
Sometimes you need hackers to help you avoid getting hacked.

Google offered to pay as much as $1 million to anyone who could show vulnerabilities in its Chrome browser.

Less than two weeks after Google launched Pwnium, a competition for hackers to find security exploits in Chrome, the search giant has announced its first winner.

Google has paid out $60,000 to a security researcher for demonstrating a ‘full Chrome exploit’ in its Chrome web browser.

Sergey Glazunov, who has built up a reputation for demonstrating weaknesses in Chromium, is the first researcher to be awarded the $60,000 top prize. Glazunov showed off a remote code execution vulnerability in Chrome on an up-to-date Windows 7 system, which qualifies as a full Chrome exploit.

The exploit makes it possible for a malicious hacker to do just about anything they want on an infected machine.

$60,000 – “Full Chrome exploit”: Chrome / Win7 local OS user account persistence using only bugs in Chrome itself.

$40,000 – “Partial Chrome exploit”: Chrome / Win7 local OS user account persistence using at least one bug in Chrome itself, plus other bugs. For example, a WebKit bug combined with a Windows sandbox bug.

$20,000 – “Consolation reward, Flash / Windows / other”: Chrome / Win7 local OS user account persistence that does not use bugs in Chrome.

Update 1 [11-03-2012]: Pinkie Pie Earns $60K At Pwn2Own With Three Chromium 0-Day Exploits

Google’s Chrome browser on Friday fell to a zero-day attack that pierced its vaunted security sandbox, the third such attack in as many days at a contest designed to test its resistance to real-world threats.

A teenage hacker who identified himself only as PinkiePie said he spent the past week and a half working on the attack. It combined three previously unknown vulnerabilities to gain full system access to a Dell Inspiron laptop that ran a fully patched version of Chrome on top of the most up-to-date version of Windows 7. He spent the past three days holed up in hotel rooms and conference areas refining the attack so it would break out of the sandbox, which was designed to prevent code-execution attacks like his, even when security bugs are identified.

The five vulnerabilities exposed during the third and final day of the contest are minuscule compared to the overall number of bugs Chrome’s security team fixes each year. A member of the team said the value of Pwnium isn’t in the number of bugs that come to light, but rather in the insights that come from watching how a reliable exploit is able to slip through carefully crafted defenses.

Update 2: IE 9 on Windows 7 was also hacked, again through a complicated hack that had to circumvent the browser’s sandbox. Microsoft, however, may not respond so rapidly, as its quality testing procedure usually takes a few months to fix bugs like these. Safari on Mac OS X Snow Leopard, along with Firefox and IE 8 on Windows XP, was also hacked.

Source: CNET, PWNIUM, arstechnica, slatester, thehackernews
