Google has pushed out a patch for the second full sandbox escape exploit used in the Pwnium contest at CanSecWest. The Chrome vulnerabilities that the exploit targeted were discovered by an anonymous researcher who used the name PinkiePie and claimed a $60,000 reward from Google.
The attack that the researcher used included three separate vulnerabilities which he was able to string together to compromise Chrome. The researcher did not use his real name, but Google security officials at the conference said that they knew who he was and that he was well-respected in the security community. He had been working on the attack for a while and Google officials were unsure whether he’d be able to complete before the Pwnium contest ended Friday afternoon.
The contest was created as a rival to the Pwn2Own contest at CanSecWest, which as been running for several years. Google officials said they were happy with the results of Pwnium, which attracted two full sandbox escapes in Chrome, and the contest could end up being expanded in future years.
“We’re delighted at the success of Pwnium and the ability to study full exploits. We anticipate landing additional changes and hardening measures for both CVE-2011-3046 and CVE-2011-3047 in the near future. We also believe that both submissions are works of art and deserve wider sharing and recognition. We plan to do technical reports on both Pwnium submissions in the future,” Jason Kersey of Google said in a blog post.
Google patched the other vulnerabilities used by researcher Sergey Glazunov in the contest last week.