Breaking the browser

April 2013 Information Security

Critical vulnerabilities in Google Chrome that could leave millions of Web users exposed to risk were demonstrated on March 6th by the winners of this year’s Pwn2Own competition, global IT security firm MWR InfoSecurity. The contest was held at the CanSecWest Conference in Vancouver, Canada.

Researchers from MWR Labs, the company’s research arm, joined IT security consultants from all over the world in the annual Pwn2Own competition, which focuses on Web browser vulnerabilities.

MWR InfoSecurity focused on Google Chrome, and won the category by fully compromising the browser. MWR’s researchers exploited two undisclosed vulnerabilities that were combined to break through the browser’s protection mechanisms, resulting in a full compromise that required no user interaction and allowed complete access to the operating system.

The vulnerabilities MWR identified in Chrome are the type that could be used by sophisticated and advanced attackers as a first step to compromise large corporate networks.

“Browser security standards have improved over the last few years, however it is still possible to find and exploit a number of vulnerabilities that could compromise some of the most popular Web browsers. MWR’s researchers have been preparing for this demonstration for the last four months,” said Ian Shaw, MD of MWR InfoSecurity.

He added: “Google Chrome is one of the most widely used Web browsers and was perceived to be the hardest target in the competition. The reason Chrome was chosen as the target for the demonstration is to encourage understanding as a security breach of this nature could expose millions of users to serious risk.”

The exploited version of Chrome was running on the latest, fully patched version of Windows 7 and was installed in its default configuration, as this is how a majority of users have configured it.

Shaw said: “Similar vulnerabilities are used in APT attacks to compromise companies’ networks for economic espionage or to simply disrupt their businesses. Attacks of this class are happening more frequently and need to be better understood.”

The details of the vulnerabilities remain undisclosed and are being shared with the vendors to allow them to work on a patch for these specific issues.

MWR Labs is the research arm of MWR InfoSecurity, which has offices in the UK and South Africa. MWR continually investigate security weaknesses in technologies and systems to allow its clients to understand and react to the latest threats. The firm has previously won the Mobile Pwn2Own competition held at the EuSecWest Conference in Amsterdam in September 2012 by finding critical vulnerabilities in a popular Android device.

For more information contact MWR South Africa, +27 (0)10 100 3159, [email protected], www.mwrinfosecurity.com





Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Highest increase in global cyberattacks in two years
Information Security News & Events
Check Point Global Research released new data on Q2 2024 cyber-attack trends, noting a 30% global increase in Q2 2024, with Africa experiencing the highest average weekly per organisation.

Read more...
What does Agentic AI mean for cybersecurity?
Information Security AI & Data Analytics
AI agents will change how we work by scheduling meetings on our behalf and even managing supply chain items. However, without adequate protection, they become soft targets for criminals.

Read more...
Phishing attacks through SVG image files
Kaspersky News & Events Information Security
Kaspersky has detected a new trend: attackers are distributing phishing emails to individual and corporate users with attachments in SVG (Scalable Vector Graphics) files, a format commonly used for storing images.

Read more...
Crypto in SA: between progress and precaution
Information Security
“As cryptocurrency gains momentum and legitimacy, it’s becoming increasingly important for people to pay attention to financial security”, says Richard Frost, head of technology and innovation at Armata Cyber Security.

Read more...
Cyber recovery requires a different approach to disaster recovery
Information Security
Disaster recovery is about getting operations back on track after unexpected disruptions; cyber recovery, however, is about calculated actions by bad actors aiming to disrupt your business, steal sensitive data, or hold your system hostage.

Read more...
MDR users claim 97,5% less
Sophos Information Security
The average cyber insurance claim following a significant cyberattack is just $75 000 for MDR users, compared with $3 million for endpoint-only users, according to a new independent study.

Read more...
The impact of GenAI on cybersecurity
Sophos News & Events Information Security
Sophos survey finds that 89% of IT leaders worry GenAI flaws could negatively impact their organisation’s cybersecurity strategies, with 87% of respondents stating they were concerned about a resulting lack of cybersecurity accountability.

Read more...
Efficient, future-proof estate security and management
Technews Publishing ElementC Solutions Duxbury Networking Fang Fences & Guards Secutel Technologies OneSpace Technologies DeepAlert SMART Security Solutions Editor's Choice Information Security Security Services & Risk Management Residential Estate (Industry) AI & Data Analytics IoT & Automation
In February this year, SMART Security Solutions travelled to Cape Town to experience the unbelievable experience of a city where potholes are fixed, and traffic lights work; and to host the Cape Town SMART Estate Security Conference 2025.

Read more...
Kaspersky KATA 7.0 for targeted attack protection
Information Security Products & Solutions
] Kaspersky has announced a major update to its Kaspersky Anti Targeted Attack (KATA) including enhanced network detection and response (NDR) capabilities with deeper network visibility, internal threats detection and other critical security features.

Read more...
The role of advanced technologies in ransomware recovery
Information Security
As businesses increasingly adopt cloud technologies, the complexities of maintaining resilience and ensuring rapid recovery from such incidents become even more pronounced. The integration of advanced technologies is essential to navigate these challenges effectively.

Read more...