Dueling browser-exploit contests at the CanSecWest conference yielded immediate results -- two hacks against Google Chrome -- with contestants in both competitions demonstrating exploits within an hour of the contests' opening.
In both cases, contestants first demonstrated they could take over a fully patched Chrome browser and then turned the exploits over to contest officials to verify.
In the Chrome Pwnium contest, run by Google, the exploit preyed on two vulnerabilities and won $60,000 for its author, Sergey Glazunov, a member of the Chromium Hall of Fame for finding Chrome bugs and recipient previously of about $88,000 for finding Chrome bugs.
He exploited two vulnerabilities and avoided the Chrome sandbox that is supposed to mitigate exploits to the browser.
In Pwn2Own, French consulting company Vupen took down the browser with a zero-day exploit that used a flaw in the browser itself and also broke out of the browser's sandbox that is supposed to be a secure execution environment. The exploit won the five-man Vupen team 32 points in the competition.
In the Pwnium case, Glazunov turns over details of his entire exploit to Google, which will then patch it. In the Pwn2Own contest, Vupen's CEO turned the exploit against the browser itself to contest officials, who will reveal it to Google for patching.
But Vupen CEO Chaouki Bekrar says he has no intention of turning over details of the sandbox escape. "That vulnerability is very rare. We'll keep it for our own customers," says Bekrar.
Vupen sells exploits against browsers to its clients, mainly government covert agencies from countries around the world. "That's life," he says.
Both Glazunov and Vupen worked on their exploits prior to the competition and merely demonstrated them when the competition opened today.
Glazunov was not at the CanSecWest conference himself, but sent a proxy to demonstrate his zero-day exploit.
Vupen sent a team that has been preparing nearly full time for the competition for six weeks, Bekrar says. It has come with more than one Chrome exploit, and exploits for all the other browsers being targeted in the competition -- Safari, Internet Explorer, Firefox. It will wheel them out as needed in order to win the contest, Vupen says, so some of the exploits may go home with him without being made public.
Pwn2Own is sponsored by the Zero Day Initiative and HP/Tippingpoint. First prize is $60,000, second is $30,000 and third is $15,000, depending on which team accumulates the most points.
Gamesmanship has already started with Vupen scoring 32 points and attacking the second phase of the competition, which calls for writing an exploit that takes advantage of a previously patched flaw. So contestants receive a laptop with earlier versions of browsers that contain vulnerabilities that have been patched in the most current versions, and are tasked with exploiting those specific vulnerabilities.
The presence of Vupen's team has apparently intimidated other competitors, at least in the short term, says Aaron Portnoy, manager of security research for HP/Tippingpoint. In previous years, individuals entered the contest on the first day hoping to win, he says.
But this year the rules have changed. Before, contestants were randomly given a browser to attack. This year, contestants can attempt zero day attacks against any of the browsers being targeted in the contest, Portnoy says.
The Vupen team and its professed ability to zero-day any browser in the contest may have individuals with fewer resources hanging back. "They may scare people off," he says. Portnoy says he knows of other potential competitors who might jump in on the final day to try for second and third place, essentially conceding first to Vupen.
This is the first year for Chrome Pwnium and in previous years, Google has helped sponsor Pwn2Own. This year Google wanted Pwn2Own to require that any sandbox escapes be turned over to Google, and the Zero Day Initiative declined.
The rationale for that as expressed by the blog for HP/Tippingpoint's DVLabs is that nobody would compete if that were a requirement. Sandbox escapes are so rare they are worth more on the open market than the contest organizers could hope to post as prize money. If someone had one, they wouldn't expose it for a mere $60,000 prize.
The blog predicts no one will demonstrate a chrome sandbox escape in Chrome Pwnium. It may get some code execution exploits that are more common, the blog says.
The Zero Day Initiative figures that if contestants don't have to reveal their sandbox escapes, they may well compete and reveal the code exploits that they have come up with. Those code exploit vulnerabilities can then be patched, which makes at least some progress toward improving Chrome security, the blog says.