Google patches 19 Chrome bugs week before Pwn2Own hacking contest
Pays out $14K in bounties to 9 researchers
Computerworld - Google on Monday patched 19 vulnerabilities in Chrome, paying nine researchers $14,000 in bug bounties for reporting the flaws.
As it did last year, Google beefed up the security of its browser a week before the kickoff of Pwn2Own, the annual hacking contest held at the CanSecWest security conference in Vancouver, British Columbia.
The update to Chrome 9.0.597.107 fixed 16 flaws rated "high," the second-most-severe ranking in Google's threat system, and quashed three "medium" bugs.
None of the vulnerabilities were ranked "critical," the category essentially reserved for bugs that may let an attacker escape Chrome's anti-exploit "sandbox." Google patched two sandbox-escape bugs -- both pegged critical -- in Chrome this year.
The bugs patched Monday were in several components, including WebGL, the hardware accelerated 3D graphics API that debuted in early February with Chrome 9; SVG (scalable vector graphics) rendering and animation; and the browser's address bar.
Nearly a quarter of the vulnerabilities were identified as "stale pointer" bugs, the term Google uses for use-after-free-type flaws: a component keeps a pointer to memory that has already been freed or reallocated and later uses it, so the bug lies in the code that holds on to the pointer rather than in the allocator itself.
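To make the "stale pointer" class concrete, here is an added example in C (not Chrome code, and not from the article): a hypothetical node/observer pair in the style of a DOM element referenced by script objects that do not own it. `node_free_stale()` frees the node without telling its observers, leaving their pointers dangling; `node_free_safe()` clears every observer's pointer first, so a later access hits a NULL check instead of freed memory. All names and the "div#a"/"div#b" inputs are constructed for the example.

```c
#include <stdlib.h>
#include <string.h>

#define MAX_OBSERVERS 4

typedef struct node node_t;

/* An observer holds a non-owning pointer to a node (hypothetical stand-in
 * for a script object that references a DOM element it does not own). */
typedef struct observer {
    node_t *target;       /* NULL once the node is known to be gone */
} observer_t;

struct node {
    char name[16];
    observer_t *observers[MAX_OBSERVERS];  /* everyone who points at us */
    int n_observers;
};

node_t *node_new(const char *name) {
    node_t *n = calloc(1, sizeof *n);
    if (!n) return NULL;
    strncpy(n->name, name, sizeof n->name - 1);
    return n;
}

/* Register an observer; returns 0 on success, -1 if the list is full. */
int observer_attach(observer_t *o, node_t *n) {
    if (n->n_observers >= MAX_OBSERVERS) return -1;
    o->target = n;
    n->observers[n->n_observers++] = o;
    return 0;
}

/* Vulnerable pattern: the owner frees the node but nobody tells the
 * observers, so every o->target is now a stale pointer. Dereferencing it
 * afterwards is a use-after-free. */
void node_free_stale(node_t *n) {
    free(n);
}

/* Hardened pattern: before the memory goes away, clear every observer's
 * pointer so a later use is caught by a NULL check. */
void node_free_safe(node_t *n) {
    for (int i = 0; i < n->n_observers; i++)
        n->observers[i]->target = NULL;
    free(n);
}

/* 1 if the observer still holds a non-NULL pointer, 0 otherwise. After
 * node_free_stale() this still returns 1 although the node is gone. */
int observer_is_live(const observer_t *o) {
    return o->target != NULL;
}

/* Safe accessor: the node name, or "<gone>" once node_free_safe() cleared
 * the pointer. Must never be reached after node_free_stale(). */
const char *observer_name(const observer_t *o) {
    return o->target ? o->target->name : "<gone>";
}

/* Scenario 1: returns 1 if the hardened free left the observer cleared. */
int demo_safe(void) {
    observer_t o = {0};
    node_t *a = node_new("div#a");
    if (!a || observer_attach(&o, a) != 0) return 0;
    node_free_safe(a);
    return observer_is_live(&o) == 0 && strcmp(observer_name(&o), "<gone>") == 0;
}

/* Scenario 2: returns 1 if the naive free left the observer dangling.
 * Only the pointer value is inspected; it is never dereferenced. */
int demo_stale(void) {
    observer_t o = {0};
    node_t *b = node_new("div#b");
    if (!b || observer_attach(&o, b) != 0) return 0;
    node_free_stale(b);
    return observer_is_live(&o) == 1;
}

int main(void) {
    return (demo_safe() && demo_stale()) ? 0 : 1;
}
```

The fix shown is the simplest one (an explicit back-reference list cleared on destruction); real browsers use reference counting, weak pointers, or garbage collection for the same purpose, but the failure mode is identical: an object is destroyed while another object still holds its raw address.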
As is its practice, Google locked its bug tracking database to bar outsiders from viewing the technical details of the just-patched vulnerabilities. The company blocks public access to flaws for weeks or even months to give users time to update.
Google paid out $14,000, the second-highest total this year, for the 15 vulnerabilities found and reported by outside security researchers. Nine different researchers received checks, with Martin Barbella taking home $3,000, Sergey Radchenko $2,500 and two others $2,000 each.
Google and Mozilla, which makes Firefox, are the only browser developers to pay bounties directly to bug researchers.
In hindsight, Monday's update should have been expected: In 2010, Google also patched Chrome the week before Pwn2Own.
2011's Pwn2Own begins March 9, when security researchers will vie for fame and cash by trying to take down not just Chrome, but also the current versions of Apple's Safari 5, Microsoft's Internet Explorer 8 and Mozilla's Firefox 3.6.
Monday's patches could be particularly important this year, since Google has a special stake in Pwn2Own: It put up the $20,000 prize for hacking Chrome on the first of the contest's three days. (After that, if no one breaks the browser, the rules change and Google will fork over just $10,000, with Pwn2Own sponsor HP TippingPoint ponying up the other $10,000.)
At least one other browser builder will issue patches before Pwn2Own's first day of competition. Mozilla has scheduled a security update of Firefox 3.6 for later today.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld.