Pwnium 2012 has concluded with 5 critical vulnerabilities of Google Chrome released and 4 of them patched with 2 stable updates this week. Well, that explains why your Chrome was downloading updates more than usual. Total $120,000 has been paid out to two hackers/security experts and if I am reading this correctly, renaming 880,000 will go to the Chrome security team. That’s a really nice way to appreciate their hard work!

The second patch went out Saturday, March 10, 2012 fixing the vulnerability which helped PinkiePie gain access of a Windows7 PC by visiting a website using Chrome. Here are the hilights from this blogpost.

Congratulations to PinkiePie (aka PwniePie) for a beautiful piece of work to close out the Pwnium competition!

We’re delighted at the success of Pwnium and the ability to study full exploits. We anticipate landing additional changes and hardening measures for both CVE-2011-3046 and CVE-2011-3047 in the near future. We also believe that both submissions are works of art and deserve wider sharing and recognition. We plan to do technical reports on both Pwnium submissions in the future.

• [Like a b-b-b-b-boss!!! $60,000] [117620] [117656] Critical CVE-2011-3047: Errant plug-in load and GPU process memory corruption. Credit to PinkiePie.

Can Anyone Hack A Browser in 5 Minutes?

I came across an interesting piece of “rant” on Google Plus which discusses a few items around Pwn2Own and such hacking contests. It is an interesting read. Here is what i liked the most.

Normally, teams prepare exploits in advance and then arrive at the contest, sit down, and use them — leading to true but misleading headlines like “XXX Browser hacked in 5 minutes at Pwn2Own!” …Well, probably days to months of preparation, really.

In any case, in the three previous years Chrome has been public (and thus been included) no one had touched us. By contrast, the only other browser to make it through one of those contests unexploited was Firefox — and it did it once.

Read the entire post here.

An Interesting Comment I received For My Last Post.

PAEz posted the following when I discussed about a “teenager” hacking Chrome. I agree with him completely on this, so I am re-posting it here for everyone.

No offense but I dont see a teenager cracking Chrome to be embarrassing. Teenagers can do some amazing code. Their young creative brains, mixed with their lack of experience can enable them to think outside the box better than someone with experience. Experience brings beliefs that constrict the way they think, while a young persons brain can buzz with new ways of thinking and looking at problems.

Pwnium  is in progress and we have a second full Chrome pwn, interestingly by a Teenager who will get $60,000 from Google as announced.The hacker who identified himself only as PinkiePie said he spent the past week and half working on the attack. It combined three previously unknown vulnerabilities to gain full system access to a Dell Inspiron laptop that ran a fully patched version of Chrome on top of the most up-to-date version of Windows 7.

This is the second full attack of Google Chrome during the conference. The first hack was by Sergey Glazunov who also won $60,000 from Google. 5 Chrome vulnerabilities have been found as part of these two hacks and 2 of them have been patched.

While “Pinkie Pie” was previously unknown to onlookers here, Googlers described him as a “known and respected security researcher.” He said he never considered selling the vulnerability to third-party brokers.  ”I’ve never sold a vulnerability before.”

Strangely, which sandbox escapes are rare, Pinkie Pie said the easiest part of his attack was jumping out of the Chrome sandbox after the initial exploit.

“I got lucky because I found a way [to jump out of the sandbox] very early.  I figured it out by looking at it carefully,” he added. He declined to discuss specifics of the vulnerabilities or the exploit techniques, deferring comments to Google representatives.

So, now we can wait for another patch from the Google team fixing this vulnerability.

For many, this will be a reason to say, “See, Chrome is not as secure as you think” Yes, we have to agree, no software is perfect. But this move from the Chrome team of encouraging security researchers to find vulnerabilities of the browser and patch them before “bad guys” get their hands on them,  I must call it “Smart“

Did Google plan something ahead of the Pwn2Own so that they can find out what exactly the VUPEN  team was using to hack in to Chrome?

Okay, to understand the story completely, I need to remind you all about this post. Security research group at VUPEN posted a video of their exploit breaking Chrome’s sandbox.

When the news came out, Chrome team claimed that the flawed code came from Adobe, one of the plugins used by Chrome, but it comes pre-installed with the browser. To confirm this, Google needed access to the exploit, pwnium helped.

