A Russian student has won US$60,000 for hacking into a fully patched Windows 7 machine using a remote code execution exploit in Google Chrome as part of Google’s Pwnium hacker contest at CanSecWest.
ZDNet reports that Sergey Glazunov’s exploit targeted two distinct zero-day vulnerabilities in Chrome’s extension sub-system. It was specific to Chrome and bypassed the browser sandbox.
Justin Schuh, who is part of Google’s Chrome security team, said the attack was “very impressive” and that the exploit could have done “anything” on the infected machine, as Glazunov executed the code with the full permissions of the user.
Glazunov won US$60,000 for this exploit as part of Google’s Pwnium hacker contest, which is taking place at the CanSecWest security conference in Vancouver, Canada. Google will give prizes of US$60,000, US$40,000 and US$20,000 out of a total US$1m prize fund depending on how participants manage to exploit Chrome on a Windows 7 PC.
In the Pwn2Own hacker contests, Chrome managed to withstand hacks for three years in a row.
Google hosted this competition in order to discover any unknown vulnerabilities within the Chrome browser.
“We have a big learning opportunity when we receive full end-to-end exploits,” wrote the company in a blog post.
“Not only can we fix the bugs, but by studying the vulnerability and exploit techniques we can enhance our mitigations, automated testing and sandboxing. This enables us to better protect our users,” it wrote.