Chrome Hacked In 5 Minutes At Pwn2Own

Skuto writes "After offering a total prize fund of up to $1M for a successful Chrome hack, it seems Google got what it wanted (or not!). No more than 5 minutes into the Pwn2Own cracking contest team Vupen exploited 2 Chrome bugs to demonstrate a total break of Google's browser. They will win at least 60k USD out of Google's prize fund, as well as taking a strong option on winning the overall Pwn2Own prize. It also illustrates that Chrome's much lauded sandboxing is not a silver bullet for browser security."

Obviously they were just waiting to start

[msobkow]

I think it's pretty clear they had their exploits worked out and ready to go for some time, and were just waiting for the contest to start to unleash them.

Still, kudos on what has to be almost world-record-time penetration of a "secure" system.

Re:Obviously they were just waiting to start

[SpanglerIsAGod]

I think that's how most of the successful hacks have been going in this contest. Someone finds a few vulnerabilities, hordes them until the contest, and then goes public with them.

I'm not sure that I like that, but I guess it gets some vulnerabilities fixed.

Re:Obviously they were just waiting to start

I think all of the Pwn2Own exploits are discovered beforehand and then shown at this event. They could report it and get sued... or they could hold on to it, hope its not patched out or publicized and grab money and swag.

Re:Obviously they were just waiting to start

Every major sports team comes into the contest with a scouting report and a plan to win.

These guys did their scouting and executed their plan.

Well done !

Re:Obviously they were just waiting to start

[93+Escort+Wagon]

I think it's pretty clear they had their exploits worked out and ready to go for some time, and were just waiting for the contest to start to unleash them.

I think it's pretty clear this has always been the case in these pwn2own contests, whether the browser is Safari, Internet Explorer, or Chrome. This latest crack just makes it a little more obvious that it's a question of motivation more than anything else - and money is a powerful motivator, probably more so than notoriety (in sufficient quantities, anyway).

Re:Obviously they were just waiting to start

It's pretty obvious how the tone of the first handful of up modded posts differs from when IE or Safari are first down.

Re:Obviously they were just waiting to start

That's because when other browsers are cracked first it shows they are insecure, while when it's Chrome it is only an experimental error.

Re:Obviously they were just waiting to start

I think it's pretty clear this has always been the case in these pwn2own contests, whether the browser is Safari, Internet Explorer, or Chrome. This latest crack just makes it a little more obvious that it's a question of motivation more than anything else - and money is a powerful motivator, probably more so than notoriety (in sufficient quantities, anyway).

And is that such a bad thing? For the white hats, the money's just a bonus.

But $1M is pretty cheap to increase the odds that those who might otherwise be tempted to join the black hats can still gain public recognition, still make some money, and because their hat can remain white, they don't even have to worry about prosecution.

In exchange for the coin, developers get responsible disclosure of lots of bugs (that might have otherwise remained under wraps, or might have been discovered first by black hats) in a controlled environment.

Win-win situation in my books.

Re:Obviously they were just waiting to start

[GameboyRMH]

I'm not gonna lie, with my modest 3rd-world income I'd probably do the same thing for $60k. Giving out these massive prizes at annual competitions could turn out to be a double-edged sword.

Re:Obviously they were just waiting to start

It also illustrates that Chrome's much lauded sandboxing is not a silver bullet for browser security.

There is not and never has been a "silver bullet" for anything much less security. Stop acting surprised.

I mean I could understand it if there ever once was and now you want to have that again. But there never was. There isn't. There's not going to be. There is only hard work and diligence and learning from experience. Stop acting so shocked you dumb fucks! Seriously.

Re:Obviously they were just waiting to start

[haruchai]

You've clearly never read a press release from a software company

Re:Obviously they were just waiting to start

[hairyfeet]

Can someone please explain which OS it was running, which version, any AV, you know, more details than a fricking tweet? I know we don't generally actually READ TFA but hell this might as well have been "Chrome got pwned by a man doing a thing" for all the lack of details!

