Google showed a great deal of confidence ahead of the CanSecWest conference this year when it announced plans to offer up to $1 million in rewards for a successful exploit against its Chrome browser. The company even launched its own Pwnium contest.
Unfortunately for Google, Chrome got dinged for the first time in the history of CanSecWest. Wednesday, security researcher Sergey Glazunov used two separate bugs to compromise the browser as part of Pwnium, earning a $60,000 reward. According to Sophos Senior Consultant Graham Cluley, Glazunov discovered a remote code execution vulnerability that could be used by hackers in drive-by attacks to install and run code.
“Congrats to long-time Chromium contributor Sergey Glazunov who just submitted our first Pwnium entry,” Sundar Pichai, Google’s senior vice president of Google Chrome, wrote on Google+. “Looks like it qualifies as a “Full Chrome” exploit, qualifying for a $60k reward. We’re working fast on a fix that we’ll push via auto-update. This is exciting; we launched Pwnium this year to encourage the security community to submit exploits for us to help make the web safer. We look forward to any additional submissions to make Chrome even stronger for our users.”
Not long after Glazunov’s success, researchers at VUPEN Security exploited the browser as well at CanSecWest’s annual Pwn2Own contest using a pair of zero-day vulnerabilities to take control of a fully-patched PC running 64-bit Windows 7 (SP1).
“We wanted to show that Chrome was not unbreakable,” VUPEN CEO and head of research Chaouki Bekrar told ZDNet. “Last year, we saw a lot of headlines that no one could hack Chrome. We wanted to make sure it was the first to fall this year.”
Prior to the event, Google plugged 14 security holes in the Chrome browser. Thirteen of the 14 were classified by Google as ‘High’ risk.
Historically, Google Chrome has escaped exploitation at Pwn2Own, with researchers having better luck against Microsoft Internet Explorer, Mozilla Firefox and Apple’s Safari browser. This year, Google created the Pwnium contest and withdrew its sponsorship from Pwn2Own because contestants were not required to reveal full details of their exploits to vendors.
“The aim of our sponsorship is simple: we have a big learning opportunity when we receive full end-to-end exploits,” Google security team members Chris Evans and Justin Schuh blogged Feb. 27. “Not only can we fix the bugs, but by studying the vulnerability and exploit techniques we can enhance our mitigations, automated testing, and sandboxing…Full exploits have been handed over in previous years, but it’s an explicit non-requirement in this year’s contest, and that’s worrisome.”
CanSecWest will continue on until Friday in Vancouver.
Update: Google addressed the vulnerabilities exploited by Glazunov on Thursday with Chrome Version 17.0.963.78 on Windows, Mac, Linux and Chrome Frame. Google noted that the release fixes issues with Flash games and videos, and other security updates.