
Google Chrome exploit fetches “Pinkie Pie” $60,000 hacking prize

A win for Pinkie Pie and Google, as a fix is released within 12 hours of the exploit.

An image displayed on a computer after it was successfully commandeered by Pinkie Pie during the first Pwnium competition in March.
Dan Goodin

A hacker who goes by "Pinkie Pie" has once again subverted the security of Google's Chrome browser, a feat that fetched him a $60,000 prize and resulted in a security update to fix underlying vulnerabilities.

Ars readers may recall Pinkie Pie from earlier this year, when he pierced Chrome's vaunted security defenses at the first installment of Pwnium, a Google-sponsored contest that offered $1 million in prizes to people who successfully hacked the browser. At the time a little-known reverse engineer of just 19 years, Pinkie Pie stitched together at least six different bug exploits to bypass an elaborate defense perimeter designed by an army of some of the best software engineers in the world.

At the second installment of Pwnium, which wrapped up on Tuesday at the Hack in the Box 2012 security conference in Kuala Lumpur, Pinkie Pie did it again. This time, his attack exploited two vulnerabilities. The first, against Scalable Vector Graphics functions in Chrome's WebKit browser engine, allowed him to compromise the renderer process, according to a synopsis provided by Google software engineer Chris Evans.

Pounding on sand

Even then, Pinkie Pie encountered a predicament that is growing increasingly common among software exploiters. A security sandbox acts as a boundary that quarantines HTML and other types of browser content so it doesn't interact with more sensitive parts of a computer's operating system. Chrome's sandbox confined the compromised renderer process, so the exploit on its own could do little more than crash that process. With Microsoft's Internet Explorer and Apple's Safari offering similar defenses, crafting drive-by Web exploits that remotely execute malicious code is getting significantly harder. A comprehensive study from last year found Google's sandbox far more restrictive than Microsoft's, although some have discounted that finding because Google commissioned the report.

To work around this limitation and actually gain control of the system, Pinkie Pie targeted a second bug, this one in Chrome's interprocess communication layer. Because his exploit relied only on code that is included with Chrome, the attack once again qualified for the top $60,000 prize specified under the Pwnium rules.
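The two paragraphs above describe the architecture that made a second bug necessary: in Chrome the renderer runs sandboxed and the privileged browser process acts as its broker, so once the renderer is compromised the only way to reach the rest of the system is through the messages the broker accepts. The following is an added illustration written for this page, not Chrome's code and not a model of the specific bug Pinkie Pie used. It assumes a hypothetical broker that opens files on a renderer's behalf under a constructed policy (the `/tmp/renderer-cache` directory, the JSON wire format, and the function names are all assumptions) and shows why a broker must treat every IPC message as attacker-controlled.

```python
import json
import posixpath

# Constructed policy for this example: the only directory the broker will
# open files in on a renderer's behalf. Hypothetical path, not Chrome's.
ALLOWED_DIR = "/tmp/renderer-cache"


class SandboxViolation(Exception):
    """Raised when the 'renderer' tries a privileged operation directly."""


def renderer_open_direct(path):
    """Models the sandboxed renderer: even after the renderer is
    compromised, a direct filesystem open is refused, so the exploit can
    at most crash its own process. (Stand-in for a real OS sandbox.)"""
    raise SandboxViolation(f"sandbox denied direct open of {path!r}")


class Broker:
    """Models the privileged browser process servicing renderer IPC.
    Every message is attacker-controlled once the renderer is owned, so
    the broker parses strictly and checks policy on a canonical path."""

    def __init__(self, allowed_dir=ALLOWED_DIR):
        self.allowed_dir = posixpath.normpath(allowed_dir)

    def handle_message(self, raw):
        # Strict parsing: any decoding or JSON failure is rejected outright.
        try:
            msg = json.loads(raw.decode("utf-8"))
        except (UnicodeDecodeError, ValueError):
            return {"ok": False, "error": "malformed message"}
        if not isinstance(msg, dict) or msg.get("op") != "open_file":
            return {"ok": False, "error": "unknown operation"}
        path = msg.get("path")
        if not isinstance(path, str) or "\x00" in path:
            return {"ok": False, "error": "bad path"}
        # Resolve relative to the allowed directory, then re-check the
        # canonical result: "../" sequences and absolute paths both
        # collapse to something outside the policy and are refused.
        canon = posixpath.normpath(posixpath.join(self.allowed_dir, path))
        inside = canon == self.allowed_dir or canon.startswith(self.allowed_dir + "/")
        if not inside:
            return {"ok": False, "error": "path outside policy"}
        return {"ok": True, "path": canon}


def renderer_open_via_ipc(broker, path):
    """The only route left to a sandboxed renderer: ask the broker."""
    request = json.dumps({"op": "open_file", "path": path}).encode("utf-8")
    return broker.handle_message(request)


def demo():
    """Runs the direct attempt and several IPC requests; returns results."""
    broker = Broker()
    results = {}
    try:
        renderer_open_direct("/etc/passwd")
    except SandboxViolation as e:
        results["direct"] = str(e)
    for p in ["img/a.png", "../../etc/passwd", "/etc/passwd"]:
        results[p] = renderer_open_via_ipc(broker, p)
    # Constructed garbage message: not valid UTF-8, let alone JSON.
    results["garbage"] = broker.handle_message(b"\xff\xfe not json")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The point of the model is where the trust boundary sits: the sandbox stops the renderer from touching the filesystem itself, so any weakness in how the broker parses or validates the requests it receives is the sandbox escape. That is why a bug in the IPC layer, rather than a second renderer bug, is what turned a contained renderer compromise into control of the system.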

"We'd like to thank Pinkie Pie for his hard work in assembling another great Pwnium submission," Evans wrote. "We'll post an in-depth look at the bugs used and subsequent mitigations once other platforms have been patched."

Pinkie Pie was the sole winner this time around, but based on a Twitter dispatch from self-described "vulnerability assassin" Nikita Tarakanov, a freshly fixed vulnerability in Adobe's Flash Player scuttled his Pwnium plans during day one of the competition. Google Chrome is notable for packaging a custom version of Flash and providing security fixes for it before Adobe patches other Flash versions.

All told, it took just 12 hours from the time Pinkie Pie's attack was demonstrated to the time Google engineers released a fix. If that's not a record, it's better than the weeks or months it can take Mozilla, Microsoft, and Apple to patch their browsers against similarly devastating bugs.
