Google patches Pwn2Own WebKit bug in Chrome
First browser maker to fix a flaw exploited at last week's hacking contest
Computerworld - Google has patched a WebKit flaw in its Chrome browser that was exploited by a multinational team to hack the BlackBerry Torch smartphone at Pwn2Own.
Although Chrome was unchallenged at Pwn2Own, the browser relies on the open-source WebKit browser engine, and so needed to be patched.
Friday's Chrome update made Google the first browser developer to patch a vulnerability used at Pwn2Own, the hacking contest sponsored by HP TippingPoint and its Zero Day Initiative (ZDI) bug bounty program. Pwn2Own ran Wednesday through Friday and handed out $60,000 in prize money to four individuals or teams.
Last Thursday, Vincenzo Iozzo, Willem Pinckaers and Ralf-Philipp Weinmann won $15,000 by hacking Research in Motion's BlackBerry Torch with an exploit of a WebKit vulnerability in the BlackBerry's browser. The same day, Dion Blazakis and four-time winner Charlie Miller exploited a different WebKit flaw in Apple's Safari browser on the iPhone 4.
As is Google's practice, it locked access to its bug tracker to bar outsiders from viewing the technical details of the just-patched vulnerability. The company blocks public access to flaws for weeks or even months to give users time to update.
Apple, which will need to patch the same WebKit bug that Google addressed, as well as the one that Blazakis and Miller exploited, does not comment on its security update process.
Google also awarded Iozzo, Pinckaers and Weinmann $1,337 from its own bug bounty program, adding to their cash take for the Pwn2Own hack.
Neither Chrome nor Mozilla's Firefox was challenged at last week's Pwn2Own: Researchers who had earlier signed up to take on the browsers didn't show or withdrew because they had failed to come up with reliable exploits in time for the contest.
Employees of both Mozilla and Google touted the browsers' survival skills.
"Whew, Firefox survived #pwn2own 2011. This is not a laurel we are resting on, but I'm still happy about it," said Brendan Eich, Mozilla's CTO, in a tweet last week. "Congrats to Chrome surviving, too."
"Both surviving browsers: open source, have bounty programs, have embedded security teams, better at faster fixes. Coincidence?" tweeted Chris Evans, an engineer on the Chrome security team.
Last week's contest was the third consecutive Pwn2Own at which Chrome was not exploited by researchers. It was the first time for Firefox since browsers were designated as targets in 2009.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed. His e-mail address is email@example.com.