Chrome Hacked In 5 Minutes At Pwn2Own

Skuto writes "After offering a total prize fund of up to $1M for a successful Chrome hack, it seems Google got what it wanted (or not!). No more than 5 minutes into the Pwn2Own cracking contest team Vupen exploited 2 Chrome bugs to demonstrate a total break of Google's browser. They will win at least 60k USD out of Google's prize fund, as well as taking a strong option on winning the overall Pwn2Own prize. It also illustrates that Chrome's much lauded sandboxing is not a silver bullet for browser security."

Obviously they were just waiting to start

[msobkow]

I think it's pretty clear they had their exploits worked out and ready to go for some time, and were just waiting for the contest to start to unleash them.

Still, kudos on what has to be almost world-record-time penetration of a "secure" system.

Re:Obviously they were just waiting to start

[SpanglerIsAGod]

I think that's how most of the successful hacks have been going in this contest. Someone finds a few vulnerabilities, hordes them until the contest, and then goes public with them.

I'm not sure that I like that, but I guess it gets some vulnerabilities fixed.

Re:Obviously they were just waiting to start

I think all of the Pwn2Own exploits are discovered beforehand and then shown at this event. They could report it and get sued... or they could hold on to it, hope its not patched out or publicized and grab money and swag.

Re:Obviously they were just waiting to start

Every major sports team comes into the contest with a scouting report and a plan to win.

These guys did their scouting and executed their plan.

Well done !

Re:Obviously they were just waiting to start

[93+Escort+Wagon]

I think it's pretty clear they had their exploits worked out and ready to go for some time, and were just waiting for the contest to start to unleash them.

I think it's pretty clear this has always been the case in these pwn2own contests, whether the browser is Safari, Internet Explorer, or Chrome. This latest crack just makes it a little more obvious that it's a question of motivation more than anything else - and money is a powerful motivator, probably more so than notoriety (in sufficient quantities, anyway).

Re:Obviously they were just waiting to start

That's because when other browsers are cracked first it shows they are insecure, while when it's Chrome it is only an experimental error.

Re:Obviously they were just waiting to start

I think it's pretty clear this has always been the case in these pwn2own contests, whether the browser is Safari, Internet Explorer, or Chrome. This latest crack just makes it a little more obvious that it's a question of motivation more than anything else - and money is a powerful motivator, probably more so than notoriety (in sufficient quantities, anyway).

And is that such a bad thing? For the white hats, the money's just a bonus.

But $1M is pretty cheap to increase the odds that those who might otherwise be tempted to join the black hats can still gain public recognition, still make some money, and because their hat can remain white, they don't even have to worry about prosecution.

In exchange for the coin, developers get responsible disclosure of lots of bugs (that might have otherwise remained under wraps, or might have been discovered first by black hats) in a controlled environment.

Win-win situation in my books.

Re:Obviously they were just waiting to start

[GameboyRMH]

I'm not gonna lie, with my modest 3rd-world income I'd probably do the same thing for $60k. Giving out these massive prizes at annual competitions could turn out to be a double-edged sword.

Re:Obviously they were just waiting to start

[haruchai]

You've clearly never read a press release from a software company

Re:Obviously they were just waiting to start

[hairyfeet]

Can someone please explain which OS it was running, which version, any AV, you know, more details than a fricking tweet? I know we don't generally actually READ TFA but hell this might as well have been "Chrome got pwned by a man doing a thing" for all the lack of details!

