www.tech-sanity.com
CanSecWest's organizers confirmed that Chrome had been hacked during the Pwn2Own contest almost immediately. Team Vupen exploited a security hole in the browser within five minutes of the contest's start. The group will be getting at least a $60,000 prize. Funded partly by Google itself, as well as 32 points in the still-ongoing contest; it had already found two more vulnerabilities in software at the conference in intervening hours.
Exact details of the hole weren't detailed, but it was a zero-day exploit that successfully escaped Google's sandboxing and ran code.
The hack was prepared in advance and was likely helped by Google's own willingness to add significantly to the prize pool to test Chrome. It nonetheless undermines Google's insistence that Chrome is safe and shows it to not necessarily be safer in the real world than previous Pwn2Own targets like Safari. Google was one of the first to implement sandboxing, where any breach in a given browser tab or plugin is supposed to be blocked from compromising other parts, but it's now proven that the practice isn't a guarantee against exploits.
Most other browsers now have at least some form of sandboxing, whether for plugins or browser tabs.
No comments:
Post a Comment