Google patches Pwn2Own WebKit bug in Chrome
First browser maker to fix a flaw exploited at last week's hacking contest
Computerworld - Google has patched a WebKit flaw in its Chrome browser that was exploited by a multinational team to hack the BlackBerry Torch smartphone at Pwn2Own.
Although Chrome was unchallenged at Pwn2Own, the browser relies on the open-source WebKit browser engine, and so needed to be patched.
Friday's Chrome update made Google the first browser developer to patch a vulnerability used at Pwn2Own, the hacking contest sponsored by HP TippingPoint and its Zero Day Initiative (ZDI) bug bounty program. Pwn2Own ran Wednesday through Friday and handed out $60,000 in prize money to four individuals or teams.
Last Thursday, Vincenzo Iozzo, Willem Pinckaers and Ralf-Philipp Weinmann won $15,000 by hacking Research in Motion's BlackBerry Torch with an exploit of a WebKit vulnerability in the BlackBerry's browser. The same day, Dion Blazakis and four-time winner Charlie Miller exploited a different WebKit flaw in Apple's Safari browser on the iPhone 4.
As is Google's practice, it locked access to its bug tracker to bar outsiders from viewing the technical details of the just-patched vulnerability. The company blocks public access to flaws for weeks or even months to give users time to update.
Apple, which will need to patch the same WebKit bug that Google addressed, as well as the one that Blazakis and Miller exploited, does not comment on its security update process.
Google also awarded Iozzo, Pinckaers and Weinmann $1,337 from its own bug bounty program, adding to their cash take for the Pwn2Own hack.
Neither Chrome nor Mozilla's Firefox were challenged at last week's Pwn2Own: Researchers who had earlier signed up to take on the browsers didn't show or withdrew because they had failed to come up with reliable exploits in time for the contest.
Employees of both Mozilla and Google touted the browsers' survival skills.
"Whew, Firefox survived #pwn2own 2011. This is not a laurel we are resting on, but I'm still happy about it," said Brendan Eich, Mozilla's CTO, in a tweet last week. "Congrats to Chrome surviving, too."
"Both surviving browsers: open source, have bounty programs, have embedded security teams, better at faster fixes. Coincidence?" tweeted Chris Evans, an engineer on the Chrome security team.
Last week's contest was the third consecutive Pwn2Own that Chrome was not exploited by researchers. It was the first time for Firefox since browsers were designated as targets in 2009.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is firstname.lastname@example.org.
Read more about Malware and Vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.
- 2013 Cyber Risk Report The "Cyber risk report 2013 Executive summary" presents the major findings of HP Security Research's comprehensive dive into today's cyber vulnerability and threat...
- Why You Need a Next-Generation Firewall This white paper explores the reasons for implementing next-generation (NG) firewalls and lays out a path to success for overburdened IT organizations.
- Path Selection Infographic Path Selection Infographic
- Hyperconvergence Infographic A wide range of observers agree that data centers are now entering an era of "hyperconvergence" that will raise network traffic levels faster...
- Cloud Knowledge Vault Learn how your organization can benefit from the scalability, flexibility, and performance that the cloud offers through the short videos and other resources...
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users? All Malware and Vulnerabilities White Papers | Webcasts