Security researcher Pinkie Pie nets US$60,000 for Chrome exploit
Google says a patch closing the exploit was released less than 10 hours after Pwnium 2 concluded
When a submission for Pwnium 2 came in, Chris Evans, who leads the Chrome security team, was standing at the Google booth with a friend who works at Adobe.
“The thought in his head was ‘please don’t let it be Flash’,” said Evans, speaking during the last conference slot on the final day of the HITB Security Conference, hosted at the Intercontinental Hotel in Kuala Lumpur.
It wasn’t Flash, but it was indeed a valid exploit, submitted by returning ‘pwner’ Pinkie Pie. The exploit was confirmed at midnight (Oct 9) by Google’s home team back in the United States.
“Since this exploit depends entirely on bugs within Chrome to achieve code execution, it qualifies for our highest award level as a ‘full Chrome exploit’, a US$60,000 prize and free Chromebook,” said Evans in his blog post reporting the find.
The exploit chained two bugs: a WebKit Scalable Vector Graphics (SVG) vulnerability to compromise the renderer process, and a second bug in the inter-process communication (IPC) layer to escape the Chrome sandbox.
“Pinkie Pie pwned Chrome pretty hard, but we’re very happy to have him enter again,” said Evans.
“Pwn” is hacker slang for taking over or compromising a computer so that the attacker controls the device.
During his HITB presentation, Evans also shared that back in Sept 2010, a security researcher known as ncspz posted the following message: “The SVG module will make Google go bankrupt.”
“Guess he was a visionary and Google is about US$120,000 closer to his prediction,” said Evans. To date, Google’s Chromium reward program has paid out 489 rewards totaling US$650,000.
This is the second time Pinkie Pie has captured top honors in Google’s Pwnium challenge.
In March of this year, at the first Pwnium contest, held during the Pwn2Own competition at CanSecWest, he was rewarded for vulnerabilities he used to break out of the browser’s sandbox and execute code.
He had to combine a total of six vulnerabilities to get his code to execute on the test system at the time; the holes were later closed with the release of Chrome 18.
“We’re also pretty pleased with the time it took to release the patch for this exploit. We beat our record from the first Pwnium challenge,” said Evans.
“We started analyzing the exploit as soon as it was submitted, and in fewer than 10 hours after Pwnium 2 concluded we were updating users with a freshly patched version of Chrome,” he added.
Only one other submission was made to Pwnium 2, a previously unknown kernel driver vulnerability from security researcher Nikita Tarakanov (@NTarakanov), which dispels the “no-one entered” myth. However, it did not work in the sandbox and was considered a “non-entry.”