Chrome, IE and Firefox Hacked
Written by Alex Armstrong   
Wednesday, 14 March 2012

By the end of the Pwn2Own competition held last week Google Chrome, Microsoft Internet Explorer and Mozilla Firefox were all subject to zero day exploits. In the separate Pwnium competition Chrome was a victim twice over. 

VuPen, the French team that felled Chrome within the first five minutes of the contest (see Chrome Hacked Twice at CanSecWest) were the overall winners of Pwn2Own, collecting the $60,000 prize for having the greatest number of points (123). On the final day of the competition VuPen exposed two vulnerabilities in Internet Explorer 9 that are also claimed to go back as far as IE6 and also to affect future generations of Microsoft's browser.

Relying on work done over the previous six weeks, the VuPen team used an unpatched heap-overflow bug to bypass DEP and ASLR and a separate memory corruption flaw to work around the browser's "Protected Mode" sandbox, the security feature that's meant to contain malicious code and prevent it from executing any commands on system.

browsers

The second prize awarded at the end of Pwn2Own went to the two-man team of Willem Pinckaers and Vincenzo Iozzo whose zero-day attack on Firefox involved a use-after-free problem which evaded DEP and ASLR protections in Windows 7. The same vulnerability was first used to leak information multiple times and was then used a a conduit through which execute prepared code, again through the same vulnerability. Pinckaers and Iozzo won $30,000 for amassing 66 points.

A second prize ($60,000) was also awarded in Google's separate Pwnium contest, organized once it became apparent that the new rules for Pwn2Own meant contestants would not have to reveal the full exploits or even the bugs used. A few hours before the contest closed a teenage hacker known as Pinkie Pie chained two, or possibly, three zero day vulnerabilities in Chrome together to break out of the browser's sandbox and execute code.

Google has already patched both this vulnerability and the earlier one by Russian researcher Sergey Glazunov. 

Google’s Jason Kersey also said the two Pwnium vulnerability submissions are “works of art that deserve wider sharing and recognition" and plans to prepare technical reports on both Pwnium submissions.

 

Related Articles

Chrome Hacked Twice at CanSecWest

Google Offers $1 million for Chrome Hack

 

 

blog comments powered by Disqus

 

To be informed about new articles on I Programmer, subscribe to the RSS feed, follow us on Google+, Twitter, Linkedin or Facebook or sign up for our weekly newsletter.

 

Banner

 


Python Tools for Visual Studio Gets New Focus
21/10/2014

PTVS 2.1 has just been released and now can be used for free with Visual Express. The more interesting news is that the PTVS team has become part of the Azure Machine Learning group and it PTVS2. [ ... ]



The Docker Way To Development
29/09/2014

Docker is the new way to distribute apps and entire systems in the cloud, on VMs and physical hardware. Now you can set up a development environment with a single command courtesy of a set of new Dock [ ... ]


More News

Last Updated ( Wednesday, 14 March 2012 )
 
 

   
RSS feed of news items only
I Programmer News
Copyright © 2014 i-programmer.info. All Rights Reserved.
Joomla! is Free Software released under the GNU/GPL License.