Hacker finds second Chrome bug, wins $60,000 prize

Google hosted its Pwnium 2 competition at Hack in the Box 2012 in Kuala Lumpur yesterday. The winner, Pinkie Pie, went home with a $60,000 prize and a free Chromebook. Pie, incidentally had also won $60,000 in the first Pwnium competition held earlier this year. The bug that Pie had discovered relies on a WebKit Scalable Vector Graphics (SVG) compromise to exploit the renderer process. This time, he found a bug in the IPC layer to escape the Chrome sandbox.


In an official blog post on the Chromium blog, Software Engineer, Chris Evans shares that Pie took home the prize since this exploit fell within the parameters of a "“full Chrome exploit,” - thereby deserving the prize comprising - $60,000 and a free Chromebook. A “full Chrome exploit”, as Evans explains in the post “depends entirely on bugs within Chrome to achieve code execution.”


Out, finally!

The fresh patch is now available



Google started working on fixing the bug as soon as it was submitted. In fact, Evans shares that in less than 10 hours after Pwnium 2 concluded, they were already updating users with a freshly patched version of Chrome.


“One of Chrome’s most effective security defenses is our fast response time and ability to update users with critical patches, quickly. These bugs were no exception,” he wrote. 


He writes further, “We’d like to thank Pinkie Pie for his hard work in assembling another great Pwnium submission. We’ll post an in-depth look at the bugs used and subsequent mitigations once other platforms have been patched.”


Recently, Google rolled out the first post-beta update for its Chrome browser for the Android platform. The update addressed various security issues and brings improvements for Chrome’s sandboxing technology, besides fixing other moderate bugs. The update was for devices running Android v4.0 (Ice Cream Sandwich) and later. Chrome is available only for devices running Android v4.0 or later.


Chrome’s sandbox technology helps ensure malicious mobile websites are contained and do not impact the entire browser. A post on the Google Chrome blog by software engineer Jay Civelli states that this is made possible by “the innovative multi-process architecture in Chrome for Android, in conjunction with Android’s User ID (UID) isolation technology”. He adds that Jelly Bean devices would automatically use this more in-depth sandboxing technology.


In March this year, a group French hackers at the Pwn2own competition in Canada, the co-founder and head of research of Vupen, Chaouki Bekrar, and his team managed to break into Google Chrome in less than 5 minutes, in the process quashing talks about the browser's unquestionable security. They used "a pair of zero-day vulnerabilities to take complete control of a fully patched 64-bit Windows 7 (SP1) machine". For the successful break-in, Vupen has won itself 32 points.

Published Date: Oct 12, 2012 15:38 PM | Updated Date: Oct 12, 2012 15:38 PM