Want to uncover security flaws in your product before the bad guys do? Just put a big pile of money on the table.
Security researchers collected over $60,000 in prize money on Wednesday for reporting new zero-day flaws in Google’s Chrome web browser at the Pwn2Own and Pwnium security challenges held during the CanSecWest conference.
Google’s Chrome browser survived the gauntlet of hacker challenges at Pwn2Own in 2011, but this year it was the first to fall, and it took less than 5 minutes. The Pwn2Own Chrome exploit came from security research group VUPEN.
“Google Chrome is the first browser to fall at #pwn2own 2012, we pwned it using an exploit bypassing DEP/ASLR and the sandbox!” VUPEN wrote in a tweet yesterday afternoon.
DEP (Data Execution Prevention) is a security technology that prevents code loaded into memory regions marked non-executable from being run. ASLR (Address Space Layout Randomization) is a complementary technology that randomizes where code and data are placed in memory, making it harder for an attacker to find a predictable launch pad for an attack. Both DEP and ASLR have been attacked and defeated at Pwn2Own as far back as 2009.
For its part, Google mocked the Pwn2Own VUPEN win as being just a Flash bug. Chrome is the only web browser that directly integrates Flash into the browser.