Google issues last-minute Chrome fixes before Pwn2Own
Day before hacking contest starts, fixes 25 flaws and pays out $16K in bounties
Computerworld - Google patched 25 vulnerabilities in Chrome today in one last update before the Pwn2Own hacking contest starts Wednesday in Canada.
The company has a lot on the line at Pwn2Own, which runs March 9-11 at the CanSecWest security conference in Vancouver, British Columbia.
The first researcher to hack Chrome on Wednesday will be paid $20,000 by Google. If no one breaks the browser that day, the rules change and Google will fork over $10,000 for a successful exploit on Thursday or Friday, with Pwn2Own sponsor HP TippingPoint ponying up another $10,000.
Other browsers that researchers will tackle at Pwn2Own include Apple's Safari 5, Microsoft's Internet Explorer 8 and Mozilla's Firefox 3.6.
Tuesday's 25-patch update fixed 15 vulnerabilities rated "high," the second-most-severe ranking in Google's scoring; three labeled "medium"; and seven pegged as only "low."
None of the vulnerabilities was ranked "critical," the category essentially reserved for bugs that may let an attacker escape Chrome's anti-exploit "sandbox." Google has patched two sandbox-escape bugs this year.
Today's Chrome update was the second in the last eight days: Google patched 19 browser bugs on Feb. 28.
Three of the vulnerabilities were identified as "stale pointer" bugs, a term that describes flaws in an application's -- in this case, Chrome's -- memory allocation code. Google has patched numerous stale pointer bugs in the last two months.
As is its practice, Google locked its bug tracking database to bar outsiders from viewing the technical details of the just-patched vulnerabilities. The company blocks public access to flaws for weeks or even months to give users time to update.
Google paid out a record $16,174 in bounties for finding and reporting 15 of the vulnerabilities patched today. Five different researchers received checks, with frequent-contributor Sergey Glazunov taking home $6,500 and Daniel Divricean earning $3,174.
So far this year, Google has spent nearly $50,000 on bug bounties.
Along with the security update, Google also upped Chrome's stable channel -- the browser comes in three editions, stable, beta and dev -- to version 10. The upgrade to Chrome 10 came less than five weeks after Google boosted the stable channel to version 9.
Other additions to Chrome 10 include site password synchronization, and the first appearance in a stable build of an anti-exploit "sandbox" to isolate the integrated copy of Adobe's Flash Player.
Google has been releasing rougher versions of Chrome with a Flash sandbox since early December 2010.
Chrome 10 can be downloaded for Windows, Mac OS X and Linux from Google's Web site. Users already running the browser will be updated automatically.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is firstname.lastname@example.org.
- Google reverses field, promises to restore Chrome's scrollbar arrows
- Update: Google ships Chrome 33, patches 28 bugs
- Mozilla's top exec defends in-Firefox ads, revenue search
- Mozilla taps in-Firefox ads as it searches for more revenue
- Mozilla ships Metro Firefox beta for Windows 8
- Mozilla defers Firefox's new 'Australis' UI to April
- Mozilla resets Metro Firefox ship date to mid-March
- Mozilla ships Firefox 26 with opening click-to-play move
- Mozilla banked $274M in '12 from Google-Firefox search deal
- Google trumpets Chrome's SPDY gains
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts