Google issues last-minute Chrome fixes before Pwn2Own

Day before hacking contest starts, fixes 25 flaws and pays out $16K in bounties

By , Computerworld |  Security, Chrome, Google

Google patched 25 vulnerabilities in Chrome today in one last update before the Pwn2Own hacking contest starts Wednesday in Canada.

[ See also: Researcher blows $15K by reporting bug to Google ]

The company has a lot on the line at Pwn2Own, which runs March 9-11 at the CanSecWest security conference in Vancouver, British Columbia.

The first researcher to hack Chrome on Wednesday will be paid $20,000 by Google . If no one breaks the browser that day, the rules change and Google will fork over $10,000 for a successful exploit on Thursday or Friday, with Pwn2Own sponsor HP TippingPoint ponying up another $10,000.

Other browsers that researchers will tackle at Pwn2Own include Apple's Safari 5, Microsoft's Internet Explorer 8 and Mozilla's Firefox 3.6.

Tuesday's 25-patch update fixed 15 vulnerabilities rated "high," the second-most-severe ranking in Google's scoring; three labeled "medium"; and seven pegged as only "low."

None of the vulnerabilities was ranked "critical," the category essentially reserved for bugs that may let an attacker escape Chrome's anti-exploit "sandbox." Google has patched two sandbox-escape bugs this year.

Today's Chrome update was the second in the last eight days: Google patched 19 browser bugs on Feb. 28.

Three of the vulnerabilities were identified as "stale pointer" bugs, a term that describes flaws in an application's -- in this case, Chrome's -- memory allocation code. Google has patched numerous stale pointer bugs in the last two months.

Other flaws fixed today were credited to a wide range of the browser's components, including its V8 JavaScript engine, the code that processes video, and WebKit, the open-source browser engine that both Chrome and Apple's Safari use as their foundations.

As is its practice, Google locked its bug tracking database to bar outsiders from viewing the technical details of the just-patched vulnerabilities. The company blocks public access to flaws for weeks or even months to give users time to update.

Google paid out a record $16,174 in bounties for finding and reporting 15 of the vulnerabilities patched today. Five different researchers received checks, with frequent-contributor Sergey Glazunov taking home $6,500 and Daniel Divricean earning $3,174.

So far this year, Google has spent nearly $50,000 on bug bounties.


Originally published on Computerworld |  Click here to read the original story.
Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

Answers - Powered by ITworld

Ask a Question