VANCOUVER, British Columbia — The French security firm Vupen successfully cracked the Google Chrome Web browser on the first day of this year's Pwn2Own hacking contest, held annually at the CanSecWest security conference here.
In a demonstration at 1:30 p.m. PT on March 7, Vupen exploited a memory-corruption vulnerability in Chrome's WebKit component, a library used in numerous browsers, including Apple Safari and Google's Android browser.
"It's a pleasure," Chaouki Bekrar, Vupen chairman and CEO told SecurityNewsDaily shortly after demonstrating the hack. "We wanted to show that Google, despite the fact that it's a very secure browser — with a motivated team and enough resources, we can create a sophisticated exploit to bypass all security protections and fully compromise Chrome."
"Google is not unbreakable," Bekrar added. "We wanted to be the ones to make it fall."
Vupen researchers also leveraged a sandbox escape, allowing them to break out of Chrome's sandbox security feature, in place to contain bugs and prevent malicious code from executing on the user's system.
Vupen's exploit was performed on the latest stable version of Chrome, version 17.0.963.66, using a fully updated Windows 7 64-bit system.
This is the first time researchers have been able to successfully crack Chrome during the Pwn2Own contest.
"It's a big deal," Aaron Portnoy, manager of security research for HP TippingPoint, the sponsor of Pwn2Own, told SecurityNewsDaily.
Bekrar said his team spent six weeks developing the two exploits.
Per contest rules, Vupen submitted the memory corruption flaw to HP TippingPoint. The researchers are not required to report the Chrome sandbox exploit they demonstrated to Google or to HP TippingPoint.
Though the full contest prizes won't be announced until March 9, Bekrar already has an idea how he and his team will celebrate if they win.
"We'll probably open a bottle of champagne," he told SecurityNewsDaily. "As French guys, it's mandatory."
Related on SecurityNewsDaily:
Copyright 2012 SecurityNewsDaily, a TechMediaNetwork company. All rights reserved.