Now as for Chrome getting hacked well anything CAN be hacked if you have enough of a reason to go after it and i think Google made themselves a nice juicy target on purpose to get the data before any blackhats so kudos to them and the hackers. i know anecdotes aren't data but at least for myself and my customers and family the combo of Comodo Dragon (Chromium based) with either Avast Free or Comodo IS and Win 7 has been pretty much hack AND idiot proof, no small task. Just for shits and giggles i tried to infect a machine I was gonna wipe anyway, threw it at every topsite and crapsite and junksite I could find and...nothing, nada zip zilch. of course that wasn't just Chromium protecting it it also had Win 7 and low rights mode with DEP and ASLR, it had Comodo SecureDNS filtering known malware dumps, it had the sandboxing that is built into Avast and Comodo IS (tried both to make sure and they seem about equal on everything from protection to RAM usage so its more a taste thing or if you need to protect a business as Comodo is free for business use) and finally ABP blocked many of the ads that are the biggest source of malware, at least from what I've seen.

So a little more info would be nice, I'd like to know if there is something I need to tweak in my system or not.

Re:Obviously they were just waiting to start

There is not and never has been a "silver bullet" for anything much less security. Stop acting surprised.

Not true that there are no silver bullets for anything. There are silver bullets for killing werewolves.

Re:Obviously they were just waiting to start

[Runaway1956]

Well, I'm sure that your imagination is insanely powerful.

Re:Obviously they were just waiting to start

[GigaplexNZ]

There is not and never has been a "silver bullet" for anything much less security.

Except, of course, for an actual bullet made of silver.

Re:Obviously they were just waiting to start

[kcbnac]

Then perhaps they need to start doing them more often than yearly? Do them quarterly?

Re:Obviously they were just waiting to start

I wonder if it would be worthwhile for a committer to intentionally introduce a bug (passing code review, of course), then split the bounty with a buddy who enters the competition?

Re:Obviously they were just waiting to start

[rrohbeck]

What, you can't disassemble and grok 60-some MB in 5 minutes? Wimp.

Re:Obviously they were just waiting to start

I'm not sure that I like that, but I guess it gets some vulnerabilities fixed.

More importantly, it's something that anyone can point to to demonstrate that browsers have vulnerabilities and how they work. My idiot co-worker (who's himself supposed to be an IT person) kept telling me up and down that people got infected by malware from browsers ONLY when the user gets tricked into downloading and installing software. He shut the hell up relatively quickly when I pointed him towards pwn2own. Some people are dumb enough, and confident enough in their own knowledge that they'll only believe something if you can readily demonstrate it. You can't fix stupid, only distract it.

Re:Obviously they were just waiting to start

$60k is considerably more than my "1st-world" annual income. I imagine you'd have to be rich or a little goofy not to do that, if the opportunity presents itself.

Re:Obviously they were just waiting to start

[westyvw]

I agree with the post that I want to know what the expoloit was.
However I must say that you sure work hard to try and keep your computer safe from the internetz. Is windows land really that bad that you have to go to all that effort just to feel free to browse the web?

Re:Obviously they were just waiting to start

[genik76]

By "little goofy" you mean honest, I guess.

Re:Obviously they were just waiting to start

[wvmarle]

Of course. Finding exploits takes time and dedication (and possibly luck: looking at the correct piece of the code). Not likely a new exploit is discovered within the competition itself.

Re:Obviously they were just waiting to start

[thunderclap]

Good to know that your rooster is capable of pawing. By the way its pronounced own to own.

Re:Obviously they were just waiting to start

[richtaur]

I think it's pretty clear they had their exploits worked out and ready to go for some time, and were just waiting for the contest to start to unleash them.

Seems like they found a real-life exploit created by the contest. That seems appropriate!

Re:Obviously they were just waiting to start

[eulernet]

This latest crack just makes it a little more obvious that it's a question of motivation more than anything else - and money is a powerful motivator, probably more so than notoriety (in sufficient quantities, anyway).

No, it just proves that when you put enough money, professional crackers are attracted.

There is an article where Charlie Miller (winner of past contests) explains why he won't compete:
https://www.zdnet.com/blog/security/charlie-miller-skipping-pwn2own-as-new-rules-change-hacking-game/10554

On the contrary, I think that money attracts professionals, and discourages all other people, who may have interesting hacks but know that they cannot compete against professionals.
In short, it encourages people who came to win, and discourages people who came to participate.

Re:Obviously they were just waiting to start

[MareLooke]

Which seems to be the same thing in today's world. Sadly.

Re:Obviously they were just waiting to start

[ByOhTek]

Yeah, but it's amazing the number of self proclaimed tech experts I've known who think there are.

"I use a Mac, and have worked in the industry for 40 years, I know it's impossible for me to get a virus."

