Pwnium Two – Google Chrome To Hold Another Hacking Contest

Google had so much fun with the Pwnium competition the first time that they’ve decided to hold another one. This should be interesting as we’ll get to see if Chrome exploits are really worth 60,000 dollars or if attackers are more willing to sell to higher bidders.

The rewards are similar though now instead of a 1 million dollar limit there’s a 2 million dollar limit. This is largely irrelevant as it is very unlikely there will be that many exploits.

The competition essentially lets a bunch of people come together and see how far they can break Chrome. Last competition we had three exploits bypass Chrome’s sandbox – one by Pinkie Pie, one by Vupen, and one by Sergey Glazunov.

The Vupen exploit was pretty lame and used the Flash plugin. The Flash plugin for Chrome is now PPAPI and far stronger than it used to be so Vupen’s going to have to find another way to get out of the sandbox.

The Vupen exploit was not revealed, but the other two were. They made use of 6 and 12 bugs respectively and were really brilliant.

Chrome’s sandbox has improved since the last competition – the renderer now runs at Untrusted as does Flash – so it will be fun to see how people break out this time.

PPAPI Flash For Linux Finally Seems Ready

PPAPI Flash is the Flash plugin built into Google Chrome that allows for more secure Flash by virtue of the Chrome sandbox. Adobe has declared that Flash 11.3 will not be supported on Linux except for the PPAPI version, so if you’re looking for the latest you’re going to need to use Chrome.

The Flash sandbox isn’t very tight in Chrome as we can see by Vupen’s bypass, so a tighter sandbox is very welcome.

Until very recently the plugin was super buggy and unusable. This seems to have changed and I’m noticing no issues.

The PPAPI plugin is limited to Chrome Beta right now, so you can either wait ~1 month for it to hit stable or download the beta now.