CVEs: CVE: CVE-2011-3047
Platform: Cross Platform
View full post on @RISK: The Consensus Security Alert
View full post on National Cyber Security
Google has updated its Chrome browser, fixing an issue that was first uncovered at its Pwnium browser hacking contest. A Russian security researcher won $60,000 for demonstrating his exploit at the hackathon solely focused on Chrome hacks.
During Google’s Pwnium contest at the CanSecWest security conference, Russian bug hunter Sergey Glazunov demonstrated a Chrome exploit that completely defeats the browser’s much touted security sandbox.
Chrome is viewed as one of the most secure web browsers by the security community, primarily because of its sandboxed architecture, which restricts how it interacts with the OS and significantly limits what attackers can do if they exploit a vulnerability. A panel of security experts from Accuvant and Coverity, who analysed the defensive capabilities of modern browsers in depth, said last week at the RSA security conference that Chrome’s sandbox prevents processes from doing much of anything on the system.
However, there is a consensus in the security community that while sandboxing is a strong anti-exploitation mechanism, it does not provide a perfect defence and a determined attacker can theoretically defeat it, although with a lot of work.
For this year’s CanSecWest conference, Google decided to run a contest called Pwnium in parallel with TippingPoint’s well known Pwn2Own contest, which rewards security researchers for finding and exploiting unpatched remote code execution (RCE) vulnerabilities in browsers.
Pwnium has a maximum prize pool of $1 million (£600,000) and rewards various types of Chrome exploits. The largest prize is $60,000 and is awarded to researchers who demonstrate persistent RCE exploits that target only vulnerabilities in Google Chrome’s code.
The first to earn this top reward was Sergey Glazunov, a regular Chrome bug hunter, who demonstrated an exploit that completely bypassed Chrome’s sandbox.
The exploit was validated by the Google Chrome team.
“Congrats to long time Chromium contributor Sergey Glazunov who just submitted our first Pwnium entry. Looks like it qualifies as a ‘Full Chrome’ exploit,” Sundar Pichai, Google’s senior vice president for Chrome, said via his Google+ account. “We’re working fast on a fix that we’ll push via auto-update.”
Other Chrome security engineers, like Justin Schuh or Chris Evans, expressed their excitement about the exploit via Twitter.
“What a great bug from Sergey. But still a whole ton of cash left, hoping for more entrants,” Evans said.
Glazunov, who has earned many rewards for finding Chrome vulnerabilities in the past, wasn’t at CanSecWest in person. Instead he submitted his Pwnium entry through independent security researcher Aaron Sigel.
During day one of the Pwn2Own contest, a team of researchers from French security firm VUPEN Security also managed to hack Chrome. However, Chrome’s security team suspects that the researchers’ exploit targeted a vulnerability in the Flash Player plug-in that comes with the browser by default.
If that’s true, VUPEN’s exploit would have only qualified for a Pwnium consolation prize of $20,000, had it been submitted to the contest. VUPEN didn’t confirm that their Pwn2Own Chrome exploit targeted a Flash Player vulnerability, which isn’t prohibited by the Pwn2Own contest rules.
Google’s browser falls in two separate hacking challenges as researchers probe for zero-day security holes.
It may be hard out there for a pimp, but it just got a little bit more lucrative for a hacker.
Google announced on Monday that it would pay $1 million in cash awards to anyone who can hack its Chrome browser during its Pwnium security challenge next week in Vancouver at the CanSecWest conference.
Google has pledged to pay multiple awards in the amounts of $60,000, $40,000 and $20,000, depending on the severity of the exploits, up to $1 million. Winners will also receive a Chromebook.
“We require each set of exploit bugs to be reliable, fully functional end to end, disjoint, of critical impact, present in the latest versions and genuinely ’0-day,’ i.e. not known to us or previously shared with third parties,” Google wrote on its blog.
The exploits must work against Windows 7 machines running the Chrome browser.
$60,000 – “Full Chrome exploit”: Chrome / Win7 local OS user account persistence using only bugs in Chrome itself.
$40,000 – “Partial Chrome exploit”: Chrome / Win7 local OS user account persistence using at least one bug in Chrome itself, plus other bugs. For example, a WebKit bug combined with a Windows sandbox bug.
$20,000 – “Consolation reward, Flash / Windows / other”: Chrome / Win7 local OS user account persistence that does not use bugs in Chrome. For example, bugs in one or more of Flash, Windows or a driver. These exploits are not specific to Chrome and will be a threat to users of any web browser. Although not specifically Chrome’s issue, we’ve decided to offer consolation prizes because these findings still help us toward our mission of making the entire web safer.
Google’s hack challenge will run alongside the $15,000 Pwn2Own contest that runs each year at CanSecWest, which challenges researchers to exploit vulnerabilities in fully patched browsers and other software.
Last year, Google offered a $20,000 bounty, on top of the base $15,000 Pwn2Own prize, for anyone who successfully downed Chrome, but there were no takers. Chrome is currently the only browser eligible for the Pwn2Own contest that has never been brought down, Ars Technica notes. Contestants have indicated that the difficulty of bypassing Google’s security sandbox is the reason they’ve avoided the browser and focused on Internet Explorer and Safari.
Article source: http://www.wired.com/threatlevel/2012/02/google-1-million-dollar-hack-contest/
Category: Widely Deployed Software
Affected:
Google released a new version of its Chrome browser in order to update the bundled Flash Player plug-in and address serious security vulnerabilities.
Google Chrome 17.0.963.56 fixes 12 security flaws, seven of which are considered high severity, four of medium severity and one of low severity.
Security researcher Jüri Aedla received a special $1,337 reward for discovering and reporting an integer overflow vulnerability in libpng, the library used by Chrome to process PNG images.
Other high-severity flaws were identified in the browser’s PDF codecs, its subframe loading, H.264 parsing and path rendering components, as well as its MKV, database, column and counter node handling code.
In theory these vulnerabilities should be considered critical because they could facilitate the remote execution of arbitrary code on the targeted systems.
However, because Google Chrome has a sandboxed architecture, exploiting these vulnerabilities alone would not provide attackers with the necessary level of access to run malicious code.
Six vulnerabilities patched in this release were discovered with the help of an open-source tool called AddressSanitizer, Google Chrome engineer Jason Kersey said in a blog post on February 15.
Chrome 17.0.963.56 also includes a new Flash Player version that Adobe released earlier this week, Kersey said. The Flash Player update addresses seven critical security flaws.
Google paid a total of $6,837 to security researchers who reported vulnerabilities patched in this release. The company recently expanded its Chromium Security Rewards Program to also cover vulnerabilities found in Chrome OS.
Google plans to remove online certificate revocation checks from future versions of Chrome, because it considers the process inefficient and slow.
Browsers currently check if a website’s SSL certificate has been revoked by its issuing Certificate Authority (CA) when trying to establish an HTTPS connection. These checks are done by querying CA-operated servers through a special protocol known as OCSP (Online Certificate Status Protocol).
The problem is that browsers can’t always reach the validation servers because of various technical problems, and when that happens the HTTPS connection should not be established; at least in theory.
However, because these failures can have a serious usability impact, especially when CAs experience server downtime, browser vendors have decided to ignore revocation checks that result in network errors. This is referred to as a soft-fail.
“An attacker who can intercept HTTPS connections can also make online revocation checks appear to fail and so bypass the revocation checks,” Google security engineer Adam Langley said.
“So soft-fail revocation checks are like a seat-belt that snaps when you crash,” he said. “Even though it works 99% of the time, it’s worthless because it only works when you don’t need it.”
This suggests that online certificate revocation checking doesn’t add a lot of value to web security in its current implementation. However, keeping it on comes at a significant cost – browsing speed.
“The median time for a successful OCSP check is ~300ms and the mean is nearly a second,” Langley said. “This delays page loading and discourages sites from using HTTPS.”
After considering the drawbacks, Google decided to remove OCSP checks from future versions of Chrome and replace them with a local list of revoked certificates that can be updated without requiring a browser restart. Attackers could theoretically block the update process, but this will require more effort than blocking an OCSP revocation check, Langley said.
The security engineer invited CAs to voluntarily contribute their revoked certificates to the list by publishing them in a format and place that’s accessible to Google’s crawler.
Experts have raised serious questions about the security and reliability of the current SSL infrastructure during recent months, following security breaches at several CAs that resulted in rogue certificates being issued. Various proposals for improving or replacing the current system are being discussed.
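The three behaviours discussed in this article (soft-fail OCSP, the hard-fail alternative, and a locally pushed revocation list) can be modelled side by side. The following is an added example written for this page; it is not Chrome’s code or Google’s implementation of its revocation list. The certificate serial numbers, the CA’s revocation table and the `responder_reachable` flag are constructed placeholders standing in for the real OCSP round trip and its network conditions.

```python
"""Toy model of the certificate revocation-checking policies described above.

Added example, not Chrome's or Google's code. Serial numbers and the CA
revocation table are constructed; 'responder_reachable' stands in for
whether the OCSP query completes or ends in a network error.
"""
from enum import Enum


class OcspStatus(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNREACHABLE = "unreachable"   # timeout or other network error


# Constructed: what the CA-operated responder would answer for each serial.
CA_REVOCATION_DB = {
    "serial-0001": False,   # still valid
    "serial-0002": True,    # revoked by the CA
}


def ocsp_query(serial, responder_reachable):
    """Simulate one OCSP round trip to the CA's responder."""
    if not responder_reachable:
        return OcspStatus.UNREACHABLE
    if CA_REVOCATION_DB.get(serial, False):
        return OcspStatus.REVOKED
    return OcspStatus.GOOD


def soft_fail_accepts(serial, responder_reachable):
    """Soft-fail: only an explicit REVOKED answer blocks the connection.
    A network error is silently treated as if the certificate were good,
    which is the weakness Langley describes."""
    return ocsp_query(serial, responder_reachable) != OcspStatus.REVOKED


def hard_fail_accepts(serial, responder_reachable):
    """Hard-fail: the connection proceeds only on an explicit GOOD answer.
    Closes the gap, but every responder outage becomes a site outage."""
    return ocsp_query(serial, responder_reachable) == OcspStatus.GOOD


def local_list_accepts(serial, local_revoked):
    """Locally pushed revocation list: no network round trip at connection
    time, so there is no 'unreachable' state to fall back on."""
    return serial not in frozenset(local_revoked)


def compare_policies(serial, responder_reachable, local_revoked):
    """Return each policy's accept (True) / reject (False) verdict for one handshake."""
    return {
        "soft_fail": soft_fail_accepts(serial, responder_reachable),
        "hard_fail": hard_fail_accepts(serial, responder_reachable),
        "local_list": local_list_accepts(serial, local_revoked),
    }


if __name__ == "__main__":
    revoked_locally = {"serial-0002"}
    # Responder reachable: all three policies reject the revoked certificate.
    print(compare_policies("serial-0002", True, revoked_locally))
    # Responder unreachable (outage or interception): soft-fail accepts the revoked certificate.
    print(compare_policies("serial-0002", False, revoked_locally))
    # Valid certificate, responder unreachable: hard-fail produces a spurious failure.
    print(compare_policies("serial-0001", False, revoked_locally))
```

The second case is the seat-belt that snaps: the soft-fail verdict for a revoked certificate depends entirely on whether the responder could be reached, while the local list gives the same answer in both network states. The third case shows why vendors avoided hard-fail in the first place.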
Google today patched 20 vulnerabilities in the desktop edition of Chrome and added new anti-malware download warnings to version 17.
The company called out a pair of new features in Chrome 17, including the expansion of anti-malware download warnings and pre-rendering of pages suggested by the address/search bar’s auto-complete function.
Google last refreshed Chrome eight weeks ago, on Dec. 13. Google generates an update to its “stable” channel about every six to eight weeks, a slightly more flexible schedule than rival Mozilla’s every-six-week pace.
One of the 20 vulnerabilities patched today was rated “critical,” the most-dire ranking in Google’s threat system. Eight were marked “high,” while five were labeled “medium” and six were tagged “low.”
Google paid $10,500 in bounties to four researchers for reporting 11 bugs, and another $3,133 to one of the four who uncovered a serious flaw that was quashed by developers before Chrome 17 made it to today’s release. The nine other vulnerabilities were uncovered by members of Google’s own security team, developers who contribute to the open-source Chromium project — which feeds code to Chrome — or those who, for one reason or another, were not eligible for a bounty.
Per its usual practice, Google blocked access to its bug tracking database for all 20 vulnerabilities to prevent outsiders from obtaining details that could be used to build exploits. Google typically opens up the database weeks or even months later, after it’s sure a majority of users have migrated to the new edition.
Google typically includes a handful of obvious changes in each Chrome upgrade, and it stayed with that practice today: The two features visible to users were an extension of Chrome’s long-running anti-malware download warnings and faster displaying of some Web pages.
The new download warnings alert users when they try to retrieve executable Windows files — including those with the “.exe” and “.msi” extensions — that Google knows or suspects are malicious, or are hosted on a website that commonly distributes threats.
Such warnings have been part of Chrome since version 12, which launched in June 2011, but they’ve been expanded in Chrome 17.
If the file isn’t a known quantity or from a reputable publisher, information about the file is sent to Google, which runs it through an analyzer to rank its “reputation and trustworthiness [compared to] files previously seen from the same publisher and website,” said the company last month.
Suspicious files — ones that match the criteria of others known to come from the same source — are tagged and if there’s a high probability it’s malicious, the user sees an alert.
Google has also beefed up its anti-phishing tool; Chrome now inspects the destination URL for characteristics common to sites that try to steal confidential information, and if it makes a match, spits out a warning.
The new anti-malware tools have been available in the beta of Chrome 17 for a month.
Also new to Chrome 17: Pre-loading of pages that appear in the browser’s combination address/search bar when users start typing an address or search string.
“If the URL auto-completes to a site you’re very likely to visit, Chrome will begin to pre-render the page [to reduce] the time between when you hit Enter and when you see your fully-loaded Web page,” Google explained last month when it added the feature to Chrome 17’s beta.
In admittedly unscientific tests of Chrome 17’s pre-loading, however, Computerworld did not notice any difference in the speed with which pages popped up.
According to metrics company Net Applications, Chrome accounted for nearly 19% of all browsers used in January, keeping it in second place behind Firefox (with 20.9%) and Microsoft’s Internet Explorer (53%).
Chrome 17 can be downloaded for Windows, Mac OS X and Linux from Google’s website. Users running the browser will be updated automatically through its silent service.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg’s RSS feed. His e-mail address is gkeizer@computerworld.com.