Google's Chrome untouched at Pwn2Own hack match
Scheduled attackers don't show, or pass on exploiting sandboxed browser
Computerworld - Google's $20,000 was as safe at Pwn2Own Wednesday as if it had been in the bank.
The search giant had promised to pay $20,000 to the first researcher who broke into Chrome on the hacking contest's opening day.
But no one took up Google's offer.
"The first contestant was a no-show," said Aaron Portnoy, manager of HP TippingPoint's security research team, and Pwn2Own's organizer. "And the other team wanted to work on their BlackBerry vulnerability. So it doesn't look like anyone will try Chrome."
Only two entries had pre-registered for Chrome: Moatz Khader and one or more researchers going as "Team Anon." (Researchers may remain anonymous if they wish.) Based on a random drawing several weeks ago, Khader was to get first shot, with Team Anon second.
Team Anon is also slated to tackle RIM's BlackBerry OS on Thursday.
Late Wednesday, TippingPoint provided a tentative schedule for today's Pwn2Own; that schedule doesn't show any planned Chrome exploit.
Even if someone unexpectedly stepped up to take a crack at Chrome and exploited the browser, Google would be on the hook for just $10,000. As part of the deal it struck with TippingPoint, the two will split the $20,000 payment for a successful hack on the second or third days of the contest.
If Chrome comes out unscathed, as it now appears it will, the browser will have survived three consecutive Pwn2Owns, a record.
On Wednesday, researchers successfully exploited Safari and Internet Explorer. A team from French security company Vupen took down Safari 5 running on a MacBook Air notebook in five seconds, and independent researcher Stephen Fewer used a trio of vulnerabilities to hack IE8 on Windows 7.
Portnoy was impressed with Fewer's work. "The most impressive so far," said Portnoy. "He used three vulnerabilities to [not only] bypass ASLR and DEP, but also escape Protected Mode. That's something we've not seen at Pwn2Own before."
ASLR, for address space layout randomization, and DEP, or data execution prevention, are a pair of technologies baked into Windows that are designed to make it more difficult for exploits to reliably execute. Protected Mode is IE's "sandbox," which isolates the browser -- and thus any attack code that manages to infiltrate it -- from escaping to do damage on the system as a whole.
Pwn2Own continues today and Friday, when Mozilla's Firefox and four smartphones running Apple's iOS, Google's Android, Microsoft's Windows 7 Phone and RIM's BlackBerry OS will be in researchers' crosshairs.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg's RSS feed . His e-mail address is [email protected].
Pwn2Own 2011
- iPhone, BlackBerry tumble to Pwn2Own hackers
- Researcher chains three exploits to take down IE8 at Pwn2Own
- Safari, IE hacked first at Pwn2Own
- Researcher blows $15K by reporting bug to Google
- Microsoft won't patch IE before Pwn2Own
- Apple to patch Safari before Pwn2Own, say researchers
- Mozilla follows Google, patches Firefox as prep for Pwn2Own
- Three-time Pwn2Own winner knocks hacking contest rules
- Familiar faces, new names step up at Pwn2Own hacking contest
- Update: Firefox update will patch CSRF bug, Mozilla says
Read more about Security in Computerworld's Security Topic Center.
- 5 Fast, Easy, Cheap IT Certifications
- Register for this Computerworld guide to useful IT certifications and gain access to hundreds of premium content articles, cheat sheets, product reviews and more.
- Mobile First: Securing Information Sprawl Learn how the partnership between Box and MobileIron can help you execute a "mobile first" strategy that manages and secures both mobile apps...
- Evaluating File Sync and Share Solutions: 12 Questions to Ask about Security File sync and share can increase productivity, but how do you pick a solution that works for you? Download to learn some important...
- The Keys to Securing Data in a Collaborative Workplace Losing data is costly. IT professionals have spent years learning how to protect their organizations from hackers, but how do you ward off...
- What is this "File Sync" Thing and Why Should I Care About It? All of a sudden, getting a file from your work laptop to your iPad became as simple as clicking "Save." So it's no...
- What are the desktop virtualization market trends and how can you successfully deploy your solution? You've probably heard about desktop virtualization -- and some of its benefits -- things like tighter security, streamlined management and lower costs. But...
- The Value of Symantec NetBackup Appliances In this video, Symantec's Shelley Schmokel, Principal Product Manager for NetBackup Appliances, talks about the NetBackup Integrated Appliances and how they deliver enterprise-class... All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!