    --
    AccountKiller
  42. Obligatory by cmburns69 · · Score: 2
    --
    Online Starcraft RPG? At
    Dietary fiber is like asynchronous IO-- Non-blocking!
  43. Google Fanboys Revealed! by Anonymous Coward · · Score: 0

    For all the commenters who remark that Vupen had their exploits ready to go--and to the moderator who thinks those comments are just so d@mn interesting--look back at previous Pwn2owns and you'll see the same thing--but with other browsers. You've all merely revealed yourselves as either ignoramuses (probably just a few) or completely pwned by Google (most likely). What's actually interesting about the contest this year is that Chrome hadn't been pwned in any previous year, and this year Google claims to put up millions of dollars, and (surprise!) they do get pwned. All you Chrome users have been living in a dream world. What's even more interesting is that Vupen isn't apparently to receive a million dollar prize. And that's false advertising.

  44. Chrome exploited with 0day in 5 minutes by jmerlin · · Score: 1

    Actual corrected headline. Please stop with the sensationalist headlines about hacking. The only number that matters is how long it took to find the exploits and to package them into an attack vector versus the reward from Google.

    There are virtually no applications that will survive for more than a few minutes against a 0day when the attacker is given sufficient capability to execute an attack.

  45. Re:Does this exploit sandbox in other programs by Goaway · · Score: 1

    Well, that would explain why it took so long, if he had to type it out from memory.

  46. 60K is not 1 million by Anonymous Coward · · Score: 0

    FUNNY they get 60K NOT 1 MILL....not worth helping corporate america sorry..give me 100 million I'll show ya a few bugs and hacks....otherwise piss off.

  47. Re:Does this exploit sandbox in other programs by Harik · · Score: 1

    If only there were a -1 WRONG button.

    That's for Pwn2Own, which Google is also not participating in. Pwnium (what this is about) allows pre-written exploits.