It's that time again folks, the hosting of the Pwn2Own hacking contest.
This year has, for the first time, seen Google's Chrome browser fall almost immediately to two zero-day exploits, which had avoided discovery for the past three years. The exploits make use of a use-after-free bug to bypass typical protections such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR), combined with a second exploit that allows code execution outside the safety of the Chrome sandbox.
Though exact details of the hack were not revealed, it's strongly suspected to be via a bundled Adobe Flash plugin, surprise surprise, which, to function correctly, requires a less stringent sandbox to run in.
Researchers this year paid specific attention to Google Chrome, as the browser had previously been seen as an impregnable fortress protecting web users. Shortly after the downfall of the previously undefeated king, the latest release of Internet Explorer 9 atop Windows 7 SP1 was likewise successfully hacked with two previously unknown exploits, with other browsers following the trend throughout the event.
Researchers commented that it was easier to break free of the Internet Explorer 9 sandbox than the sandbox of Chrome, as it's both less restrictive and riddled with memory-corruption bugs. It was pointed out, however, that the latest beta of IE 10 running in Protected Mode did come much closer to the security offered by Chrome and could pose some serious competition in the near future.
No doubt both Google and Microsoft will be rushing to implement a few fixes into their next releases.