
Pwnium hacking contest winners exploited 16 Chrome zero-days

'Pinkie Pie' used six, Sergey Glazunov 10, to hack Chrome and win $60,000 each in March

Google yesterday revealed that the two researchers who cracked Chrome in March at the company's inaugural "Pwnium" hacking contest used a total of 16 zero-day vulnerabilities to win $60,000 each.

The number of bugs each researcher used -- six in one case, "roughly" 10 in the other -- was dramatically higher than in the average attack. The Stuxnet worm of 2010, called "groundbreaking" by some analysts, used just four bugs, only three of them previously unknown "zero-day" vulnerabilities.

Google detailed only the half-dozen deployed by the researcher known as "Pinkie Pie" in a post to the Chromium blog yesterday. Details of the 10 used by Sergey Glazunov will not be disclosed until they are patched in other programs they afflict, said Jorge Lucangeli Obes and Justin Schuh, two Chrome security engineers, in the blog.

Pinkie Pie and Glazunov were the only prize winners at Pwnium, the March contest Google created after it withdrew from the long-running "Pwn2Own" hacking challenge. Google had pledged to pay up to $1 million, but ended up handing out just $120,000 -- $60,000 to each of the men.

In previous Pwn2Own contests, Chrome had escaped not only unscathed, but also untested by top-flight security researchers.

Pinkie Pie strung together six vulnerabilities on March 9 to successfully break out of the Chrome "sandbox," an anti-exploit technology that isolates the browser from the rest of the system.

The vulnerabilities let him exploit Chrome's pre-rendering -- where the browser loads potential pages before a user views them -- access the GPU (graphics processing unit) command buffers, write eight bytes of code to a predictable memory address, execute additional code in the GPU and escape the browser's sandbox.

At the time of Pwnium, one Google program manager called Pinkie Pie's exploits "works of art."

Google patched Pinkie Pie's bugs within 24 hours of his demonstration. Since then, the company has revealed technical details in its Chromium bug database of five of the six vulnerabilities.

Glazunov's exploits relied on approximately 10 vulnerabilities -- they, too, were patched within 24 hours -- but Google is keeping information on those secret for now.

"While these issues are already fixed in Chrome, some of them impact a much broader array of products from a range of companies," said Obes and Schuh. "We won't be posting that part until we're comfortable that all affected products have had an adequate time to push fixes to their users."

Chrome, currently at version 19, had an estimated 18.9% of the browser usage market in April, according to metrics firm Net Applications. Rival StatCounter, however, pegged Chrome's share for the month at 31.2%.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld.
