A Russian student who studies in Canada has successfully hacked into a fully patched Windows 7 64-bit version. He used a remote code execution vulnerability/exploit in Google Chrome.
Sergey Glazunov is a security researcher who finds security holes in Chrome and reports it directly to Google.
He earned $60,000 due to his exploits. He targeted two distinct zero-day vulnerabilities in the sub-system of the Chrome extension. Google is trying to partner with hackers to find holes in the system. In exchange they pay the hacker for his job. They call the Pwnium hacker contest which they are running this year.
Justin Schuh of Google said that, “It didn’t break out of the sandbox [but] it avoided the sandbox.” Glazunov’s exploits bypassed the browser sandbox in its entirety.
He also added, “It was an impressive exploit. It required a deep understanding of how Chrome works. This is not a trivial thing to do. It’s a very difficult and that’s why we’re paying $60,000.”
Sergei is a regular contributor in the Google bug bounty program. He also did a similar sandbox bypass bug before that is similar to his work. Schuh said that these types of full code execution that executes code outside the browser sandbox from a very small percentage of bug submissions.
Image source: isp101.net