"I use a Mac and Chrome, I'll never get infected with anything."

"I use Linux, my system is impenetrable."

etc. etc.

I haven't had a malware problem on windows in about 13 years. Some of which I used IE (earlier times), some of which I used Firefox. This is a better record than any of those yutzes. The most important factor has and always will be the gray matter between the users ears.

Re:Obviously they were just waiting to start

no, by "little goofy" he means crazy, look around and you will notice you live in capitalism

Re:Obviously they were just waiting to start

[Goaway]

What's not to like about that? It's the entire point of the contest!

Re:Obviously they were just waiting to start

[RivenAleem]

I don't see how anyone can complain. Either way the vulnerability isn't shared with the public. The only downside I see is that between one security resercher finding the vulnerability, and the demonstration of it at the contest, there's a chance of another less noble person finding the same vulnerability and exploiting it for nefarious reasons.

Re:Obviously they were just waiting to start

One hopes that half of $60k is not enough to risk your job and any future prospect of employment as a developer, to say nothing of the possibility of criminal and civil damages.

Re:Obviously they were just waiting to start

[Zero__Kelvin]

Are you mad man? Didn't you hear!!??? It exposes bugs!

Re:Obviously they were just waiting to start

[Gavagai80]

Ah, so you're the guy this is about. Stop whining and get back to your luxuries while the rest of us make a tiny fraction of your salary.

Re:Obviously they were just waiting to start

[helix2301]

Pwn2Own is one my favorite events it really opens the eyes of the developers and security people pointing out flaws and insecure code. This was well thought out and executed well congrats to the hackers.

Re:Obviously they were just waiting to start

[TheRaven64]

I use a Mac, but the air of condescension surrounding my computer makes malware slink off and attack someone else's computer.

Re:Obviously they were just waiting to start

[hairyfeet]

Uhhh...what's hard? Win 7 updates itself, both Comodo and Avast (I was using Avast but lately I've gone back to Comodo as i like its tougher sandboxing) have silent installers, frankly the entire system takes less than 15 minutes of actual time to install. And once installed its pretty much walk away as everything is automated, no need for input from the user at all. Frankly its one of the easiest systems ever and certainly easier than constantly doing forum hunts when Linux craps on its own drivers during the 6 month upgrade deathmarch.

I've had machines in the field running this system since Win 7 RTM in the hands of users that usually pick up more bugs than a Bangkok whore and so far they haven't been able to infect their machines so i'd say its probably the best 15 minutes I've ever spent hardening a machine. Some shops believe you should do the absolute minimum, let the users easily infect their machines multiple times for the repeat business but I've found word of mouth and referrals makes up for the lack of repeat business and more than that I can sleep well at night knowing I've done the most I can to ensure that the customer's PC stays clean and running well and knock on wood so far a 98% success rate, and you can't really count the one failure as the guy refused to listen to me and promptly uninstalled his AV when it wouldn't let him have "the new limewire" which of course was just a giant trojan package that dropped over 60 pieces of malware on his system. Some times you just can't stop stupid.

Re:Obviously they were just waiting to start

[phoenix_rizzen]

And a can of Coors Light, obviously.

Re:Obviously they were just waiting to start

[atlasdropperofworlds]

You made me lol hard.

I wish all mac owners were like you.

5 minutes?

I guess this means they went in knowing exactly what they were going to do. This means that it has been known for a while which means there could be many more people who know and are exploiting this.

Re:5 minutes?

[v1]

Nobody shows up at one of these contests and cracks their knuckles and starts looking for holes. They always show up with a premade bag of polished and practiced zero-days.

Funny though how they get so much media attention every time this happens OMG safari got owned in six minutes! Chrome got hacked in 5 minutes! They must beg gods! no, not really.

There's really no reason they couldn't be doing this once a month really. I'd wager that the winners this round had 4-6 different exploits in their bag of tricks, and are strategically submitting them.

It would be in google's better interest to hold such contests monthly with smaller prizes. It'd just be paying for bugs, but the way they're doing it here is just moving a lot slower than it really should.

Re:5 minutes?

All the browsers except for IE pay for bug bounties...

It is probably more the fame of winning the event...

Re:5 minutes?

[__aaltlg1547]

And that brings up an even more troubling thought. Are the pwn2own incentives creating a perverse incentive to conceal vulnerabilities?

I think so. If this is how Google will find and fix its flaws, exploiters are basically safe between events.

