Web & social

Pwnium Hacking Contest Winners Exploited 16 Chrome Zero-days

Google yesterday revealed that the two researchers who cracked Chrome in March at the company's inaugural "Pwnium" hacking contest used a total of 16 zero-day vulnerabilities to win $60,000 each.

The number of bugs each researcher used -- six in one case, "roughly" 10 in the other -- was dramatically more than the average attack. The Stuxnet worm of 2010, called "groundbreaking" by some analysts, used just four bugs, only three of them previously-unknown "zero-day" vulnerabilities.

Google detailed only the half-dozen deployed by the researcher known as "Pinkie Pie" in a post to the Chromium blog yesterday. Details of the 10 used by Sergey Glazunov will not be disclosed until they are patched in other programs they afflict, said Jorge Lucangeli Obes and Justin Schuh, two Chrome security engineers, in the blog.

Pinkie Pie and Glazunov were the only prize winners at Pwnium, the March contest Google created after it withdrew from the long-running "Pwn2Own" hacking challenge. Google had pledged to pay up to $1 million, but ended up handing out just $120,000 -- $60,000 to each of the men.

In previous P2n2Own contests, Chrome had escaped not only unscathed, but also untested by top-flight security researchers.

Pinkie Pie strung together six vulnerabilities on March 9 to successfully break out of the Chrome "sandbox," an anti-exploit technology that isolates the browser from the rest of the system.

The vulnerabilities let him exploit Chrome's pre-rendering -- where the browser loads potential pages before a user views them -- access the GPU (graphics processor unit) command buffers, write eight bytes of code to a predictable memory address, execute additional code in the GPU and escape the browser's sandbox.

At the time of Pwnium, one Google program manager called Pinkie Pie's exploits "works of art."

Google patched Pinkie Pie's bugs within 24 hours of his demonstration. Since then, the company has revealed technical details in its Chromium bug database of five of the six vulnerabilities.

Glazunov's exploits relied on approximately 10 vulnerabilities -- they, too, were patched within 24 hours -- but Google is keeping information on those secret for now.

"While these issues are already fixed in Chrome, some of them impact a much broader array of products from a range of companies," said Obes and Schuh. "We won't be posting that part until we're comfortable that all affected products have had an adequate time to push fixes to their users."

Chrome, currently at version 19, had an estimated 18.9% of the browser usage market in April, according to metrics firm Net Applications. Rival StatCounter, however, pegged Chrome's share for the month at 31.2%.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is gkeizer@computerworld.com.

See more by Gregg Keizer on Computerworld.com.

Read more about malware and vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.

Subscribe to the The Advisor Newsletter

Comments