News

Google Patching Chrome After Attack at Hacking Contest

Google's Chrome Web browser fell to multiple exploits on Wednesday at CanSecWest security conference's Pwn2Own contest.

In response, Google released an over-the-air patch today to fix one of the issues demonstrated by hacker Sergey Glaznov. The update will be "silently" pushed to users.

Glaznov, a Russian university student, used a pair of privately disclosed exploits to bypass Chrome's sandbox. If exploited by attackers, malicious code could be run on an infected machine.

For demonstrating a zero-day attack, Glasnov will be awarded $60,000 by Google.

"Congrats to long-time Chromium contributor Sergey Glazunov who just submitted our first Pwnium entry," said Sundar Pichai, senior vice president Chrome, in a Google+ announcement. "Looks like it qualifies as a 'Full Chrome' exploit, qualifying for a $60k reward."

Glaznov wasn't the only one to expose a hole in the Chrome browser on Wednesday. Members of the vulnerability research firm VUPEN Security demonstrated a way to bypass the Chrome sandbox using a bug in Windows to bypass the DEP and the address space layout randomization. It also demonstrated a second Chrome flaw. However, information on it had not been released.

The group said it wasn't participating in the hacking contest for monetary gain. "We pwned Chrome to make things clear to everyone," said Chaouki Bekrar, CEO of Vupen Security, to Ars Technica. "We wanted to show that even Chrome is not unbreakable."

Because the first flaw demonstrated by VUPEN is caused by a Windows exploit and the second item had little data disclosed on it, fixes are not included in today's Chrome update.

This year's Pwn2Own contest marks the first time Google's Web browser has fallen to attackers. It participated and left the previous two years unscathed.

Not only was this the first year it had been successfully attacked, it was the first browser to fall – with VUPEN's first attack coming within the first five minutes of the contest.

About the Author

Chris Paoli is the site producer for Redmondmag.com and MCPmag.com.

Featured

  • Office Mobile Apps To End as Microsoft Highlights New Office App

    Microsoft plans to end support for Windows 10 Mobile applications on Jan. 12, 2021, according to a Friday announcement.

  • Is Microsoft Finally Reinventing Office?

    Microsoft is testing out a new technology called "Fluid Framework." It could mean that Brien's dream of one Office app to rule them all might soon become reality.

  • Azure Active Directory Connect Preview Adds Support for Disconnected AD Forests

    Microsoft on Thursday announced a preview of a new "Cloud Provisioning" feature for the Azure Active Directory Connect service that promises to bring together scattered Active Directory "forests."

  • Microsoft Defender ATP Gets macOS Investigation Support

    The endpoint and detection response (EDR) feature in Microsoft Defender Advanced Threat Protection (ATP) has reached the "general availability" stage for macOS devices.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.