Google Chrome Hacked in 2 Minutes At Pwn2Own 2012

Finally, that day has come. After two years staying unreachable to hackers during annual Pwn2Own security conference, Chrome got hacked this time, that, became the first browser to lose the battle. Well, its ironic that this news comes just after the announcement from the US State Department that they will be deploying Chrome on all their computers.

This year, Vupen, the first team that successfully cracked Safari last year, set its sights on Chrome first after developing a plan of attack for six weeks. Its method took advantage of two zero-day exploits — unknown issues with a shipping product — and a baited website set up during the hack. Once the computer visited the site, the exploit ran and opened up the Chrome calculator extension outside of the browsers sandbox, demonstrating complete control of the up-to-date 64-bit Windows 7 box.

The details of the hack was not published but we saw an update to the Chrome browser soon after this news came out. It said this.

The Chrome Stable channel has been updated to 17.0.963.78 on Windows, Mac, Linux and Chrome Frame.  This release fixes issues with Flash games and videos, along with the security fix listed below.

Security fixes and rewards:

Congratulations again to community member Sergey Glazunov for the first submission to Pwnium!

  • [Ch-ch-ch-ch-ching!!! $60,000] [117226] [117230] Critical CVE-2011-3046: UXSS and bad history navigation. Credit to Sergey Glazunov.

chrome news  Google Chrome Hacked in 2 Minutes At Pwn2Own 2012

Was this the fix for the hack that brought Chrome down? I am not really sure yet. Anyone here knows more?

source

Update : Okay, that was fast Dan, thanks for the update. Here is the post by Google’s Sundar Pichai confirming this update.

We had the first successful exploit at Pwnium yesterday (https://plus.google.com/u/1/116651741222993143554/posts/5Eq5d9XgFqs) , and today we’ve already rolling out an update to protect our users. The team took less than 24 hours from initial report to verification to fix development to getting a fix out. we take the security of chrome very seriously for our users!