Tag Archive | "governments"

Google’s Chrome browser is first to fall at Pwn2own hacking contest


After managing to evade hackers for a number of years, Google’s browser is targeted by French group Vupen, which has a controversial method of funding itself: selling vulnerabilities to governments

Well, that’s a turn-up for the books: Google’s Chrome browser has been the first to be hacked at the annual Pwn2own competition. Having seen its product being untouchable for the past two years, the company may have become a little overconfident – and offered up to $60,000 to anyone who could hack it at all, up to a limit of $1m.

It was a challenge which a French team, Vupen, was very happy to take – and break. In fact, they hacked Chrome during the first five minutes of the competition, and (under the new rules) took 32 points. It also earns them $20,000 from Chrome for using bugs in Chrome itself to gain “full unsandboxed code execution”. Note: a representative for Pwn2own tells us that “Vupen did not compete in the Pwnium competition and therefore will not receive any money from Google.”

Also: Google has updated Chrome to fix the hole exploited by the hack. (Thanks @rquick for the link.)

The hack was carried out on the Windows version: according to Justin Schuh, of Google’s Chrome team, the exploit “didn’t break out of the sandbox… it avoided the sandbox”. Update: Pwn2own says that the sandbox-avoiding exploit “is true for the competitor in Pwnium. Vupen’s was a full sandbox escape for Pwn2own.”

The Twitter feed for the contest (which began at 12 noon Pacific time on Wednesday) indicates that Safari was the next to fall – again by Vupen.

Vupen has attracted some controversy by discovering and then selling vulnerabilities and exploits to government customers – a business that one might think is both lucrative and risky. Chaouki Bekrar, the co-founder and head of research, told ZDNet that “We had to use two vulnerabilities. The first one was to bypass DEP and ASLR on Windows and a second one to break out of the Chrome sandbox.”

In fact the Vupen team had achieved this last May, though too late of course for the March-timed Pwn2own. At the time they said that:

The user is tricked into visiting a specially crafted web page hosting the exploit which will execute various payloads to ultimately download the Calculator from a remote location and launch it outside the sandbox (at Medium integrity level).

No trickery is needed at the contest, of course, because the teams can direct the browsers to whatever pages they’ve set up to exploit vulnerabilities. Vupen said that they have come armed with vulnerabilities which will exploit each of the browsers on show – Internet Explorer, Firefox, Chrome and Safari. But they decided to go after Chrome first, Bekrar told ZDNet: “We wanted to show that Chrome was not unbreakable. Last year, we saw a lot of headlines that no one could hack Chrome. We wanted to make sure it was the first to fall this year.”

Equally he was complimentary about Chrome, generally seen as possibly the most secure browser because of its hefty sandboxing. “The Chrome sandbox is the most secure sandbox out there,” Bekrar told ZDNet. “It’s not an easy task to create a full exploit to bypass all the protections in the sandbox. I can say that Chrome is one of the most secure browsers available.”

An interesting point for Vupen is that all of the hacks used at Pwn2own are meant then to be disclosed publicly – which implies that they have either sold them already to customers (who will have been told to make use of them by this date, or may be feeling a little narked), or that they’re just polishing their reputation by hacking everything in sight. With day one over, Vupen looks to be far ahead of the rest. Update: Pwn2own tells us that “Everything Vupen displays at Pwn2own was created especially for this competition. The exploits were not previously sold to customers.”

There’s a page with the progress of the Pwn2own competition. Vupen is miles ahead of everyone at present with 124 points. The competition ends on Friday 9 March.

The competition, which has been running for a number of years, has usually seen Apple’s Safari being the first to fall (usually at the hands of fabled ex-NSA hacker Charlie Miller), with Firefox and Internet Explorer surviving longer. The advent of Chrome in the past few years has changed the landscape: its sandboxing and general security model have made it proof against repeated attacks. (The browsers run on the latest, fully-patched versions of Windows or Mac OSX; this year, it’s Windows 7 and Lion.)

Charles Arthur, guardian.co.uk © 2012 Guardian News and Media Limited or its affiliated companies. All rights reserved.


Kanye: I will pick up where Steve Jobs left off


Shut your eyes for a moment and imagine that Apple has just appointed a new creative director: Kanye West.

How did that feel? It’s an important experiment because, just last night, Kanye took to Twitter to announce that he is the successor to Steve Jobs.

No, not at Apple. Instead, he tweeted that he is creating a company called Donda (his late mother’s name) that “will pick up where Steve Jobs left off.”