If you want flaws and exploits identified and fixed fast, pay on a first-to identify basis and never announce what the exploits found were. Just quietly fix them as fast as you can and distribute patches regularly.

Re:5 minutes?

[artor3]

That depends how much they pay. Google, for example, pays the cute but relatively small sum of $3133.70 for the most severe bugs. These Vupen guys could have reported their bugs and pocketed at most ~$6k (maybe less, if Google failed to recognize the severity of the bugs), or they could do as they did, keep the bugs to themselves until Pwn2Own came around, and earn ten times that amount.

I doubt they care so much about the fame. The extra $54k, on the other hand...

Re:5 minutes?

[Brian+Feldman]

You don't understand software. Fixing things quietly is just as good as announcing them for a project that develops in the open.

Re:5 minutes?

[westyvw]

A full Chrome exploit will net you $60,000 from Google. They now have 3 pay ranges and offer substantialy more then they used to. I do think they upped this price after they pulled out of pwn2own in February.

Re:5 minutes?

[St.Creed]

I never knew that until a friend tried to deal with them on changes to the Android API's (he works for a VERY large company and they needed extra abilities). They didn't even deign to reply.

Nokia, Microsoft and Apple not only provided helpful assistance but actively invested to get his solution on their platform. Big difference. Google is going to shoot itself in the foot with that "If you don't work here, you're stupid and can't be taken serious" attitude.

Re:5 minutes?

[Krneki]

That depends how much they pay. Google, for example, pays the cute but relatively small sum of $3133.70 for the most severe bugs. These Vupen guys could have reported their bugs and pocketed at most ~$6k (maybe less, if Google failed to recognize the severity of the bugs), or they could do as they did, keep the bugs to themselves until Pwn2Own came around, and earn ten times that amount.

I doubt they care so much about the fame. The extra $54k, on the other hand...

I fear that the black market pays more for this 0-day exploits.

You always could google pwn2own...

...now it seems you can also pwn2own google!

Re:You always could google pwn2own...

[Torodung]

You forgot "In Soviet Russia..."

Re:You always could google pwn2own...

[allo]

Soviet Russia forgot him!

Re:You always could google pwn2own...

[tomofumi]

google pwns YOU!!

Why even mention the time?

This isn't Swordfish. They had plenty of time to prepare their attack.

It's impressive they exploited Chrome. But the preparation took more than 5 minutes.

Re:Why even mention the time?

[Brad1138]

You mean they weren't getting BJ's as they hacked Chrome? What kind of contest is this anyway?

Re:Why even mention the time?

[binarylarry]

It's not called pwn2groan!

Re:Why even mention the time?

[Billlagr]

pwn2blown! In under 5 minutes no less

Re:Why even mention the time?

[geminidomino]

That comment, on the other hand, would have won if it was.

I cringed a little, too.

Re:Why even mention the time?

[mikael_j]

Well, every year when Safari was the first browser to be targeted and thus also the first to be broken the fandroids and the anti-Apple crowds would scream on and on about how this proved Safari was the shittiest browser in existence and by extension Apple was a horrible horrible company.

I guess it's Google's turn this year.

And no, I don't use Safari, I just find it interesting that when previous stories like this have been about Safari the first dozen or so posts weren't about how the reporting was biased...

Re:Why even mention the time?

[makomk]

Except in this case Google Chrome's being targeted because Google themselves are offering particularly generous payments to hack it, whereas Safari was a favourite target in prior years because according to the contestants it was the easiest to find and exploit holes in.

still more cost effective

[Bananasdoom]

Handing out 2mill of prize money is still more cost effective that standard R&D, you get more professionals testing it for the chance of wining some prize money than Google could ever employ and the people they chose not to employ.

Re:still more cost effective

[__aaltlg1547]

No it's not. It's Ann incentive to create and CONCEAL cracks while drawing attention to Ans glorifying crackers.

Re:still more cost effective

[Ambiguous+Coward]

I'm dying to know what (assumedly mobile) OS is autocorrecting you An this way. :)

Re:still more cost effective

[gweihir]

Unfortunately, wrong. First, you get only as much of their vulnerability stock that they need to maximize their profit. Then, you do only get what was easiest to find for them. A real security review looks at architecture, design, coding style and other things as well, which are completely absent at these competitions.

Basically, this is a show with very little actual security benefits.

