Chrome Hacked In 5 Minutes At Pwn2Own 169
Skuto writes "After offering a total prize fund of up to $1M for a successful Chrome hack, it seems Google got what it wanted (or not!). No more than 5 minutes into the Pwn2Own cracking contest team Vupen exploited 2 Chrome bugs to demonstrate a total break of Google's browser. They will win at least 60k USD out of Google's prize fund, as well as taking a strong option on winning the overall Pwn2Own prize. It also illustrates that Chrome's much lauded sandboxing is not a silver bullet for browser security."
5 minutes? (Score:4, Insightful)
I guess this means they went in knowing exactly what they were going to do. This means that it has been known for a while which means there could be many more people who know and are exploiting this.
Re:Obviously they were just waiting to start (Score:5, Insightful)
I think all of the Pwn2Own exploits are discovered beforehand and then shown at this event. They could report it and get sued... or they could hold on to it, hope its not patched out or publicized and grab money and swag.
Re:Obviously they were just waiting to start (Score:3, Insightful)
Every major sports team comes into the contest with a scouting report and a plan to win.
These guys did their scouting and executed their plan.
Well done !
Re:Obviously they were just waiting to start (Score:5, Insightful)
I think it's pretty clear they had their exploits worked out and ready to go for some time, and were just waiting for the contest to start to unleash them.
I think it's pretty clear this has always been the case in these pwn2own contests, whether the browser is Safari, Internet Explorer, or Chrome. This latest crack just makes it a little more obvious that it's a question of motivation more than anything else - and money is a powerful motivator, probably more so than notoriety (in sufficient quantities, anyway).
Why even mention the time? (Score:5, Insightful)
This isn't Swordfish. They had plenty of time to prepare their attack.
It's impressive they exploited Chrome. But the preparation took more than 5 minutes.
still more cost effective (Score:5, Insightful)
Re:5 minutes? (Score:5, Insightful)
Nobody shows up at one of these contests and cracks their knuckles and starts looking for holes. They always show up with a premade bag of polished and practiced zero-days.
Funny though how they get so much media attention every time this happens OMG safari got owned in six minutes! Chrome got hacked in 5 minutes! They must beg gods! no, not really.
There's really no reason they couldn't be doing this once a month really. I'd wager that the winners this round had 4-6 different exploits in their bag of tricks, and are strategically submitting them.
It would be in google's better interest to hold such contests monthly with smaller prizes. It'd just be paying for bugs, but the way they're doing it here is just moving a lot slower than it really should.
Re:Obviously they were just waiting to start (Score:2, Insightful)
It's pretty obvious how the tone of the first handful of up modded posts differs from when IE or Safari are first down.
Re:Obviously they were just waiting to start (Score:5, Insightful)
And is that such a bad thing? For the white hats, the money's just a bonus.
But $1M is pretty cheap to increase the odds that those who might otherwise be tempted to join the black hats can still gain public recognition, still make some money, and because their hat can remain white, they don't even have to worry about prosecution.
In exchange for the coin, developers get responsible disclosure of lots of bugs (that might have otherwise remained under wraps, or might have been discovered first by black hats) in a controlled environment.
Win-win situation in my books.
Re:5 minutes? (Score:5, Insightful)
And that brings up an even more troubling thought. Are the pwn2own incentives creating a perverse incentive to conceal vulnerabilities?
I think so. If this is how Google will find and fix its flaws, exploiters are basically safe between events.
If you want flaws and exploits identified and fixed fast, pay on a first-to identify basis and never announce what the exploits found were. Just quietly fix them as fast as you can and distribute patches regularly.
Re:Google's PHD Coders??? (Score:4, Insightful)
Tell me that Google couldn't do a better job than that.
5 minutes? What sort of coding knowledge does Google have anyway.
Not as much as the combined wisdom of the community, a fact that permeates slowly through some of the thicker skulls in the land of Oz.
Re:I use Chromium (Score:3, Insightful)
Modded Troll??? Why? I was stating a truth (I don't use Google Chrome; I use the open source chromium).