Now as for Chrome getting hacked well anything CAN be hacked if you have enough of a reason to go after it and i think Google made themselves a nice juicy target on purpose to get the data before any blackhats so kudos to them and the hackers. i know anecdotes aren't data but at least for myself and my customers and family the combo of Comodo Dragon (Chromium based) with either Avast Free or Comodo IS and Win 7 has been pretty much hack AND idiot proof, no small task. Just for shits and giggles i tried to infect a machine I was gonna wipe anyway, threw it at every topsite and crapsite and junksite I could find and...nothing, nada zip zilch. of course that wasn't just Chromium protecting it it also had Win 7 and low rights mode with DEP and ASLR, it had Comodo SecureDNS filtering known malware dumps, it had the sandboxing that is built into Avast and Comodo IS (tried both to make sure and they seem about equal on everything from protection to RAM usage so its more a taste thing or if you need to protect a business as Comodo is free for business use) and finally ABP blocked many of the ads that are the biggest source of malware, at least from what I've seen.

So a little more info would be nice, I'd like to know if there is something I need to tweak in my system or not.

Re:Obviously they were just waiting to start

There is not and never has been a "silver bullet" for anything much less security. Stop acting surprised.

Not true that there are no silver bullets for anything. There are silver bullets for killing werewolves.

Re:Obviously they were just waiting to start

[GigaplexNZ]

There is not and never has been a "silver bullet" for anything much less security.

Except, of course, for an actual bullet made of silver.

Re:Obviously they were just waiting to start

[kcbnac]

Then perhaps they need to start doing them more often than yearly? Do them quarterly?

Re:Obviously they were just waiting to start

I wonder if it would be worthwhile for a committer to intentionally introduce a bug (passing code review, of course), then split the bounty with a buddy who enters the competition?

Re:Obviously they were just waiting to start

$60k is considerably more than my "1st-world" annual income. I imagine you'd have to be rich or a little goofy not to do that, if the opportunity presents itself.

Re:Obviously they were just waiting to start

[eulernet]

This latest crack just makes it a little more obvious that it's a question of motivation more than anything else - and money is a powerful motivator, probably more so than notoriety (in sufficient quantities, anyway).

No, it just proves that when you put enough money, professional crackers are attracted.

There is an article where Charlie Miller (winner of past contests) explains why he won't compete:
https://www.zdnet.com/blog/security/charlie-miller-skipping-pwn2own-as-new-rules-change-hacking-game/10554

On the contrary, I think that money attracts professionals, and discourages all other people, who may have interesting hacks but know that they cannot compete against professionals.
In short, it encourages people who came to win, and discourages people who came to participate.

Re:Obviously they were just waiting to start

[Zero__Kelvin]

Are you mad man? Didn't you hear!!??? It exposes bugs!

Re:Obviously they were just waiting to start

[Gavagai80]

Ah, so you're the guy this is about. Stop whining and get back to your luxuries while the rest of us make a tiny fraction of your salary.

Re:Obviously they were just waiting to start

[TheRaven64]

I use a Mac, but the air of condescension surrounding my computer makes malware slink off and attack someone else's computer.

5 minutes?

I guess this means they went in knowing exactly what they were going to do. This means that it has been known for a while which means there could be many more people who know and are exploiting this.

Re:5 minutes?

[v1]

Nobody shows up at one of these contests and cracks their knuckles and starts looking for holes. They always show up with a premade bag of polished and practiced zero-days.

Funny though how they get so much media attention every time this happens OMG safari got owned in six minutes! Chrome got hacked in 5 minutes! They must beg gods! no, not really.

There's really no reason they couldn't be doing this once a month really. I'd wager that the winners this round had 4-6 different exploits in their bag of tricks, and are strategically submitting them.

It would be in google's better interest to hold such contests monthly with smaller prizes. It'd just be paying for bugs, but the way they're doing it here is just moving a lot slower than it really should.

Re:5 minutes?

All the browsers except for IE pay for bug bounties...

It is probably more the fame of winning the event...

Re:5 minutes?

[__aaltlg1547]

And that brings up an even more troubling thought. Are the pwn2own incentives creating a perverse incentive to conceal vulnerabilities?

I think so. If this is how Google will find and fix its flaws, exploiters are basically safe between events.

If you want flaws and exploits identified and fixed fast, pay on a first-to identify basis and never announce what the exploits found were. Just quietly fix them as fast as you can and distribute patches regularly.