Re:still more cost effective

[westyvw]

Shirley the next name I am going to use in my next kids book will be Ann Incentive. I can see her leading the way.

Conflated competitions?

The posting says that one of the teams in Pwn2Own will win at least USD 60K from Google. But Google aren't putting up any Pwn2Own prize money. Last I heard Google are running their own competition with different rules. The participants in Pwn2Own may well not enter the Google competition because their exploit (if it escapes the sandbox) will be worth much more than USD 60K. My understanding is that the Pwn2Own entrants are not required to reveal their sandbox exploits before receiving the prize money because sandbox exploits are worth much more than the prize money that is available while Google will require full disclosure before handing over their money.

Re:Conflated competitions?

The Pwn2Own twitter account actually talks quite a bit about this.

Additionally, it appears that Vupen has already announced they won't be participating in Google's competition.

Re:Conflated competitions?

[deroby]

So basically they simply announced that they have found a way to work around chrome's security system; won a competition doing so (including fame & prize money) bringing them lots of media coverage (read: free advertising). And now they simply have to wait for some 'clients' to come up with more than 60k for its source, I'm sure their address is on the pown2own website.

Seriously, they might just as well put it on ebay if you think about it, opening bid of 59.999$.

How does this go

[eyenot]

I haven't used Chrome for months. It was behaving errratically and made me nervous during a yime I was looking for a secure browser out of immediate necessity. I eventually managed to use an old version of firefox portable that settled things. I forgot pwn2own was even happening by the time I noticed Chrome zipped in my archives folder and deleted it as useless just two days ago.

But this stuff has me wondering: suppose this goes on and Chrome eventually has all of the exploits worked out of it. A theoretical possibility. Suppose, then, that some new features are requested. Now it seems to me that if I recall correctly, every time revisions are made to software, new exploits appear. This leads me to my first question: what is getting screwed up, learned, forgotten then screwed up again in the coding process that this always seems to be the case?

My second question is, by extension of the first, what are the major weaknesses of browsers? Their implementation of a half-finished "standard" like dHTML? The coders borrowing classes or libraries that would introduce flaw.X to any programmers including them or using them with the program? Programmers being clumsy and trying to force data types to do things they aren't meant to like fit four bytes through an argument that's two bytes wide, and instead of backtracking both directions and setting them both to te same width in planning, just over-riding some compiler warning and supressing runtime halts and sending it to market?

Re:How does this go

All code libraries etc makes assumptions about what sorts of data they will handle. The problem is that these browsers (and all software larger than Hello World) is so complicate that it is impossible for a developer to anticipate every interaction and use every api exactly as it was intended in all possible cases. In essence in order for there to be no exploits introduced when a new feature is added, that feature and every possible interaction of that feature with every other feature must be vetted.
Saying you want no exploits in a large piece of software is equivalent to saying that you want an incredibly complex system to be constructed perfectly the very first time. This is not feasible to do at the rate that users want new features and at the rate that new more efficient hardware and algorithms are invented/discovered. Bugs can be * incredibly* subtle and may only trigger under very very specific circumstances, they can persist for years/decades with no one ever finding them.

I use Chromium

[cpu6502]

It doesn't have any of those annoying Google spying/tracing code built-in.

Re:I use Chromium

[cpu6502]

Modded Troll??? Why? I was stating a truth (I don't use Google Chrome; I use the open source chromium).

Chromium LINK - http://www.softpedia.com/get/PORTABLE-SOFTWARE/Internet/Browsers/Portable-Google-Chrome-Chromium.shtml

Re:I use Chromium

Oh come on, we all know Google is perfect and can do no wrong and anyone that says anything negative against them is clearly a paid shill.

Re:I use Chromium

[Calos]

Yeah, that truth, that's not why people were modding your post. I think you know that.

And people are probably modding it troll because most of us haven't seen any legitimate proof of these claims. Most of us see a fair amount to the contrary.

By all means, if you know something and can show it or have some links with substantiated evidence - please post them, so people can make the choice to switch if they desire.

Otherwise, all you're doing is raising the noise floor. And moderators are seeking to lower it.

Re:I use Chromium

[causality]

Modded Troll??? Why? I was stating a truth (I don't use Google Chrome; I use the open source chromium).

Chromium LINK - http://www.softpedia.com/get/PORTABLE-SOFTWARE/Internet/Browsers/Portable-Google-Chrome-Chromium.shtml

The one time the Slashdot groupthink is actually against Open Source code and privacy and software freedom ... is when it makes a statement against Google.

