Google patches Chrome days before hacking contest
Only browser predicted to survive Pwn2Own gets 11 fixes
The update to Chrome 18.104.22.1686 fixes six flaws rated "high," the second-most-severe ranking in Google's four-step threat system; plugs three "medium" holes; and quashes two "low" bugs.
Danish vulnerability tracker Secunia rated the update as "highly critical."
Although Google typically hides technical details of the most serious vulnerabilities when it issues an update -- it blocks bug tracker entries to prevent attackers from using the information -- all of the 11 bugs are behind the wall this time.
"The referenced bugs may be kept private until a majority of our users are up to date with the fix," explained Orit Mazor, a technical program manager with the Chrome team, in a blog entry Wednesday.
A bug in WebKit, the open-source browser engine that powers Chrome as well as Safari, earned researcher Sergey Glazunov a check for $1,337, the maximum Google pays for vulnerabilities as part of a bounty program that debuted last January. Most flaws earn their finders just $500, but "particularly severe or particularly clever" bugs reap rewards of $1,337 each. The amount is a reference to "leet," a kind of geek-speak used by some researchers; there, "leet" is rendered as "1337."
Other vulnerabilities were credited to Mark Dowd, a noted browser and OS vulnerability researcher who is working under contract for Google; Robert "RSnake" Hansen, CEO of SecTheory; and Aki Helin of OUSPG (Oulu University Secure Programming Group), Oulu University in Finland.
Altogether, Google paid out $3,337 in bounties for the bugs it patched Wednesday.
Only the Windows "stable" channel -- a term Google uses in place of "final" -- was patched; the Mac and Linux versions of Chrome have not yet left the "beta" channel.
Google added several non-security features to Wednesday's update, including integrated language translation and new private browsing settings, that had made their way into the beta earlier this month.
Chrome is the second browser to be patched in seven days. On March 11, Apple fixed 16 flaws in Safari. Both browsers' updates were timely: Starting next Wednesday, Chrome, Safari, Microsoft's Internet Explorer 8 (IE8) and Mozilla's Firefox will go head-to-head with an unknown number of hackers who will try to exploit unpatched vulnerabilities and win $40,000 in cash at Pwn2Own, the annual contest sponsored by 3Com's TippingPoint. On Thursday, Aaron Portnoy, a security research team lead at TippingPoint and the organizer of this year's Pwn2Own, predicted that Safari would fall to attack on the second of the contest's three days, while Chrome would be the sole survivor.
The last time Google patched the stable build of Chrome for Windows was in late January.
Chrome is now the third-most-used browser on the planet, having grabbed the No. 3 spot from Safari in December 2009, and as of last month, accounted for approximately 6% of all browsers in use, according to Web measurement vendor NetApplications.com.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is firstname.lastname@example.org.
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- EDI in China: Developing a Strategy for B2B Integration Success IBM solutions for EDI have helped companies across the globe securely connect and build partner communities.
- HP HAVEn: See the big picture in Big Data HP HAVEn is the industry's first comprehensive, scalable, open, and secure platform for Big Data. Enterprises are drowning in a sea of data...
- What Datapipe customers need to know about the new PCI DSS 3.0 compliance standard This handy quick reference outlines what PCI DSS 3.0 is, who needs to be compliant and how Alert Logic solutions address the new...
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Polycom Virtual Meeting Rooms Video The conference room is the hub for group collaboration. With Polycom, you can extend the productivity and efficiency benefits of face-to-face meetings beyond...
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well... All E-business White Papers | Webcasts