Re:5 minutes?

[artor3]

That depends how much they pay. Google, for example, pays the cute but relatively small sum of $3133.70 for the most severe bugs. These Vupen guys could have reported their bugs and pocketed at most ~$6k (maybe less, if Google failed to recognize the severity of the bugs), or they could do as they did, keep the bugs to themselves until Pwn2Own came around, and earn ten times that amount.

I doubt they care so much about the fame. The extra $54k, on the other hand...

Why even mention the time?

This isn't Swordfish. They had plenty of time to prepare their attack.

It's impressive they exploited Chrome. But the preparation took more than 5 minutes.

Re:Why even mention the time?

[Brad1138]

You mean they weren't getting BJ's as they hacked Chrome? What kind of contest is this anyway?

Re:Why even mention the time?

[binarylarry]

It's not called pwn2groan!

still more cost effective

[Bananasdoom]

Handing out 2mill of prize money is still more cost effective that standard R&D, you get more professionals testing it for the chance of wining some prize money than Google could ever employ and the people they chose not to employ.

Re:still more cost effective

[gweihir]

Unfortunately, wrong. First, you get only as much of their vulnerability stock that they need to maximize their profit. Then, you do only get what was easiest to find for them. A real security review looks at architecture, design, coding style and other things as well, which are completely absent at these competitions.

Basically, this is a show with very little actual security benefits.

Conflated competitions?

The posting says that one of the teams in Pwn2Own will win at least USD 60K from Google. But Google aren't putting up any Pwn2Own prize money. Last I heard Google are running their own competition with different rules. The participants in Pwn2Own may well not enter the Google competition because their exploit (if it escapes the sandbox) will be worth much more than USD 60K. My understanding is that the Pwn2Own entrants are not required to reveal their sandbox exploits before receiving the prize money because sandbox exploits are worth much more than the prize money that is available while Google will require full disclosure before handing over their money.

Re:Conflated competitions?

The Pwn2Own twitter account actually talks quite a bit about this.

Additionally, it appears that Vupen has already announced they won't be participating in Google's competition.

Nice salary

[Daniel+Phillips]

That's $12 million/hour, more than Larry and Sergey combined :-)

Re:Google's PHD Coders???

[Daniel+Phillips]

Tell me that Google couldn't do a better job than that.
5 minutes? What sort of coding knowledge does Google have anyway.

Not as much as the combined wisdom of the community, a fact that permeates slowly through some of the thicker skulls in the land of Oz.

Re:I use Chromium

[causality]

Modded Troll??? Why? I was stating a truth (I don't use Google Chrome; I use the open source chromium).

Chromium LINK - http://www.softpedia.com/get/PORTABLE-SOFTWARE/Internet/Browsers/Portable-Google-Chrome-Chromium.shtml

The one time the Slashdot groupthink is actually against Open Source code and privacy and software freedom ... is when it makes a statement against Google.

Since this particular statement cuts to the core of how Google makes its money, namely through acquiring marketing data from mostly hapless and unsuspecting users who have no idea how much information they are "contributing", and wouldn't if they did, it's too fundamental of a comment to be tolerated by the fanboys.

So you're being punished by the more impotent and bed-wetting type of mods for telling the truth. That's a badge of honor.

I mean, it's not like they were going to take you on with facts and explain why you're completely mistaken. They can't. So, like all other cowards, they lash out the only way they can. That's all. Nothing hard to understand about it.

Nice Linking

[rudy_wayne]

5 minutes into the Pwn2Own cracking contest team Vupen exploited 2 Chrome bugs to demonstrate a total break of Google's browser.

Thanks for linking to a complete useless, pointless and content-free Twitter post.

Awarding this the most apologetic post of the day

saying "I know anecdotes aren't date" followed by "but insert anecdote here" doesn't excuse you from confirmation bias. There is no evidence presented by you that your practises wouldn't keep you just as safe with Opera or Gecko-based browsers.