Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Google’s Chrome Web Browser Hacked at CanSecWest

Google showed a great deal of confidence ahead of the CanSecWest conference this year when it announced plans to offer up to $1 million in rewards for a successful exploit against its Chrome browser. The company even launched its own Pwnium contest.

Google showed a great deal of confidence ahead of the CanSecWest conference this year when it announced plans to offer up to $1 million in rewards for a successful exploit against its Chrome browser. The company even launched its own Pwnium contest.

Unfortunately for Google, Chrome got dinged for the first time in the history of CanSecWest. Wednesday, security researcher Sergey Glazunov used two separate bugs to compromise the browser as part of Pwnium, earning a $60,000 reward. According to Sophos Senior Consultant Graham Cluley, Glazunov discovered a remote code execution vulnerability that could be used by hackers in drive-by attacks to install and run code.

“Congrats to long-time Chromium contributor Sergey Glazunov who just submitted our first Pwnium entry,” Sundar Pichai, Google’s senior vice president of Google Chrome, wrote on Google+. “Looks like it qualifies as a “Full Chrome” exploit, qualifying for a $60k reward. We’re working fast on a fix that we’ll push via auto-update. This is exciting; we launched Pwnium this year to encourage the security community to submit exploits for us to help make the web safer. We look forward to any additional submissions to make Chrome even stronger for our users.”

Not long after Glazunov’s success, researchers at VUPEN Security exploited the browser as well at CanSecWest’s annual Pwn2Own contest using a pair of zero-day vulnerabilities to take control of a fully-patched PC running 64-bit Windows 7 (SP1).

“We wanted to show that Chrome was not unbreakable,” VUPEN CEO and head of research Chaouki Bekrar told ZDNet. “Last year, we saw a lot of headlines that no one could hack Chrome. We wanted to make sure it was the first to fall this year.”

Prior to the event, Google plugged 14 security holes in the Chrome browser. Thirteen of the 14 were classified by Google as ‘High’ risk.

Historically, Google Chrome has escaped exploitation at Pwn2Own, with researchers having better luck against Microsoft Internet Explorer, Mozilla Firefox and Apple’s Safari browser. This year, Google created the Pwnium contest and withdrew its sponsorship from Pwn2Own because contestants were not required to reveal full details of their exploits to vendors.

“The aim of our sponsorship is simple: we have a big learning opportunity when we receive full end-to-end exploits,” Google security team members Chris Evans and Justin Schuh blogged Feb. 27. “Not only can we fix the bugs, but by studying the vulnerability and exploit techniques we can enhance our mitigations, automated testing, and sandboxing…Full exploits have been handed over in previous years, but it’s an explicit non-requirement in this year’s contest, and that’s worrisome.”

Advertisement. Scroll to continue reading.

CanSecWest will continue on until Friday in Vancouver.

Update: Google addressed the vulnerabilities exploited by Glazunov on Thursday with Chrome Version 17.0.963.78 on Windows, Mac, Linux and Chrome Frame. Google noted that the release fixes issues with Flash games and videos, and other security updates.

Written By

Marketing professional with a background in journalism and a focus on IT security.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.