VANCOUVER–A group of researchers from VUPEN, a French security firm, was able to compromise Google Chrome in the initial stages of the Pwn2Own contest. But because of the new rules this year, that doesn’t guarantee them a win in the contest. Rather, it just gives them a nice head start.
The successful exploitation of Chrome via a new vulnerability is the second ding against the browser within a couple of hours at the CanSecWest conference here. Earlier in the day, Sergey Glazunov was able to compromise Chrome as part of Google’s own Pwnium contest, earning a $60,000 reward from the company. The exploit by VUPEN gives them a lead in Pwn2Own, which is now a three-day, points-based program rather than the one-shot contest it has been for the last four years.
Under the new system, VUPEN’s Chrome exploit gets them 32 points. There are several other components to the contest as well, including the addition of known vulnerabilities in the various targets for which the contestants must write their own exploits. Each successful exploit of that kind earns points as well, and the team with the most points at the end of the three days wins the $60,000 first prize.
So far, VUPEN is the only team to begin the competition. In previous years, contestants needed to pre-register and the organizers from TippingPoint’s Zero Day Initiative knew how many participants there would be. However, they didn’t require registration this year, so there may be other teams showing up in the coming days.
“I wouldn’t be surprised if no one else showed up, though,” said Aaron Portnoy, manager of the security research team at TippingPoint. “If they heard that VUPEN was showing up with 0-days for every single browser, and this is all they do, all day, every day, that might discourage them.”
When the new rules for Pwn2Own were announced earlier this year, there was some controversy surrounding them, specifically the question of whether competitors would be required to hand over their exploitation techniques as well as the details of their bugs. Portnoy said that contestants never have been required to turn over exploits, only bugs.
“All we care about is the crash,” he said. “Anything that happens after that isn’t our interest. Sandbox escapes are post-exploitation. We only care about the details of the crash and what we can use to defend against it. The more bugs that get killed, the better.”