His precise tweet–one of many–read: “We can collectively effect the world trough (sic) design. we need to pick up where steve jobs left off.” (A brief suggestion: Perhaps Kanye might reconsider naming his company “World Trough Design.” Just a thought.)

You might think this is the mere boastfulness of a large-ego’d rapper. You might be right. For Kanye also tweeted that “DONDA will be comprised of over 22 divisions with a goal to make products and experiences that people want and can afford…”

Might its first product be a cheap, 7″ iPad, um, killer? Kanye’s ambitions seem not to be as mundane as that. For he also tweeted: “We need scientist and top world designers to directly affect governments.”

You might think that he’s merely being a little, well, Kanye. But he insists: “I am assembling a team of architects, graphic designers, directors musicians, producers, AnRs, writers, publicist, social media experts…”

Yes, we certainly need those AnRs to directly affect governments. However, with Jobsian overtones, West said he wants to “marry our wants and needs” — presumably in a civil ceremony.

You know he’s serious when he tweets: “I know this is not a very rapper thing to say but I haven’t bought a new car or piece of jewelry in about 2 years…”

At this point, you might be chuckling. But peer through his eccentricity and you might conclude that he’s right. Most products that one sees in the wide world are homogenized dull lumps of beige. Most have the taste level of Ann Taylor’s spinster sister.

Why not strive to create things that are a little more aesthetically pleasing and functional at the same time? Or, to use Kanye’s words: “We need to take what Michael Jackson felt and Mcqueen and Steve Jobs and we need make things better…”

You might think that the great rapper is merely using Steve Jobs’ name symbolically.

However, just before he (presumably) went to bed last night, Kanye offered this tweet: “If you have an apple and I have an apple and we exchange these apples then you and I will still each have one apple. ….”

You see. This really is all about Apple. Or, rather, Apples.

(Credit:Screenshot: Chris Matyszczyk/CNET)


Britain decries Internet censorship


LONDON, Nov. 3 (UPI) — Governments shouldn’t censor opinions or restrict the flow of information on the Internet in the name of security, British Foreign Secretary William Hague says.

Hague, speaking at the London Conference on Cyberspace, said that while cybersecurity threats loom large for all nations, governments censoring what is posted on the Internet isn’t the way to deal with them.

“We reject the view that government suppression of the Internet, phone networks and social media at times of unrest is acceptable,” he said.

Instead, the chief British diplomat outlined a set of seven principles he asserted could be used to reach broad international agreements to help fight burgeoning cybercrime and espionage without trampling on freedom of expression or handing too much power to individual governments.

Hague told a reception for delegates at the two-day conference – in which representatives of 60 countries gathered to discuss cybersecurity – that it’s vital the Internet remain a bastion of free speech, the Financial Times reported.


“It is essential that the debate is as inclusive as possible, everyone has an interest in these issues and no one person or body controls the Internet,” he said.

The principles Hague put forward included “the need for governments to act proportionately” and in line with international law.

The foreign minister also called for protection of freedom of expression; respect for privacy and copyright; and for internationally coordinated action against criminals acting online, The Wall Street Journal reported.

Britain’s call for less government censorship of the Internet came only a month after China and Russia, which Britain and the United States accuse of censoring political speech on the Internet, proposed standards in which policing cyberspace would be left to each country.

They had only a small presence at the cyberspace conference after issuing their own visions of Internet governance last month, joined by Tajikistan and Uzbekistan.

In a letter sent to the U.N. Secretary-General Ban Ki-moon, the four advocated a cyberspace code of conduct centered on the rights of individual governments to control the dissemination of information that “undermines other countries’ political, economic and social stability, as well as their spiritual and cultural environment,” the Journal reported.

But U.S. Vice President Joe Biden, appearing via teleconference at Tuesday’s event, said that kind of government control over the Internet isn’t necessary or desirable.

“This in our view would lead to a fragmented Internet,” he said.

Internet free speech advocacy groups also put in appearances at the London conference, eager to condemn government clampdowns on cyberspace freedoms, including such moves made by Western governments.

John Kampfner, chief executive of the Index on Censorship group, noted the British government has discussed restrictions on the use of social media in the wake of this year’s London riots.

“It’s very easy to defend this case of black and white human rights against dictatorships around the world, but as soon as our own Western style stability of the state is called into question then freedom of expression is expendable,” Kampfner told attendees, Deutsche-Welle reported.

“There should be one rule for all, including Western governments.”
