
Google Chrome's winning streak fades at annual hacking contest


7 replies to this topic

#1 Baderous

  • Unsigned User
  • Moderator
  • 2677 posts

Posted 08 March 2012 - 15:24

Quote

As day one of the annual Pwn2Own hacker contest wound down on Wednesday, no browser suffered more abuse than Google Chrome, which was felled by an attack exploiting a previously unknown vulnerability in the most up-to-date version. Combined with a separate contest Google sponsored a few feet away, it was the second zero-day attack visited on Chrome in a span of a few hours.

It was a rare event. To date, there are no known reports of a zero-day attack ever hitting Chrome in the wild, and at the previous three years' contests, Chrome escaped unscathed, even as Internet Explorer, Firefox, and Safari were brought down by exploits that allowed the attackers to take complete control of the machine running the software. The chief reason: Chrome's security sandbox—which isolates web content inside a highly restricted perimeter that's separated from the rest of the operating system—makes it harder to write reliable attacks.

"We pwned Chrome to make things clear to everyone," said Chaouki Bekrar, CEO of Vupen Security, which wielded the Chrome zero-day an hour or so after the contest began on Wednesday. "We wanted to show that even Chrome is not unbreakable."

A contestant in the second contest, which Google has dubbed "Pwnium," was also able to bypass the Chrome sandbox so he could execute any code of his choosing on the underlying machine. Sergey Glazunov wasn't on site to discuss the hack. Google has said only that for him to win the top $60,000 reward, his exploit was required to bypass the sandbox using code native to Chrome.

Bekrar told Ars that his team's attack exploited what's known as a use-after-free bug to bypass DEP, or data execution prevention, and ASLR, or address space layout randomization. Both mitigations are designed to prevent hackers from executing malicious code even when they locate vulnerabilities. He said it exploited a second vulnerability that allows code to break out of the sandbox. He declined to detail the vulnerable component, except to say it was found in the "default" installation of the Google browser.

That detail led several observers to speculate that an Adobe Flash plugin was the means Vupen used to access more sensitive parts of the operating system. While Chrome runs the media player add-on in its own sandbox, the perimeter is considerably more porous than it is with other components, security researchers say. Core functionality in Flash, for instance, requires the app be able to control web cams and microphones, access system state, and connect to display monitors and other connected devices.

Now in its sixth year at the CanSecWest security conference in Vancouver, the contest rules this time around have been significantly reworked. In the past, organizer Tipping Point paid as much as $15,000 to the first person who exploited a fully patched version of each targeted software. Competitors on Wednesday scored 32 points for zero-day vulnerabilities, and they received 10 points each for exploiting already patched security flaws.

The new rules require nimbleness on the part of contestants because they learned which six patched flaws were eligible only as the competition got underway. Tipping Point gave them a virtual machine containing only a trigger that caused each browser to crash. It was then up to the hackers to use debuggers, disassemblers and other tools to isolate the cause of the crash and to engineer an exploit that allowed them to remotely execute code.

"It's really challenging because you don't only need to show you can create sophisticated exploits but you also have to show that you can create exploits very quickly," Bekrar said. "Our team creates exploits every day, every year, so for us it was a nice challenge."

So far, his team has exploited three of the six eligible vulnerabilities. It took 20 minutes to develop an attack for version 8 of IE running on Windows XP, an hour to write one that pwned Safari 5 on OS X Snow Leopard, and two hours for one that compromised Firefox 3 on Windows XP. That left Vupen with 62 points as day one was winding down. A separate contestant that had entered had no points, but it was still possible for members to submit entries until midnight. The contestants will also have a shot at the same vulnerabilities on Thursday and Friday, although the points scored diminish over time.

Vupen plans to exploit the remaining patched vulnerabilities on Thursday. But Bekrar, who said his team spent six months developing multiple zero-days for all four of the eligible browsers, said people shouldn't be surprised if Vupen drops another one in the coming day.

"I think tomorrow we will go for another browser, just for fun," he said.

Source: http://arstechnica.com/business/news/2012/03/google-chromes-winning-streak-fades-at-annual-hacking-contest.ars
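The article says Vupen's attack started from a use-after-free. As an added example (not Vupen's exploit, not Chrome code, and not from the article), the block below shows the bug class in miniature: an object is freed while a second reference to it survives, an attacker-sized allocation lands in the freed slot, and the stale reference then "calls" through attacker-controlled data. The fixed-size slab allocator, the `Listener`/`Page` types, the handler functions and the 0x41414141 marker are all constructed for illustration; the slab exists only so that slot reuse is deterministic instead of depending on libc's heap layout.

```c
#include <stdio.h>
#include <string.h>

/* Toy fixed-size slab allocator (constructed for this example). Freeing a slot
 * pushes it on a free list and the next allocation gets that exact slot back,
 * which is the reuse a real exploit arranges by heap grooming. */
#define SLOT_SIZE  32
#define SLOT_COUNT 8

static unsigned char slab[SLOT_COUNT * SLOT_SIZE];
static int free_list[SLOT_COUNT];
static int free_top;

static void slab_reset(void) {
    memset(slab, 0, sizeof slab);
    free_top = 0;
    for (int i = SLOT_COUNT - 1; i >= 0; i--) free_list[free_top++] = i;
}

static void *slab_alloc(void) {
    return free_top ? (void *)(slab + free_list[--free_top] * SLOT_SIZE) : NULL;
}

static void slab_free(void *p) {
    int idx = (int)(((unsigned char *)p - slab) / SLOT_SIZE);
    free_list[free_top++] = idx;
}

/* A plugin-like object holding a callback the host later invokes.
 * Its function pointer plays the role of a vtable entry. */
typedef struct {
    int (*on_event)(int);
    int state;
} Listener;

static int benign_handler(int x) { return x + 1; }

/* Stands in for hijacked control flow. In a real exploit the overwritten
 * pointer would be used to leak addresses (defeating ASLR) and pivot into
 * a ROP chain (defeating DEP); here it just returns a recognisable marker. */
static int attacker_handler(int x) { (void)x; return 0x41414141; }

/* Two owners refer to the same Listener: the page's document and an event
 * table. The defect is that destroy() only clears one of them. */
typedef struct {
    Listener *event_table;
    Listener *document;
} Page;

static Page setup(void) {
    Page page;
    slab_reset();
    Listener *l = slab_alloc();
    l->on_event = benign_handler;
    l->state = 0;
    page.document = l;
    page.event_table = l;   /* second reference to the same object */
    return page;
}

/* Vulnerable: the object is freed but event_table keeps pointing at the slot. */
int demo_vulnerable(void) {
    Page page = setup();
    slab_free(page.document);
    page.document = NULL;               /* event_table left dangling */

    Listener *spray = slab_alloc();     /* same size: reuses the freed slot */
    spray->on_event = attacker_handler; /* attacker-controlled bytes land where the vtable was */
    spray->state = 0;

    return page.event_table->on_event(1);  /* use-after-free: calls attacker_handler */
}

/* Hardened: every owner drops its reference at destroy time and the host
 * refuses to dispatch through a cleared reference. */
int demo_hardened(void) {
    Page page = setup();
    page.event_table = NULL;            /* unregister before freeing */
    slab_free(page.document);
    page.document = NULL;

    Listener *spray = slab_alloc();     /* reuse still happens, but nothing points at it */
    spray->on_event = attacker_handler;
    spray->state = 0;

    if (page.event_table == NULL) return -1;  /* no listener: nothing to call */
    return page.event_table->on_event(1);
}

int main(void) {
    printf("vulnerable: 0x%x\n", (unsigned)demo_vulnerable());
    printf("hardened:   %d\n", demo_hardened());
    return 0;
}
```

The vulnerable path returns the attacker's marker because the stale `event_table` pointer and the new `spray` allocation name the same bytes; the only difference in the hardened path is that the second owner is cleared before the free, which is the ownership discipline that real browsers enforce (and that memory-safety tooling such as poisoning freed memory is designed to catch when it is missing).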

#2 Baderous

  • Unsigned User
  • Moderator
  • 2677 posts

Posted 09 March 2012 - 01:32

After the pwnage: Critical Google Chrome hole plugged in 24 hours

#3 HecKel

  • Stack Overflow
  • Member
  • 8882 posts

Posted 09 March 2012 - 20:07

Being the first to fall is what I didn't expect...

#4 taviroquai

  • Unsigned User
  • Member
  • 1665 posts

Posted 09 March 2012 - 20:57

Quote

"I think tomorrow we will go for another browser, just for fun," he said.

Lol, I imagine he was referring to IE... :thumbsup:

#5 Baderous

  • Unsigned User
  • Moderator
  • 2677 posts

Posted 09 March 2012 - 21:49

taviroquai, on 09 March 2012 - 20:57, said:

Lol, I imagine he was referring to IE... :thumbsup:
IE 9, on most secure Windows yet, next browser to fall at hacker contest

#6 Baderous

  • Unsigned User
  • Moderator
  • 2677 posts

Posted 10 March 2012 - 17:32

At hacking contest, Google Chrome falls to third zero-day attack (Updated)

#7 taviroquai

  • Unsigned User
  • Member
  • 1665 posts

Posted 10 March 2012 - 21:03

Baderous, on 10 March 2012 - 17:32, said:

Quote

It's now almost certain that attack relied on Adobe Flash to break out of the safety perimeter.

So in the end, is it Chrome's responsibility or Flash Player's??? :thumbsup:

#8 pedrotuga

  • Stack Overflow
  • Member
  • 7517 posts

Posted 11 March 2012 - 11:17

taviroquai, on 10 March 2012 - 21:03, said:

So in the end, is it Chrome's responsibility or Flash Player's??? :thumbsup:

One of Chrome's big advantages, in terms of convenience, is that it comes with Flash built in. If they take that on as a matter of convenience, they also have to take on the risks it brings.
IE and Firefox don't come with Flash, and if you install Flash, they warn you clearly that they can't do anything about the security compromise you are incurring.

I think what is happening with Chrome is natural. It made no sense for them to sit there in a privileged position strutting about being the best. Their browser, after all, is no more secure than the others. Google does try to keep up its reputation for excellence, but the more it establishes itself in markets shared with the other big companies, the closer it gets to them in the bad things too.