Experts Start Finding Vulnerabilities in Browser-Hacking Contests

A Russian security experts cracked Chrome soon after the competition began

By on March 8th, 2012 15:58 GMT

Not long after the Pwn2Own and Pwnium competitions started, security experts managed to identify vulnerabilities in Google Chrome that could be exploited by ill-intended hackers.

This year Google decided that it didn’t like the new rules of Pwn2Own so it started its own contest, Pwnium, with a total prize of $1 million (€744,000).

Shortly after the start was announced, Russian security researcher Sergey Glazunov uncovered a remote code execution vulnerability that could allow cybercriminals to execute malicious code only by convincing potential victims to visit a website.

Sophos reports that for managing to execute unauthorized code in a Chrome browser running on a Windows 7 operating system, Glazunov earned $60,000 (45,000 EUR).

“Congrats to long-time Chromium contributor Sergey Glazunov who just submitted our first Pwnium entry. Looks like it qualifies as a “Full Chrome” exploit, qualifying for a $60k reward,” Sundar Pichai, senior vice-president at Google, said.

“We’re working fast on a fix that we’ll push via auto-update. This is exciting; we launched Pwnium this year to encourage the security community to submit exploits for us to help make the web safer. We look forward to any additional submissions to make Chrome even stronger for our users.”

In the other court, at the Pwn2Own contest launched by TippingPoint's Zero Day Initiative, French security experts from VUPEN also managed to compromise Chrome, but since this year’s rules are a bit different, they only earned 32 points for their findings, instead of money.

Only if they keep their advantage over the entire duration of the competition will they win the $60,000 (45,000 EUR) prize.

According to Threat Post, VUPEN is the only team in the competition. That’s mainly because the new rules state that competitors are not required to pre-register, so once more security holes are found, others may show up.

“I wouldn't be surprised if no one else showed up, though. If they heard that VUPEN was showing up with 0-days for every single browser, and this all the do, all day, every day, that might discourage them,” said Aaron Portnoy of TippingPoint.

Comments