Chromium LINK - http://www.softpedia.com/get/PORTABLE-SOFTWARE/Internet/Browsers/Portable-Google-Chrome-Chromium.shtml [softpedia.com]
The one time the Slashdot groupthink is actually against Open Source code and privacy and software freedom ... is when it makes a statement against Google.
Since this particular statement cuts to the core of how Google makes its money, namely through acquiring marketing data from mostly hapless and unsuspecting users who have no idea how much information they are "contributing", and wouldn't if they did, it's too fundamental of a comment to be tolerated by the fanboys.
So you're being punished by the more impotent and bed-wetting type of mods for telling the truth. That's a badge of honor.
I mean, it's not like they were going to take you on with facts and explain why you're completely mistaken. They can't. So, like all other cowards, they lash out the only way they can. That's all. Nothing hard to understand about it.
Re:5 minutes? (Score:5, Insightful)
That depends how much they pay. Google, for example, pays the cute but relatively small sum of $3133.70 for the most severe bugs. These Vupen guys could have reported their bugs and pocketed at most ~$6k (maybe less, if Google failed to recognize the severity of the bugs), or they could do as they did, keep the bugs to themselves until Pwn2Own came around, and earn ten times that amount.
I doubt they care so much about the fame. The extra $54k, on the other hand...
Comment removed (Score:4, Insightful)
Awarding this the most apologetic post of the day (Score:4, Insightful)
saying "I know anecdotes aren't date" followed by "but insert anecdote here" doesn't excuse you from confirmation bias. There is no evidence presented by you that your practises wouldn't keep you just as safe with Opera or Gecko-based browsers.
Re:Obviously they were just waiting to start (Score:5, Insightful)
Then perhaps they need to start doing them more often than yearly? Do them quarterly?
Re:Why even mention the time? (Score:3, Insightful)
Well, every year when Safari was the first browser to be targeted and thus also the first to be broken the fandroids and the anti-Apple crowds would scream on and on about how this proved Safari was the shittiest browser in existence and by extension Apple was a horrible horrible company.
I guess it's Google's turn this year.
And no, I don't use Safari, I just find it interesting that when previous stories like this have been about Safari the first dozen or so posts weren't about how the reporting was biased...
Re:But what very did they try to exploit? (Score:1, Insightful)
Common sense. With 100 million users there are many bad sites and these are not games. It is a dangerous place.
Yes there are many bad websites and legit ones that have been compromised with ads or hacked to serve javascript exploits. Wordpress seems to be a popular legit series of sites that hackers keep injecting bad ads and malware to infect users who browse.
Go Google Norton Safe web and click the top 10? It changes everyday.
If you are really freaked out use an anti virus package that has cloud updates that blocklists bad sites and prevents them from opening. Avast Free is a popular one which updates every 8 minutes and blocks any browser. Commodo Dragon is a Chromium/Chrome based browser that has built in website blocking from bad domains as they make Commodo IS (haven't used it but has good ratings, though slows down your computer).
If you go to www.openDNS.com you can use the IP addresses in your DNS settings and it will provide filtering too (not as quick to block as other AV products I listed above).
Use a great Anti Virus product and do not got wierd unknown sites. Do not listen to the slashdot geeks who claim you do not need AV products and that they are not infected. 90% are and all it takes is one bad or flash exploit ... keep flash up to date too by going to Adobe or www.filehippo.com. The new one will auto update. Good luck keeping secure
Re:Obviously they were just waiting to start (Score:5, Insightful)
This latest crack just makes it a little more obvious that it's a question of motivation more than anything else - and money is a powerful motivator, probably more so than notoriety (in sufficient quantities, anyway).
No, it just proves that when you put enough money, professional crackers are attracted.
There is an article where Charlie Miller (winner of past contests) explains why he won't compete:
https://www.zdnet.com/blog/security/charlie-miller-skipping-pwn2own-as-new-rules-change-hacking-game/10554 [zdnet.com]
On the contrary, I think that money attracts professionals, and discourages all other people, who may have interesting hacks but know that they cannot compete against professionals.
In short, it encourages people who came to win, and discourages people who came to participate.