James Delahunty
8 Mar 2012 14:00
Russian researcher gets nice payday from vulnerability he found in Chrome.
Sergey Glazunov, who is familiar with Chrome bug hunting, uncovered a remote code execution vulnerability in Google's Chrome web browser. He demonstrated how he could use this vulnerability to escape the Chrome sandbox and run unauthorized code on a full-patched Windows 7 system.
His award comes as part of the Google Pwnium competition. The search giant has put $1,000,000 on the line for breaches of its browser's security.
"Congrats to long-time Chromium contributor Sergey Glazunov who just submitted our first Pwnium entry. Looks like it qualifies as a ?Full Chrome? exploit, qualifying for a $60k reward. We?re working fast on a fix that we?ll push via auto-update. This is exciting; we launched Pwnium this year to encourage the security community to submit exploits for us to help make the web safer. We look forward to any additional submissions to make Chrome even stronger for our users."
- Sundar Pichai, a senior vice-president at Google
As time of writing, the remaining prize fund is $940,000. The Pwmium webpage reports that there have been two successful exploits of Chrome, the other being the reported VUPEN breach of the browser at this year's Pwn2Own contest. The vulnerability used by Glazunov is reported to already be patched, though of course, Google has no idea what VUPEN did to break its browser security.