Chrome is the loser at security conference

Google’s Chrome browser was the surprise loser at the Pwn2Own conference.

The competition, which has been running for a number of years, normally sees Apple’s Safari being the first to fall with Firefox and Internet Explorer lasting a bit longer.

After Chrome managed to evade hackers for a number of years, it seems that a French team, Vupen, was very happy to break its record.

In fact, they hacked Chrome during the first five minutes of the competition, and took 32 points. Google rushed to update Chrome to fix the hole exploited by the hack, but it did tarnish the outfit’s reputation.

The hack was carried out on the Windows version and managed to avoid the sandbox security functions.

It would have been a great relief to Apple, which normally does badly at this sort of competition. Its browser fell second, and it was Vupen hackers who turned it over.

Vupen makes a crust by discovering and then selling vulnerabilities and exploits to government customers.

Chaouki Bekrar, the co-founder and head of research, told The Guardian that to kill off Chrome it had to bypass DEP and ASLR on Windows and then have another technique to break out of the Chrome sandbox.

Apparently it had known about the vulnerability last May. The user is tricked into visiting a specially crafted web page hosting the exploit which will execute various payloads to ultimately download the Calculator from a remote location and launch it outside the sandbox.

Bekrar admits that it was a little unfair for his outfit to take down Chrome. It was possibly the most secure browser because of its hefty sandboxing. It was not easy to create a full exploit to bypass all the protections in the sandbox.