VUPEN received 32 points for the Chrome hack from officials at TippingPoint's Zero Day Initiative, a bug-bounty reward program that sponsors the contest.
At the annual Pwn2Own browser-hacking contest, Google Chrome was the first browser to be attacked, and it was attacked easily. It was the first browser to be breached among the competing browsers taking part in the contest.
This of course puts Google in jeopardy. Google claims Chrome to be one of the safest browsers out there. Google has not been breached in the last two years, but failing twice in a competition, and with minimal effort at that, leaves it embarrassed and without an answer.
The early lead in the Pwn2Own contest was captured by a French vulnerability research firm, VUPEN Security. Pwn2Own is part of this week's CanSecWest information security conference in Vancouver.
VUPEN received 32 points for the Chrome hack from officials at TippingPoint's Zero Day Initiative, a bug-bounty reward program that sponsors the contest. By day's end VUPEN was in the lead with 62 points, after also hacking Safari 5 on Mac OS X Snow Leopard and Firefox 3 on Windows XP. The contest continues through Friday.
VUPEN said that the Google Chrome exploitation was the easiest one and was done as early as possible. According to a tweet from VUPEN, its Chrome exploit involved "code execution and sandbox escape (medium integrity process resulted)" against a copy of Chrome running on Windows 7. VUPEN has previously discovered zero-day vulnerabilities that exploited Chrome after bypassing its sandbox, although this is the first time in three years that Chrome has been exploited in the Pwn2Own contest, the lead-up to which typically sees browser makers furiously issuing patches.
Google has been sponsoring the Pwn2Own contest for years, but it pulled back this time, blaming a change in the rules for its decision.
"Originally, our plan was to sponsor as part of this year's Pwn2Own competition," said Chris Evans and Justin Schuh, part of the Google Chrome security team, in a blog post. "Unfortunately, we decided to withdraw our sponsorship when we discovered that contestants are permitted to enter Pwn2Own without having to reveal full exploits (or even all of the bugs used!) to vendors. Full exploits have been handed over in previous years, but it's an explicit non-requirement in this year's contest, and that's worrisome."
Most browsers now offer some type of sandboxing for tabs and plugins to help prevent massive exploits from occurring.
The exploit will be addressed by the Google Chrome team to ensure that future attacks cannot use the same approach.
Do you think Google's approach to finding exploits will inevitably help it avoid major security breaches by having hacking initiatives find problems before they are discovered independently?