Chrome succumbs to Pwn2Own hacks, issues patch

Looks like Google Chrome's winning streak at the Pwn2Own hacker contest is over -- it has participated for the past two years and left unscathed.

However, the Web browser fell to multiple exploits March 7 at CanSecWest security conference's competition. And not only is this the first year it has been successfully attacked, it was the first browser to fall – with the first attack coming within the first five minutes of the contest.

In response, Google released an over-the-air patch March 8 to fix one of the issues demonstrated by hacker Sergey Glazunov. The update will be "silently" pushed to users.

Related coverage:

Hackathon aims to produce open government apps

Glazunov, a Russian university student, used a pair of privately disclosed exploits to bypass Chrome's sandbox. If exploited by attackers, malicious code could be run on an infected machine.

For demonstrating a zero-day attack, Glazunov will be awarded $60,000 by Google.

"Congrats to long-time Chromium contributor Sergey Glazunov who just submitted our first Pwnium entry," said Sundar Pichai, senior vice president Chrome, in a Google+ announcement. "Looks like it qualifies as a 'Full Chrome' exploit, qualifying for a $60k reward."

Glazunov wasn't the only one to expose a hole in the Chrome browser on Wednesday. Members of the vulnerability research firm VUPEN Security demonstrated a way to bypass the Chrome sandbox using a bug in Windows to bypass the DEP and the address space layout randomization. It also demonstrated a second Chrome flaw. However, information on it had not been released.

The group said it wasn't participating in the hacking contest for monetary gain. "We pwned Chrome to make things clear to everyone," said Chaouki Bekrar, CEO of Vupen Security, to Ars Technica. "We wanted to show that even Chrome is not unbreakable."

Because the first flaw demonstrated by VUPEN is caused by a Windows exploit and the second item had little data disclosed on it, fixes were not included in the March 8 Chrome update.


  • business meeting (Monkey Business Images/

    Civic tech volunteers help states with legacy systems

    As COVID-19 exposed vulnerabilities in state and local government IT systems, the newly formed U.S. Digital Response stepped in to help. Its successes offer insight into existing barriers and the future of the civic tech movement.

  • data analytics (

    More visible data helps drive DOD decision-making

    CDOs in the Defense Department are opening up their data to take advantage of artificial intelligence and machine learning tools that help surface insights and improve decision-making.

Stay Connected