VANCOUVER -- A Russian university student hacked into a fully patched Windows 7 machine (64-bit) using a remote code execution vulnerability/exploit in Google's Chrome web browser.
The attack, which included a Chrome sandbox bypass, was the handiwork of Sergey Glazunov, a security researcher who regularly finds and reports Chrome security holes.
Glazunov scored a $60,000 payday for the exploit, which targeted two distinct zero-day vulnerabilities in the Chrome extension sub-system. The cash prize was part of Google's new Pwnium hacker contest, which is being run this year as an alternative to the better-known Pwn2Own challenge.
According to Justin Schuh, a member of the Chrome security team, Glazunov's exploit was specific to Chrome and bypassed the browser sandbox entirely. "It didn't break out of the sandbox [but] it avoided the sandbox," Schuh said in an interview.
"It was an impressive exploit. It required a deep understanding of how Chrome works," Schuh added. "This is not a trivial thing to do. It's very difficult and that's why we're paying $60,000."
Glazunov is a regular contributor to Google's bug bounty program and Schuh raved about the quality of his research work.
Schuh said Glazunov once submitted a similar sandbox bypass bug but stressed that bugs of this kind, which allow full code execution outside the browser sandbox, form a very small percentage of bug submissions.
Google's Sundar Pichai says the company is "working fast on a fix" that will be pushed out via the browser's automatic update utility.