On March 5, the protection was added to Google Chrome 17.0.963.65.  When the protection triggers, it generates a very unique signature — 0xABAD1DEA — which is hexidecimal that spells out “a bad idea.” The protection was meant to make the browser resilient to certain attacks but in a bit of cat-and-mouse, it was left in there to see if anyone would find it and make a public comment.

The VUPEN team arrived at CanSecWest and during testing of its exploits for Pwn2Own, they stumbled into the exception.  VUPEN exploit writer confirmed on Twitter:

So, that gave Google a confirmation that VUPEN is using Adobe’s flawed code to gain access to Chrome’s sandbox.

VUPEN co-founder Chaouki Bekrar, an outspoken exploit writer who insisted the team deliberately targeted Chrome to prove a point, was uncharacteristically coy when asked if the faulty Chrome code came from Adobe.

”It was a use-after-free vulnerability in the default installation of Chrome,” he said. “Our exploit

Got the story?

via Zdent

Finally, that day has come. After two years staying unreachable to hackers during annual Pwn2Own security conference, Chrome got hacked this time, that, became the first browser to lose the battle. Well, its ironic that this news comes just after the announcement from the US State Department that they will be deploying Chrome on all their computers.

This year, Vupen, the first team that successfully cracked Safari last year, set its sights on Chrome first after developing a plan of attack for six weeks. Its method took advantage of two zero-day exploits — unknown issues with a shipping product — and a baited website set up during the hack. Once the computer visited the site, the exploit ran and opened up the Chrome calculator extension outside of the browsers sandbox, demonstrating complete control of the up-to-date 64-bit Windows 7 box.

The details of the hack was not published but we saw an update to the Chrome browser soon after this news came out. It said this.

The Chrome Stable channel has been updated to 17.0.963.78 on Windows, Mac, Linux and Chrome Frame.  This release fixes issues with Flash games and videos, along with the security fix listed below.

Security fixes and rewards:

Congratulations again to community member Sergey Glazunov for the first submission to Pwnium!

• [Ch-ch-ch-ch-ching!!! $60,000] [117226] [117230] Critical CVE-2011-3046: UXSS and bad history navigation. Credit to Sergey Glazunov.

Was this the fix for the hack that brought Chrome down? I am not really sure yet. Anyone here knows more?

source

Update : Okay, that was fast Dan, thanks for the update. Here is the post by Google’s Sundar Pichai confirming this update.

We had the first successful exploit at Pwnium yesterday (https://plus.google.com/u/1/116651741222993143554/posts/5Eq5d9XgFqs) , and today we’ve already rolling out an update to protect our users. The team took less than 24 hours from initial report to verification to fix development to getting a fix out. we take the security of chrome very seriously for our users!

Google Chrome has a good performance record in the pwn2own annual conferences. This year, the team has come with some attractive offers for those who can hack Chrome, you can win up to $1 million if you are successful. Here are the hi-lights from the Chromium blog post.

While we’re proud of Chrome’s leading track record in past competitions, the fact is that not receiving exploits means that it’s harder to learn and improve. To maximize our chances of receiving exploits this year, we’ve upped the ante. We will directly sponsor up to $1 million worth of rewards in the following categories:

$60,000 – “Full Chrome exploit”: Chrome / Win7 local OS user account persistence using only bugs in Chrome itself.

$40,000 – “Partial Chrome exploit”: Chrome / Win7 local OS user account persistence using at least one bug in Chrome itself, plus other bugs. For example, a WebKit bug combined with a Windows sandbox bug.

$20,000 – “Consolation reward, Flash / Windows / other”: Chrome / Win7 local OS user account persistence that does not use bugs in Chrome. For example, bugs in one or more of Flash, Windows or a driver. These exploits are not specific to Chrome and will be a threat to users of any web browser. Although not specifically Chrome’s issue, we’ve decided to offer consolation prizes because these findings still help us toward our mission of making the entire web safer.

All winners will also receive a Chromebook.

Read more here.

Meet the new security feature coming to Chrome, “Do Not Track” It is already available for Firefox, IE and Safari. Google will ad this feature to Chrome by end of the year.

So, What Is “Do Not Track”

Well, it does pretty much the same thing as what the name says. Here is the official description of this initiative. donottrack.us provides guidelines on how this can be implemented as well.

Do Not Track is a technology and policy proposal that enables users to opt out of tracking by websites they do not visit, including analytics services, advertising networks, and social platforms. At present few of these third parties offer a reliable tracking opt out, and tools for blocking them are neither user-friendly nor comprehensive. Much like the popular Do Not Call registry, Do Not Track provides users with a single, simple, persistent choice to opt out of third-party web tracking.