Since this particular statement cuts to the core of how Google makes its money, namely through acquiring marketing data from mostly hapless and unsuspecting users who have no idea how much information they are "contributing", and wouldn't if they did, it's too fundamental of a comment to be tolerated by the fanboys.

So you're being punished by the more impotent and bed-wetting type of mods for telling the truth. That's a badge of honor.

I mean, it's not like they were going to take you on with facts and explain why you're completely mistaken. They can't. So, like all other cowards, they lash out the only way they can. That's all. Nothing hard to understand about it.

Re:I use Chromium

[Daniel+Phillips]

Googlers should know that expressing disagreement via mod points is not Googly. Or is it now?

Oh right, I forgot, the "don't be evil" already left the building.

Re:I use Chromium

[cpu6502]

If you haven't seen the reports of Google tracking users, even to the point of hacking Apple Safari and Microsoft Explorer's "private" modes to track them, then you have not been paying attention. It's common knowledge now among tech professionals.

Re:I use Chromium

[Calos]

If it's such common knowledge, surely it will be easy for you to provide a credible link. You could have provided several in the time it took you to write a snarky, arrogant reply. But you didn't.

No, I will not accept your appeal to your ethos and authority as a valid argument.

Because the truth is - I don't ask because I'm wholly ignorant on the subject. I actually pay pretty close attention to this kind of thing. I know there are privacy concerns with Chrome, but I also know that the things that were concerning have been removed, and that you can opt-out of most everything else. Anecdotally, I know I have never seen anything suspicious show up in a packet sniffer, or any unusual connections in my Privoxy logs.

Wikipedia has a decent, and decently sourced, summary (and yes, it's Wiki, and yes, I'm cringing suggesting anyone look for information there). However, Wiki, being the fount of "common knowledge" that it is, and haunted by all kinds of spooks, it's a good rebuttal to your "common knowledge" claim. Not that "common knowledge" means anything anyway.

Google's PHD Coders???

[BoRegardless]

Tell me that Google couldn't do a better job than that.
5 minutes? What sort of coding knowledge does Google have anyway.

Re:Google's PHD Coders???

[Daniel+Phillips]

Tell me that Google couldn't do a better job than that.
5 minutes? What sort of coding knowledge does Google have anyway.

Not as much as the combined wisdom of the community, a fact that permeates slowly through some of the thicker skulls in the land of Oz.

Re:Google's PHD Coders???

[gweihir]

The time is completely irrelevant. These are pre-packaged exploits that run as fast as possible.

Re:Google's PHD Coders???

I think saying it's "the combined wisdom of the community" is correct but misleading. Google employees have to implement X number of features in Y time while trying to make everything perfect, while hackers' time is limited only by themselves and their task is simply to find imperfections while doing work whose quality only has to be good enough to not fail on its own. I believe Google isn't nearly as bad as Apple in how hard it drives its employees into the ground with unrealistic time frames, but even so it's reasonable assume that the quality of work is at least slightly compromised while having a much higher burden of quality than the work of people looking for exploits. (I am, of course, not addressing whatever in-house hackers Google has, since I don't even know if they exist. If they do, then of course they failed in comparison with the people who found the exploits.)

Exploits will happen no matter how much time you give your developers.

Think about all the code in a web browser. Parsers for HTML, XML, Javascript, CSS, SGML, etc. Image and video decoders for a dozen formats. Software of that complexity will have bugs. If it is performant, it is written in a language where some of those bugs are exploitable.

If you don't understand why this is hard, try it yourself. Go read the source of a library that decodes an image format, such as libpng or libjpeg-turbo. How long would you have to look at it to be 100% sure it is bug-free?

Chrome's sandbox is a great way to mitigate some of the risk of exploits in the renderer, but the sandbox is a complex beast. The API windows provides for this is SACLs and DACLs on kernel objects, but not all interesting objects enforce the limitations they need. For example, drawing requires HWNDs, and HWNDs under a single desktop object can not be isolated using DACLs. They have to do some heroically complex things to make isolation work. Complex code written against an API not designed to do what they need will have bugs.

The arrogance of some comments here is amazing. Chrome's sandbox team has dramatically raised the bar for browser security. It was done in a general way, and open sourced, so that others could use it. Making snarky comments about this work because a bug was found is silly. Think this stuff is easy? Write a patch for a real bug and I will consider the possibility that you are right.

