Chrome Hacked In 5 Minutes At Pwn2Own 169
Skuto writes "After offering a total prize fund of up to $1M for a successful Chrome hack, it seems Google got what it wanted (or not!). No more than 5 minutes into the Pwn2Own cracking contest team Vupen exploited 2 Chrome bugs to demonstrate a total break of Google's browser. They will win at least 60k USD out of Google's prize fund, as well as taking a strong option on winning the overall Pwn2Own prize. It also illustrates that Chrome's much lauded sandboxing is not a silver bullet for browser security."
Obviously they were just waiting to start (Score:5, Interesting)
I think it's pretty clear they had their exploits worked out and ready to go for some time, and were just waiting for the contest to start to unleash them.
Still, kudos on what has to be almost world-record-time penetration of a "secure" system.
Conflated competitions? (Score:5, Interesting)
The posting says that one of the teams in Pwn2Own will win at least USD 60K from Google. But Google aren't putting up any Pwn2Own prize money. Last I heard Google are running their own competition with different rules. The participants in Pwn2Own may well not enter the Google competition because their exploit (if it escapes the sandbox) will be worth much more than USD 60K. My understanding is that the Pwn2Own entrants are not required to reveal their sandbox exploits before receiving the prize money because sandbox exploits are worth much more than the prize money that is available while Google will require full disclosure before handing over their money.
Re:5 minutes? (Score:3, Interesting)
All the browsers except for IE pay for bug bounties...
It is probably more the fame of winning the event...
Re:Obviously they were just waiting to start (Score:5, Interesting)
I'm not gonna lie, with my modest 3rd-world income I'd probably do the same thing for $60k. Giving out these massive prizes at annual competitions could turn out to be a double-edged sword.
Re:Obviously they were just waiting to start (Score:2, Interesting)
It also illustrates that Chrome's much lauded sandboxing is not a silver bullet for browser security.
There is not and never has been a "silver bullet" for anything much less security. Stop acting surprised.
I mean I could understand it if there ever once was and now you want to have that again. But there never was. There isn't. There's not going to be. There is only hard work and diligence and learning from experience. Stop acting so shocked you dumb fucks! Seriously.
Re:still more cost effective (Score:4, Interesting)
Unfortunately, wrong. First, you get only as much of their vulnerability stock that they need to maximize their profit. Then, you do only get what was easiest to find for them. A real security review looks at architecture, design, coding style and other things as well, which are completely absent at these competitions.
Basically, this is a show with very little actual security benefits.
Re:Obviously they were just waiting to start (Score:5, Interesting)
I wonder if it would be worthwhile for a committer to intentionally introduce a bug (passing code review, of course), then split the bounty with a buddy who enters the competition?
Re:Obviously they were just waiting to start (Score:3, Interesting)