Interestingly the Pwn2Own exploit was not the only one reported. For the Pwn2Own hack the exploit was a two part attack that used a combination of a Sandbox Escape and a DEP/ASLR (Data Execution Prevention / Address Space Layout Randomization) exploit to infect Windows 7 (which was what the browser was installed on). This was accomplished by the French security company Vupen.

At the same time Google was open for their own exploit submissions under the Pwnium program. Pwnium is a program that gives security researchers or groups a chance to win bounties on exploits found in Chrome. The top prize is $60,000 for a single submission, which was actually won this year with an exploit submitted by Sergey Glazunov.  Glazunov is one of the leading bug hunters for Chrome and also works on the open source project that is tied directly into the Chrome program.

Google started Pwnium after breaking away from ZDI (the organizers of Pwn2Own). The split was over the submittal requirements. Under ZDI researchers only have to submit Zero-Day code execution exploits and not any code or bugs that allow for breaking out of the sandbox that protects the OS from malicious running in the browser. Under Pwnium the submittal must include both Zero-Day code execution exploits and sandbox escapes. Any exploits (including Sandbox Escapes) must exist in the Chrome codebase to qualify also.

Still this plays into what we have said all along; there is no such thing as a secure OS, browser, application, web server etc. Not matter how much you secure it, someone will find a hole and exploit it.

Discuss this in our Forum