Google patches Pwn2Own WebKit bug in Chrome
First browser maker to fix a flaw exploited at last week's hacking contest
Computerworld - Google has patched a WebKit flaw in its Chrome browser that was exploited by a multinational team to hack the BlackBerry Torch smartphone at Pwn2Own.
Although Chrome was unchallenged at Pwn2Own, the browser relies on the open-source WebKit browser engine, and so needed to be patched.
Friday's Chrome update made Google the first browser developer to patch a vulnerability used at Pwn2Own, the hacking contest sponsored by HP TippingPoint and its Zero Day Initiative (ZDI) bug bounty program. Pwn2Own ran Wednesday through Friday and handed out $60,000 in prize money to four individuals or teams.
Last Thursday, Vincenzo Iozzo, Willem Pinckaers and Ralf-Philipp Weinmann won $15,000 by hacking Research in Motion's BlackBerry Torch with an exploit of a WebKit vulnerability in the BlackBerry's browser. The same day, Dion Blazakis and four-time winner Charlie Miller exploited a different WebKit flaw in Apple's Safari browser on the iPhone 4.
As is Google's practice, it locked access to its bug tracker to bar outsiders from viewing the technical details of the just-patched vulnerability. The company blocks public access to flaws for weeks or even months to give users time to update.
Apple, which will need to patch the same WebKit bug that Google addressed, as well as the one that Blazakis and Miller exploited, does not comment on its security update process.
Google also awarded Iozzo, Pinckaers and Weinmann $1,337 from its own bug bounty program, adding to their cash take for the Pwn2Own hack.
Neither Chrome nor Mozilla's Firefox were challenged at last week's Pwn2Own: Researchers who had earlier signed up to take on the browsers didn't show or withdrew because they had failed to come up with reliable exploits in time for the contest.
Employees of both Mozilla and Google touted the browsers' survival skills.
"Whew, Firefox survived #pwn2own 2011. This is not a laurel we are resting on, but I'm still happy about it," said Brendan Eich, Mozilla's CTO, in a tweet last week. "Congrats to Chrome surviving, too."
"Both surviving browsers: open source, have bounty programs, have embedded security teams, better at faster fixes. Coincidence?" tweeted Chris Evans, an engineer on the Chrome security team.
Last week's contest was the third consecutive Pwn2Own that Chrome was not exploited by researchers. It was the first time for Firefox since browsers were designated as targets in 2009.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is email@example.com.
Read more about Malware and Vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.
- Who's Spying on You? You're aware of the threats of malware to your business but what about the ever-changing ground rules? Cybercriminals today are launching attacks against...
- Datacenter eGuide Read on to learn what technologies are essential for high-performing data centers today, and to get a glimpse of what the data center...
- EndPoint Interactive eGuide In this eGuide, Network World, Computerworld, and CIO examine two endpoint trends - BYOD and collaboration - and offer tips and advice on...
- The Business Value of Continuous Delivery Download this whitepaper to learn more about the business value of Continuous Delivery and see why it could be a game changer for...
- It's not too late...Get Your Mobile Questions Answered Live! How can IT provide seamless and secure mobile communications and collaboration for all? Join this live Webcast as IDG asks an expert panel...
- On-demand webinar - 7 Keys to Service Catalog Implementation Success Watch this webinar to learn 7 crucial keys to make your service catalog a success! All Malware and Vulnerabilities White Papers | Webcasts