Good news for all those extra security conscious mind here! Will you be enabling this feature/installing extension when it is available?

It’s better to use different passwords for different websites but I end up using the same for all because that’s more easy to manage. I also know that its better to have passwords with extra characters, symbols signs and numbers, but that’s too tough to remember.

What if Chrome helps you have such strong passwords, unique for each website you use?

Yes, Chrome wants to help you with the password management. This is still under discussion/design so we just have a design document showing how this is expected to work. But don’t worry, we will bring more info on this as soon as they implement this.

How Are They Going To Do This?

Chrome will detect when you are visiting a sign up page (looking at a “username” field and two “password” fields) now, next to the password field, it will invite you to use the new password generator. If user selects yes, a new password will be generated randomly with numbers, letters and additional characters.

Chrome Password Generator

Chrome saves this password for you and syncs it across your computers and will be ready for you to use on all of them, provided you have selected Chromesync to include passwords too.

Chrome Password Generator

What Happens When I Am Not Using “My” Chrome?

The design document is not giving details about this situation but their ides is to “ have a website similar to Valentine where users can sign in and view (and possibly export?) their passwords”

Problems and Challenges

This method is not perfect and has lot of challenges. For starters, this will secure only new passwords, not any of our existing passwords because the process starts at the sign up page.

If the website you are signing up have disabled “autocomplete” this wont work at all.  Another problem is, if someone hacks in to your Google Chrome account, they get access to all your passwords. This also makes Chrome a high value target for hackers.

This is in its early stages of development so we will soon see changes and improvements. Stay tuned for more!

source : Chromium Projects.  via François Beaufort

A great news for Google Chrome team, and us, users. BSI, a German government agency, has recommended Google Chrome as part of a best practice for Windows users.

“The Bundesamt für Sicherheit in der Informationstechnik (abbreviated BSI – in English: Federal Office for Information Security) is the German government agency in charge of managing computer and communication security for the German government”

Take a look at what they are saying about Chrome in this report.

The browser is the central component for using any online service on the Web and therefore is the most critical attack surface for cyber attacks. Therefore, if possible, you should use a browser with sandbox technology. The browser that currently most consistently implements this protection is Google Chrome (https://www.google.com/chrome). Comparable mechanisms implemented in other browsers are either weaker, or non-existent. By using Google Chrome, in addition to the other mechanisms we mentioned, you can significantly reduce the risk of a successful IT attack.

In addition to Chrome’s sandbox, the guide also highlights the importance of Chrome’s auto-update feature:

Equally positive is the auto-update functionality of Google Chrome, which includes a bundled version of the Adobe Flash Player. By bundling it with Chrome, the Adobe Flash Player will also always be kept up to date.

Google Chrome team  is promoting this news via their blog. I am sure this will give  a boost to Chrome user base in Germany and elsewhere.

Mitja Kolsek, CEO of ACROS Security has written a detailed article here explaining a security bug in Chrome which may let hackers run remote code in Chrome.

Even when Google is not accepting this as a bug, but just a “strange behavior” , Mitja has provided a detailed analysis and suggestions in his article. Here is his conclusion.

1. Loading data files from untrusted locations can be dangerous, and this includes current working directory. Action item: fire up Process Monitor while testing your applications and see what they’re loading.

2. 3rd party libraries can introduce vulnerabilities into your software, and possibly only into your software. Action item: use 3rd party libraries whose developers are quick in fixing or at least which you can patch yourself. (The NSS library with this particular bug fortunately has both of these properties.)

3. What is a vulnerability to some, can be just strange behavior to others, and there’s no industry criteria for telling who’s right. (Although we can probably agree that the actual attacker is always right.) Action item for the issue described in this post: Make sure your Chrome home page is an HTTPS address or loads at least one HTTPS resource, and you won’t have to care who’s right.

Read the full article here.

Google Chrome was accidently marked as malware on Microsoft Security Essentials recently. It started deleting the browser from users’ computers.

Here is the fix from Google Chrome team. It gives to steps to correct the issue and re-install the program.

 We are releasing an update that will automatically repair Chrome for affected users over the course of the next 24 hours. In the meantime, if you want to fix the problem with Microsoft Security Essentials and restore Chrome manually, please follow the instructions below.

Read the full set of instructions from Official Google Chrome Blog Here.