Pwn2Own 2012: Google Chrome first to fall
At last year’s CanSecWest Pwn2Own hacker contest, Google Chrome was the only browser left standing. This year, Chrome was the first to fall, thanks to an impressive exploit from a team of French hackers.
VUPEN, the controversial company that sells vulnerabilities and exploits to government customers, deliberately took aim at Chrome this year to send a simple message: no software is unbreakable if hackers have enough motivation to prepare and launch an attack.
VUPEN co-founder and head of research Chaouki Bekrar and his team used a pair of zero-day vulnerabilities to take complete control of a fully patched 64-bit Windows 7 (SP1) machine. As part of the new competition format, VUPEN will earn 32 points for the successful Chrome exploit. In an interview, Bekrar said his team worked for about six weeks to find the vulnerabilities and write the exploits. ”We had to use two vulnerabilities. The first one was to bypass DEP and ASLR on Windows and a second one to break out of the Chrome sandbox.”