As an analogy, suppose that a bug in the Linux kernel allowed a process to modify the private memory of another process. Would you conclude that Linux developers are stupid, lazy, or under time pressure from their employer? Would you make snarky comments about how, with bugs like this, UNIX style memory protection is useless, and the DOS/Mac OS 9 style memory management (where every process can read/write every other process's memory) is clearly just as good?

Re:Google's PHD Coders???

[ais523]

Well, it's probably an indication of whether the exploit is deterministic or probabilistic (probabilistic exploits will need more tries on average before they work). Also, if it's a buffer overflow, the size of the buffer it's overflowing (if it needs a lot of data to overflow, the browser will take a while to download it).

Not a good indicator of how difficult the exploit was to find, though.

Re:Google's PHD Coders???

[gweihir]

Indeed. A very simple to find one with a large random component could run forever, while a really hard to find one may simply change one flag by buffer overflow in a microsecond.

Re:Google's PHD Coders???

[AvitarX]

Are you kidding? Chrome makes them millions in saved search royaltys to Mozilla, and profits millions in ad revenue from dinged Ms market share (going to them without paying Mozilla).

Re:Google's PHD Coders???

[Tim+C]

They didn't hack/crack Chrome in 5 minutes, they turned up with a pre-tested bag of tricks and took 5 minutes to run them.

Re:I like competitions with prizes

[TWX]

Essentially. Not broke per se, just not multibillionaires.

Yo Dawg I heard you liked sandboxes

[flappinbooger]

So I run chrome inside of a sandbox so I can be sandboxed while Chrome's sandbox is being hacked.

Nice salary

[Daniel+Phillips]

That's $12 million/hour, more than Larry and Sergey combined :-)

Re:Nice salary

[viperidaenz]

I get paid $26 million/hour. If I only look at the 1 second it takes for my pay to appear in my account every fortnight.

Nice Linking

[rudy_wayne]

5 minutes into the Pwn2Own cracking contest team Vupen exploited 2 Chrome bugs to demonstrate a total break of Google's browser.

Thanks for linking to a complete useless, pointless and content-free Twitter post.

Re:Nice Linking

[Voyager529]

Thanks for linking to a complete useless, pointless and content-free Twitter post.

I thought redundancy was picked up by the lameness filter.

details on the exploit?

[xandroid]

Are there any details on the exploit beyond "Code execution and sandbox escape (medium integrity process resulted)"?

Awarding this the most apologetic post of the day

saying "I know anecdotes aren't date" followed by "but insert anecdote here" doesn't excuse you from confirmation bias. There is no evidence presented by you that your practises wouldn't keep you just as safe with Opera or Gecko-based browsers.

A Market for Bugs?

[BenJCarter]

What if Google set up a market protocol to buy Chrome bugs? $1k each, with strict disclosure and delivery terms. We might just deplete the entire Chinese exploit arsenal in 3 months... Or at least boost the knowledge-base of Chrome using CS students everywhere.

Re:Kudos to Google

[Pi+Is+A+Rational]

:D

Yes you can break it. Can you build it?

[russbutton]

For all the bad dudes out there who can do this, remember that it's a lot easier to break something than to build it.

Re:But what very did they try to exploit?

[anubi]

I just saw some stuff on youtube that, well for me, was quite scary.

http://www.youtube.com/watch?v=fxri6DDYAdM

It was about dangerous sites on the internet. Youtube has lots of links to other similar postings.

A question for fellow slashdotters... how much truth is in this? Or are they playing games with me to scare the hell out of me?

Comments invited.

Re:But what very did they try to exploit?

[Billly+Gates]

Common sense. With 100 million users there are many bad sites and these are not games. It is a dangerous place.

Yes there are many bad websites and legit ones that have been compromised with ads or hacked to serve javascript exploits. Wordpress seems to be a popular legit series of sites that hackers keep injecting bad ads and malware to infect users who browse.

Go Google Norton Safe web and click the top 10? It changes everyday.

If you are really freaked out use an anti virus package that has cloud updates that blocklists bad sites and prevents them from opening. Avast Free is a popular one which updates every 8 minutes and blocks any browser. Commodo Dragon is a Chromium/Chrome based browser that has built in website blocking from bad domains as they make Commodo IS (haven't used it but has good ratings, though slows down your computer).

