Chrome Hacked In 5 Minutes At Pwn2Own

Skuto writes "After offering a total prize fund of up to $1M for a successful Chrome hack, it seems Google got what it wanted (or not!). No more than 5 minutes into the Pwn2Own cracking contest team Vupen exploited 2 Chrome bugs to demonstrate a total break of Google's browser. They will win at least 60k USD out of Google's prize fund, as well as taking a strong option on winning the overall Pwn2Own prize. It also illustrates that Chrome's much lauded sandboxing is not a silver bullet for browser security."


  1. Obviously they were just waiting to start by msobkow · · Score: 5, Interesting

    I think it's pretty clear they had their exploits worked out and ready to go for some time, and were just waiting for the contest to start to unleash them.

    Still, kudos on what has to be almost world-record-time penetration of a "secure" system.

    --
    I do not fail; I succeed at finding out what does not work.
    1. Re:Obviously they were just waiting to start by SpanglerIsAGod · · Score: 5, Informative

      I think that's how most of the successful hacks have been going in this contest. Someone finds a few vulnerabilities, hoards them until the contest, and then goes public with them.

      I'm not sure that I like that, but I guess it gets some vulnerabilities fixed.

      --
      War doesn't show who is right - just who is left.
    2. Re:Obviously they were just waiting to start by Anonymous Coward · · Score: 5, Insightful

      I think all of the Pwn2Own exploits are discovered beforehand and then shown at this event. They could report it and get sued... or they could hold on to it, hope it's not patched out or publicized, and grab money and swag.

    3. Re:Obviously they were just waiting to start by Anonymous Coward · · Score: 3, Insightful

      Every major sports team comes into the contest with a scouting report and a plan to win.

      These guys did their scouting and executed their plan.

      Well done !

    4. Re:Obviously they were just waiting to start by 93+Escort+Wagon · · Score: 5, Insightful

      I think it's pretty clear they had their exploits worked out and ready to go for some time, and were just waiting for the contest to start to unleash them.

      I think it's pretty clear this has always been the case in these pwn2own contests, whether the browser is Safari, Internet Explorer, or Chrome. This latest crack just makes it a little more obvious that it's a question of motivation more than anything else - and money is a powerful motivator, probably more so than notoriety (in sufficient quantities, anyway).

      --
      #DeleteChrome
    5. Re:Obviously they were just waiting to start by Anonymous Coward · · Score: 2, Insightful

      It's pretty obvious how the tone of the first handful of up modded posts differs from when IE or Safari are first down.

    6. Re:Obviously they were just waiting to start by Anonymous Coward · · Score: 5, Funny

      That's because when other browsers are cracked first it shows they are insecure, while when it's Chrome it is only an experimental error.

    7. Re:Obviously they were just waiting to start by Anonymous Coward · · Score: 5, Insightful

      I think it's pretty clear this has always been the case in these pwn2own contests, whether the browser is Safari, Internet Explorer, or Chrome. This latest crack just makes it a little more obvious that it's a question of motivation more than anything else - and money is a powerful motivator, probably more so than notoriety (in sufficient quantities, anyway).

      And is that such a bad thing? For the white hats, the money's just a bonus.

      But $1M is pretty cheap to increase the odds that those who might otherwise be tempted to join the black hats can still gain public recognition, still make some money, and because their hat can remain white, they don't even have to worry about prosecution.

      In exchange for the coin, developers get responsible disclosure of lots of bugs (that might have otherwise remained under wraps, or might have been discovered first by black hats) in a controlled environment.

      Win-win situation in my books.

    8. Re:Obviously they were just waiting to start by GameboyRMH · · Score: 5, Interesting

      I'm not gonna lie, with my modest 3rd-world income I'd probably do the same thing for $60k. Giving out these massive prizes at annual competitions could turn out to be a double-edged sword.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    9. Re:Obviously they were just waiting to start by Anonymous Coward · · Score: 2, Interesting

      It also illustrates that Chrome's much lauded sandboxing is not a silver bullet for browser security.

      There is not and never has been a "silver bullet" for anything much less security. Stop acting surprised.

      I mean I could understand it if there ever once was and now you want to have that again. But there never was. There isn't. There's not going to be. There is only hard work and diligence and learning from experience. Stop acting so shocked you dumb fucks! Seriously.

    10. Re:Obviously they were just waiting to start by haruchai · · Score: 4, Funny

      You've clearly never read a press release from a software company

      --
      Pain is merely failure leaving the body
    11. Re:Obviously they were just waiting to start by hairyfeet · · Score: 3, Insightful

      Can someone please explain which OS it was running, which version, any AV, you know, more details than a fricking tweet? I know we don't generally actually READ TFA but hell this might as well have been "Chrome got pwned by a man doing a thing" for all the lack of details!

      Now as for Chrome getting hacked, well, anything CAN be hacked if you have enough of a reason to go after it, and I think Google made themselves a nice juicy target on purpose to get the data before any blackhats, so kudos to them and the hackers. I know anecdotes aren't data, but at least for myself and my customers and family the combo of Comodo Dragon (Chromium based) with either Avast Free or Comodo IS and Win 7 has been pretty much hack AND idiot proof, no small task. Just for shits and giggles I tried to infect a machine I was gonna wipe anyway, threw it at every topsite and crapsite and junksite I could find and... nothing, nada, zip, zilch. Of course that wasn't just Chromium protecting it; it also had Win 7 and low rights mode with DEP and ASLR, it had Comodo SecureDNS filtering known malware dumps, it had the sandboxing that is built into Avast and Comodo IS (tried both to make sure and they seem about equal on everything from protection to RAM usage, so it's more a taste thing, or if you need to protect a business, as Comodo is free for business use), and finally ABP blocked many of the ads that are the biggest source of malware, at least from what I've seen.

      So a little more info would be nice, I'd like to know if there is something I need to tweak in my system or not.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    12. Re:Obviously they were just waiting to start by Anonymous Coward · · Score: 3, Funny

      There is not and never has been a "silver bullet" for anything much less security. Stop acting surprised.

      Not true that there are no silver bullets for anything. There are silver bullets for killing werewolves.

    13. Re:Obviously they were just waiting to start by GigaplexNZ · · Score: 4, Funny

      There is not and never has been a "silver bullet" for anything much less security.

      Except, of course, for an actual bullet made of silver.

    14. Re:Obviously they were just waiting to start by kcbnac · · Score: 4, Insightful

      Then perhaps they need to start doing them more often than yearly? Do them quarterly?

    15. Re:Obviously they were just waiting to start by Anonymous Coward · · Score: 5, Interesting

      I wonder if it would be worthwhile for a committer to intentionally introduce a bug (passing code review, of course), then split the bounty with a buddy who enters the competition?

    16. Re:Obviously they were just waiting to start by rrohbeck · · Score: 2

      What, you can't disassemble and grok 60-some MB in 5 minutes? Wimp.

    17. Re:Obviously they were just waiting to start by Anonymous Coward · · Score: 3, Interesting

      $60k is considerably more than my "1st-world" annual income. I imagine you'd have to be rich or a little goofy not to do that, if the opportunity presents itself.

    18. Re:Obviously they were just waiting to start by eulernet · · Score: 4, Insightful

      This latest crack just makes it a little more obvious that it's a question of motivation more than anything else - and money is a powerful motivator, probably more so than notoriety (in sufficient quantities, anyway).

      No, it just proves that when you put enough money, professional crackers are attracted.

      There is an article where Charlie Miller (winner of past contests) explains why he won't compete:
      https://www.zdnet.com/blog/security/charlie-miller-skipping-pwn2own-as-new-rules-change-hacking-game/10554

      On the contrary, I think that money attracts professionals, and discourages all other people, who may have interesting hacks but know that they cannot compete against professionals.
      In short, it encourages people who came to win, and discourages people who came to participate.

    19. Re:Obviously they were just waiting to start by Zero__Kelvin · · Score: 4, Funny

      Are you mad, man? Didn't you hear!!??? It exposes bugs!

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    20. Re:Obviously they were just waiting to start by Gavagai80 · · Score: 4, Funny

      Ah, so you're the guy this is about. Stop whining and get back to your luxuries while the rest of us make a tiny fraction of your salary.

      --
      This space intentionally left blank
    21. Re:Obviously they were just waiting to start by TheRaven64 · · Score: 3, Funny

      I use a Mac, but the air of condescension surrounding my computer makes malware slink off and attack someone else's computer.

      --
      I am TheRaven on Soylent News
    22. Re:Obviously they were just waiting to start by hairyfeet · · Score: 2

      Uhhh... what's hard? Win 7 updates itself, both Comodo and Avast (I was using Avast but lately I've gone back to Comodo as I like its tougher sandboxing) have silent installers; frankly the entire system takes less than 15 minutes of actual time to install. And once installed it's pretty much walk away, as everything is automated, no need for input from the user at all. Frankly it's one of the easiest systems ever and certainly easier than constantly doing forum hunts when Linux craps on its own drivers during the 6 month upgrade deathmarch.

      I've had machines in the field running this system since Win 7 RTM in the hands of users that usually pick up more bugs than a Bangkok whore, and so far they haven't been able to infect their machines, so I'd say it's probably the best 15 minutes I've ever spent hardening a machine. Some shops believe you should do the absolute minimum, let the users easily infect their machines multiple times for the repeat business, but I've found word of mouth and referrals make up for the lack of repeat business, and more than that I can sleep well at night knowing I've done the most I can to ensure that the customer's PC stays clean and running well. Knock on wood, so far a 98% success rate, and you can't really count the one failure as the guy refused to listen to me and promptly uninstalled his AV when it wouldn't let him have "the new limewire", which of course was just a giant trojan package that dropped over 60 pieces of malware on his system. Sometimes you just can't stop stupid.

      --
      ACs don't waste your time replying, your posts are never seen by me.
  2. 5 minutes? by Anonymous Coward · · Score: 4, Insightful

    I guess this means they went in knowing exactly what they were going to do. This means that it has been known for a while which means there could be many more people who know and are exploiting this.

    1. Re:5 minutes? by v1 · · Score: 5, Insightful

      Nobody shows up at one of these contests and cracks their knuckles and starts looking for holes. They always show up with a premade bag of polished and practiced zero-days.

      Funny though how they get so much media attention every time this happens. OMG, Safari got owned in six minutes! Chrome got hacked in 5 minutes! They must be gods! No, not really.

      There's really no reason they couldn't be doing this once a month. I'd wager that the winners this round had 4-6 different exploits in their bag of tricks, and are strategically submitting them.

      It would be in google's better interest to hold such contests monthly with smaller prizes. It'd just be paying for bugs, but the way they're doing it here is just moving a lot slower than it really should.

      --
      I work for the Department of Redundancy Department.
    2. Re:5 minutes? by Anonymous Coward · · Score: 3, Interesting

      All the browsers except for IE pay for bug bounties...

      It is probably more the fame of winning the event...

    3. Re:5 minutes? by __aaltlg1547 · · Score: 4, Insightful

      And that brings up an even more troubling thought. Are the pwn2own incentives creating a perverse incentive to conceal vulnerabilities?

      I think so. If this is how Google will find and fix its flaws, exploiters are basically safe between events.

      If you want flaws and exploits identified and fixed fast, pay on a first-to-identify basis and never announce what the exploits found were. Just quietly fix them as fast as you can and distribute patches regularly.

    4. Re:5 minutes? by artor3 · · Score: 4, Insightful

      That depends how much they pay. Google, for example, pays the cute but relatively small sum of $3133.70 for the most severe bugs. These Vupen guys could have reported their bugs and pocketed at most ~$6k (maybe less, if Google failed to recognize the severity of the bugs), or they could do as they did, keep the bugs to themselves until Pwn2Own came around, and earn ten times that amount.

      I doubt they care so much about the fame. The extra $54k, on the other hand...

  3. Why even mention the time? by Anonymous Coward · · Score: 5, Insightful

    This isn't Swordfish. They had plenty of time to prepare their attack.

    It's impressive they exploited Chrome. But the preparation took more than 5 minutes.

    1. Re:Why even mention the time? by Brad1138 · · Score: 4, Funny

      You mean they weren't getting BJ's as they hacked Chrome? What kind of contest is this anyway?

      --
      If you could reason with religious people, there would be no religious people
    2. Re:Why even mention the time? by binarylarry · · Score: 5, Funny

      It's not called pwn2groan!

      --
      Mod me down, my New Earth Global Warmingist friends!
    3. Re:Why even mention the time? by Billlagr · · Score: 2

      pwn2blown! In under 5 minutes no less

    4. Re:Why even mention the time? by mikael_j · · Score: 2, Insightful

      Well, every year when Safari was the first browser to be targeted and thus also the first to be broken the fandroids and the anti-Apple crowds would scream on and on about how this proved Safari was the shittiest browser in existence and by extension Apple was a horrible horrible company.

      I guess it's Google's turn this year.

      And no, I don't use Safari, I just find it interesting that when previous stories like this have been about Safari the first dozen or so posts weren't about how the reporting was biased...

      --
      Greylisting is to SMTP as NAT is to IPv4
  4. Re:You always could google pwn2own... by Torodung · · Score: 2

    You forgot "In Soviet Russia..."

  5. still more cost effective by Bananasdoom · · Score: 5, Insightful

    Handing out 2 million in prize money is still more cost effective than standard R&D; you get more professionals testing it for the chance of winning some prize money than Google could ever employ, including the people they chose not to employ.

    1. Re:still more cost effective by __aaltlg1547 · · Score: 2

      No it's not. It's Ann incentive to create and CONCEAL cracks while drawing attention to Ans glorifying crackers.

    2. Re:still more cost effective by Ambiguous+Coward · · Score: 2

      I'm dying to know what (assumedly mobile) OS is autocorrecting you An this way. :)

      --
      Their may be a grammatical error, misspeling, or evn a typo in this post.
    3. Re:still more cost effective by gweihir · · Score: 3, Interesting

      Unfortunately, wrong. First, you get only as much of their vulnerability stock that they need to maximize their profit. Then, you do only get what was easiest to find for them. A real security review looks at architecture, design, coding style and other things as well, which are completely absent at these competitions.

      Basically, this is a show with very little actual security benefits.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    4. Re:still more cost effective by westyvw · · Score: 2

      Shirley the next name I am going to use in my next kids book will be Ann Incentive. I can see her leading the way.

  6. Conflated competitions? by Anonymous Coward · · Score: 5, Interesting

    The posting says that one of the teams in Pwn2Own will win at least USD 60K from Google. But Google aren't putting up any Pwn2Own prize money. Last I heard Google are running their own competition with different rules. The participants in Pwn2Own may well not enter the Google competition because their exploit (if it escapes the sandbox) will be worth much more than USD 60K. My understanding is that the Pwn2Own entrants are not required to reveal their sandbox exploits before receiving the prize money because sandbox exploits are worth much more than the prize money that is available while Google will require full disclosure before handing over their money.

    1. Re:Conflated competitions? by Anonymous Coward · · Score: 5, Informative

      The Pwn2Own twitter account actually talks quite a bit about this.

      Additionally, it appears that Vupen has already announced they won't be participating in Google's competition.

  7. How does this go by eyenot · · Score: 2

    I haven't used Chrome for months. It was behaving erratically and made me nervous during a time I was looking for a secure browser out of immediate necessity. I eventually managed to use an old version of Firefox Portable that settled things. I forgot Pwn2Own was even happening by the time I noticed Chrome zipped in my archives folder and deleted it as useless just two days ago.

    But this stuff has me wondering: suppose this goes on and Chrome eventually has all of the exploits worked out of it. A theoretical possibility. Suppose, then, that some new features are requested. Now it seems to me that if I recall correctly, every time revisions are made to software, new exploits appear. This leads me to my first question: what is getting screwed up, learned, forgotten then screwed up again in the coding process that this always seems to be the case?

    My second question is, by extension of the first, what are the major weaknesses of browsers? Their implementation of a half-finished "standard" like dHTML? The coders borrowing classes or libraries that would introduce flaw.X to any program including them or using them? Programmers being clumsy and trying to force data types to do things they aren't meant to, like fit four bytes through an argument that's two bytes wide, and instead of backtracking both directions and setting them both to the same width in planning, just overriding some compiler warning and suppressing runtime halts and sending it to market?

    --
    "Stratigraphically the origin of agriculture and thermonuclear destruction will appear essentially simultaneous" -- Lee
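The "four bytes through a two-byte argument" case that eyenot asks about above, in working C, as an added example; this is not code from the thread, from Chrome or from any browser. The frame format (a 4-byte big-endian length followed by payload), the FRAME_MAX buffer size and all function names are hypothetical. The vulnerable variant does the bounds check on the narrowed copy of the length and then uses the original length for the copy; the hardened variant checks in the width of the untrusted value before narrowing. The narrowing is written as an implicit assignment so that gcc/clang -Wconversion report it, which is the warning the comment describes being waved through. Neither function performs the memcpy, so the demo is safe to run; each returns the number of bytes the real code would have copied.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define FRAME_MAX 4096u   /* hypothetical receive buffer size (assumption) */

/* Vulnerable: the wire length is 32 bits, but the parser keeps it in a
 * 16-bit field.  The bounds check runs on the narrowed copy, so a length of
 * 65536 + n passes as n, while the copy below uses the full 32-bit value.
 * Returns the byte count the copy would use, or 0 if the frame is rejected. */
size_t vuln_copy_len(uint32_t wire_len)
{
    uint16_t len = wire_len;          /* -Wconversion: may change value */
    if (len > FRAME_MAX)
        return 0;                     /* check passes for 0x00010010 -> 0x0010 */
    return wire_len;                  /* ...but memcpy(buf, p, wire_len) would run */
}

/* Hardened: compare in the width of the untrusted value, then narrow only a
 * value already known to fit. */
size_t safe_copy_len(uint32_t wire_len)
{
    if (wire_len > FRAME_MAX)
        return 0;
    uint16_t len = (uint16_t)wire_len; /* provably <= FRAME_MAX here */
    return len;
}

/* Hypothetical header decoder: 4-byte big-endian length. */
uint32_t read_be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

int main(void)
{
    /* Constructed malicious header: length 0x00010010 = 65552 bytes, which
     * truncates to 0x0010 = 16 in a uint16_t. */
    const unsigned char hdr[4] = {0x00, 0x01, 0x00, 0x10};
    uint32_t wire_len = read_be32(hdr);

    printf("wire_len=%u  vuln would copy %zu bytes into a %u-byte buffer, "
           "hardened copies %zu\n",
           wire_len, vuln_copy_len(wire_len), FRAME_MAX, safe_copy_len(wire_len));
    return 0;
}
```

The fix is not the explicit cast itself but where the comparison happens: once the check is performed in the original width, narrowing afterwards cannot reintroduce the gap. Compiling with -Wconversion (and treating it as an error in CI) is what turns the silent narrowing in the first function into a build failure.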
  8. Yo Dawg I heard you liked sandboxes by flappinbooger · · Score: 2

    So I run chrome inside of a sandbox so I can be sandboxed while Chrome's sandbox is being hacked.

    --
    Flappinbooger isn't my real name
  9. Nice salary by Daniel+Phillips · · Score: 4, Funny

    That's $12 million/hour, more than Larry and Sergey combined :-)

    --
    Have you got your LWN subscription yet?
    1. Re:Nice salary by viperidaenz · · Score: 2

      I get paid $26 million/hour. If I only look at the 1 second it takes for my pay to appear in my account every fortnight.

  10. Re:I use Chromium by Calos · · Score: 2

    Yeah, that truth, that's not why people were modding your post. I think you know that.

    And people are probably modding it troll because most of us haven't seen any legitimate proof of these claims. Most of us see a fair amount to the contrary.

    By all means, if you know something and can show it or have some links with substantiated evidence - please post them, so people can make the choice to switch if they desire.

    Otherwise, all you're doing is raising the noise floor. And moderators are seeking to lower it.

    --
    I vote based on politicians' actions, unless contrary to my preconceptions. Often wrong, never uncertain. #iamthe99%
  11. Re:Google's PHD Coders??? by Daniel+Phillips · · Score: 3, Insightful

    Tell me that Google couldn't do a better job than that.
    5 minutes? What sort of coding knowledge does Google have anyway.

    Not as much as the combined wisdom of the community, a fact that permeates slowly through some of the thicker skulls in the land of Oz.

    --
    Have you got your LWN subscription yet?
  12. Re:I use Chromium by causality · · Score: 3, Insightful

    Modded Troll??? Why? I was stating a truth (I don't use Google Chrome; I use the open source chromium).

    Chromium LINK - http://www.softpedia.com/get/PORTABLE-SOFTWARE/Internet/Browsers/Portable-Google-Chrome-Chromium.shtml

    The one time the Slashdot groupthink is actually against Open Source code and privacy and software freedom ... is when it makes a statement against Google.

    Since this particular statement cuts to the core of how Google makes its money, namely through acquiring marketing data from mostly hapless and unsuspecting users who have no idea how much information they are "contributing", and wouldn't if they did, it's too fundamental of a comment to be tolerated by the fanboys.

    So you're being punished by the more impotent and bed-wetting type of mods for telling the truth. That's a badge of honor.

    I mean, it's not like they were going to take you on with facts and explain why you're completely mistaken. They can't. So, like all other cowards, they lash out the only way they can. That's all. Nothing hard to understand about it.

    --
    It is a miracle that curiosity survives formal education. - Einstein
  13. Nice Linking by rudy_wayne · · Score: 5, Funny

    5 minutes into the Pwn2Own cracking contest team Vupen exploited 2 Chrome bugs to demonstrate a total break of Google's browser.

    Thanks for linking to a completely useless, pointless and content-free Twitter post.

  14. Re:Google's PHD Coders??? by gweihir · · Score: 2

    The time is completely irrelevant. These are pre-packaged exploits that run as fast as possible.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  15. details on the exploit? by xandroid · · Score: 2
    --
    $ echo "ceci n'est pas une pipe" | sed -Ee 's/(eci n|pas )//g'
  16. Awarding this the most apologetic post of the day by Anonymous Coward · · Score: 4, Insightful

    Saying "I know anecdotes aren't data" followed by "but [insert anecdote here]" doesn't excuse you from confirmation bias. There is no evidence presented by you that your practices wouldn't keep you just as safe with Opera or Gecko-based browsers.

  17. Re:But what very did they try to exploit? by anubi · · Score: 2

    I just saw some stuff on youtube that, well for me, was quite scary.

    http://www.youtube.com/watch?v=fxri6DDYAdM

    It was about dangerous sites on the internet. Youtube has lots of links to other similar postings.

    A question for fellow slashdotters... how much truth is in this? Or are they playing games with me to scare the hell out of me?

    Comments invited.

    --
    "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]

  18. Won't help by dutchwhizzman · · Score: 2

    The whole concept of PWNing is that someone comes up with a way to circumvent the security built into that system. Sure, multiple layers like you describe will hopefully catch the intruder at some other point, where they try to do something that triggers an alarm. However, there is nothing you can do against zero-day vulnerabilities, other than multilayer your security and set up proper alerting.

    People smart enough to find a zero day in a common and well tested browser tend to be smart enough to write "payload code" that will not be detected by your virus scanner as well. Most likely, they will disable your local (Windows) firewall (the payload would have to be OS specific anyway) and get the information they are after back to themselves some way.

    Like others already said, you won't get to hear details on how they got through until after the patch has been rolled out and you can download a fixed version. If you want to learn how to defend yourself against zero-days in general, read what the leak was, do that for as many other zero-day vulnerabilities as you can spend time on and come up with generic defenses that will help against as much of those as possible. Just concentrating on this one won't do you any good.

    --
    I was promised a flying car. Where is my flying car?
  19. Re:You always could google pwn2own... by allo · · Score: 2

    Soviet Russia forgot him!

  20. Re:Google's PHD Coders??? by ais523 · · Score: 2

    Well, it's probably an indication of whether the exploit is deterministic or probabilistic (probabilistic exploits will need more tries on average before they work). Also, if it's a buffer overflow, the size of the buffer it's overflowing (if it needs a lot of data to overflow, the browser will take a while to download it).

    Not a good indicator of how difficult the exploit was to find, though.

    --
    (1)DOCOMEFROM!2~.2'~#1WHILE:1<-"'?.1$.2'~'"':1/.1$.2'~#0"$#65535'"$"'"'&.1$.2'~'#0$#65535'"$#0'~#32767$#1"
  21. Obligatory by cmburns69 · · Score: 2
    --
    Online Starcraft RPG? At
    Dietary fiber is like asynchronous IO-- Non-blocking!