The second installment of Google’s hacking fest Pwnium has just wrapped up, and once again Google Chrome’s security features were successfully bypassed. Earlier this year, Chrome fell for the first time when VUPEN managed to exploit Chrome within five minutes at the first installment of Pwnium. During the same event, two more hackers, Pinkie Pie and Sergey Glazunov, managed to humble Chrome and bag the top award of $60,000.
The second edition of Pwnium was organized as a part of the ‘Hack in the Box 2012’ security conference held in Kuala Lumpur. This time around, Chrome’s sandboxing mechanism was defeated by exploiting two flaws – an “SVG use-after-free” and an “IPC arbitrary write”. The exploiter was once again Pinkie Pie. Since his exploit depended entirely on bugs within Chrome to achieve arbitrary code execution, it qualified for Google’s highest award level as a “full Chrome exploit”, and won him $60,000 and a free Chromebook.
A detailed explanation of the bugs leveraged by Pinkie Pie is still not available. However, the good news is that Google has already patched the vulnerability, so even if you use Chrome, you are safe. Google deserves a round of applause not only for encouraging the security community to discover bugs in Chrome, but also for patching the vulnerability in less than twelve hours after its disclosure.