If you go to www.openDNS.com you can use the IP addresses in your DNS settings and it will provide filtering too (not as quick to block as other AV products I listed above).

Use a great Anti Virus product and do not got wierd unknown sites. Do not listen to the slashdot geeks who claim you do not need AV products and that they are not infected. 90% are and all it takes is one bad or flash exploit ... keep flash up to date too by going to Adobe or www.filehippo.com. The new one will auto update. Good luck keeping secure

Won't help

[dutchwhizzman]

The whole concept of PWNing is that someone comes up with a way to circumvent the security built into that system. Sure, multiple layers like you describe will hopefully catch the intruder at some other point, where they try to do something that triggers an alarm. However, there is nothing you can do against zero-day vulnerabilities, other than multilayer your security and set up proper alerting.

People smart enough to find a zero day in a common and well tested browser, tend to be smart enough to write "payload code" that will not be detected by your virus scanner as well. Most likely, they will disable your local (windows) firewall (the payload would have to be OS specific anyway) and get the information they are after back to themselves some way.

Like others already said, you won't get to hear details on how they got through until after the patch has been rolled out and you can download a fixed version. If you want to learn how to defend yourself against zero-days in general, read what the leak was, do that for as many other zero-day vulnerabilities as you can spend time on and come up with generic defenses that will help against as much of those as possible. Just concentrating on this one won't do you any good.

no benefits?

[dutchwhizzman]

sixty thousand clones of George Washington disagree with you on that.

Re:Does this exploit sandbox in other programs

[Goaway]

What's "funny" about five minutes? The point of the competition is that you show up with your exploit, and run it. Five minutes is a pretty long time to do that in.

Re:Yes you can break it. Can you build it?

[ledow]

But breaking something in a way that no-one has ever done before is a lot HARDER than either.

No shit, Sherlock

[smooth+wombat]

It also illustrates that Chrome's much lauded sandboxing is not a silver bullet for browser security."

When I made a comment a few weeks back that the fact that Chrome could be installed without admin privileges is a huge security hole, I was told by the "experts" on here that because Chrome was sandboxed, my comment was completely without merit.

Repeat after me: there is no such thing as a secure application. Given enough time, someone, somewhere, will find a way to circumvent any security you may have in your software.

So yeah, fuckers, allowing Chrome to be installed without admin privileges IS a gaping security hole waiting to happen. And here it is.

Re:Does this exploit sandbox in other programs

[TheRaven64]

And, another question: Which sandbox did it exploit? Chromium has a chroot-based sandbox, an SELinux sandbox, a Capsicum sandbox, and a Windows sandbox and a Mac sandbox. Was the compromise something specific to one of these implementations, or was it in the platform-agnostic code?

Re:OP - here's WHY you were "down-modded"

[TheVelvetFlamebait]

I state that, because a good 90% of the fools around here don't know a DAMNED THING about computing other than @ user level

That's probably because it's news for nerds, not news for computer engineers. The days when there was a natural bias on the internet towards computer geeks is over. Nerds on the internet come in all flavours now.

Re:Does this exploit sandbox in other programs

[V+for+Vendetta]

The point of the competition is that you show up with your exploit, and run it.

This article linked in another post above disagrees:

Miller, a Pwn2Own regular who makes headlines every year for his work breaking into fully patched Mac OS X machines, says he is skipping the contest this year because of the new rules that require on-the-spot writing of exploits.

Chrome on Windows Hacked In 5 Minutes

[dgharmon]

Corrected headline .. :)

Obligatory

[cmburns69]

"I'm gonna write myself a new minivan this afternoon!"

http://dilbert.com/strips/comic/1995-11-13/

Also:

http://thedailywtf.com/Comments/The-Defect-Black-Market.aspx

Chrome exploited with 0day in 5 minutes

[jmerlin]

Actual corrected headline. Please stop with the sensationalist headlines about hacking. The only number that matters is how long it took to find the exploits and to package them into an attack vector versus the reward from Google.

There are virtually no applications that will survive for more than a few minutes against a 0day when the attacker is given sufficient capability to execute an attack.

Re:Does this exploit sandbox in other programs

[Goaway]

Well, that would explain why it took so long, if he had to type it out from memory.

Re:Does this exploit sandbox in other programs

[Harik]

If only there were a -1 WRONG button.

That's for Pwn2Own, which google is also not particpating in. Pwnium (what this is about) allows pre-written exploits.