Teenager cracks Chrome again

Powered by SC Magazine
 

Full exploit earns teen a cool US$60,000.

Updated: A teenage hacker has launched a successful full exploit against Google Chrome at the HackInTheBox conference in Malaysia.

The exploit, now confirmed by Google’s US headquarters, earned the teenage hacker known as Pinkie Pie the top US$60,000 cash reward during Google’s Pwnium 2 event yesterday afternoon.

Google engineer Chris Evans said the attack targeted  two vulnerabilities. One exploited  the Scalable Vector Graphics function in Chrome's WebKit that led to compromise of the rendering process. The second bug affected the IPC layer to escape the Chrome sandbox.

It took Google only 10 hours to release a patch for the holes.

The company will give away up to a total of US$2 million during the event.

  • $60,000 - “Full Chrome exploit”: Chrome / Win7 local OS user account persistence using only bugs in Chrome itself.
  • $40,000 - “Partial Chrome exploit”: Chrome / Win7 local OS user account persistence using at least one bug in Chrome itself, plus other bugs. For example, a WebKit bug combined with a Windows sandbox bug.
  • $20,000 - “Consolation reward, Flash / Windows / other”: Chrome / Win7 local OS user account persistence that does not use bugs in Chrome. For example, bugs in one or more of Flash, Windows or a driver. These exploits are not specific to Chrome and will be a threat to users of any web browser. 

It will be the second time Pinkie Pie has scored the lucrative top prize. In March this year he strung together six vulnerabilities to escape the Chrome sandbox during the CanSecWest Pwnium event.

That exploit was done on an updated Windows 7 64bit machine and only required normal user web browsing.

Google dedicates three teams to exploits uncovered during Pwnium and can have a patch ready within 24 hours.

It formed Pwnium after pulling out of the pwn2own competition which did not require entrants to reveal information on their exploits.

Copyright © SC Magazine, Australia


Teenager cracks Chrome again
 
 
 
Top Stories
Photos: Global Switch opens Sydney East data centre
First stage opened, to some fanfare.
 
ATO releases long-awaited Bitcoin guidance
Everyday investors escape the tax man.
 
Why the Weather Bureau’s new supercomputer is a 'gamechanger'
IT transformation starts to reap results.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
Which is the most prevalent cyber attack method your organisation faces?




   |   View results
Phishing and social engineering
  67%
 
Advanced persistent threats
  3%
 
Unpatched or unsupported software vulnerabilities
  12%
 
Denial of service attacks
  7%
 
Insider threats
  11%
TOTAL VOTES: 470

Vote