Friday, October 12, 2012

Teenager found new critical vulnerability in Chrome

Young hacker Pinkie Pie could become a millionaire, receiving thousands from Google for each working exploit.

Yesterday at the Hack in the Box conference, during the Pwnium 2 contest, the young talent demonstrated a couple of critical vulnerabilities in Chrome and a working exploit, for which he was awarded a monetary reward.

The vulnerability has the ID CVE-2012-5112; a detailed description is available in the issue tracker, tickets 117715 and 117736, as well as on the Chromium blog. The first bug is an error in the rendering of SVG files by the WebKit engine, and the second bug was found in the IPC (inter-process communication) system, which allowed the exploit to go beyond the sandbox. The result was an NPAPI browser plug-in that gets full privileges on the system.

This is the second time that Pinkie Pie has earned thousands; the last time he scored was in March 2012, at the first Pwnium competition. At that time, he chained six vulnerabilities to get out of the sandbox and get Chrome to execute arbitrary code on the system. Now, apparently, the exploit uses only two vulnerabilities, but the result is the same.

To the credit of Google's engineers, they managed to close the hole and release a new version of Chrome in less than 10 hours (!), after which it was immediately installed on the computers of all users via the auto-update mechanism. A good example for some vendors.

The new stable version of Chrome is 22.0.1229.94 for Windows, Mac and Linux. Other vulnerabilities in Chrome were found at the Pwnium 2 competition.

Pinkie Pie does not disclose his real identity because his current employer does not approve of hacking. But the journalist who was able to see Pinkie Pie describes the attacker as a "high-teenager", that is, he is not 18-19.
