Google patches $310K worth of Chrome, Chrome OS bugs

First browser maker to fix flaws revealed in Pwn2Own hacking contest

Google on Friday patched several vulnerabilities in Chrome and Chrome OS within 48 hours of their disclosures at last week's Pwn2Own and Pwnium hacking contests.

While all four targeted browsers -- Chrome, Apple's Safari, Mozilla's Firefox and Microsoft's Internet Explorer -- fell to researchers at the cash prize contest, Google's was the only one to have fixed flaws as of Sunday.

Four vulnerabilities were patched in Chrome to close the holes used by a team from Vupen -- the French vulnerability research firm and seller of zero-day bugs to government and law enforcement agencies -- and an anonymous researcher. Both had cracked Chrome on Thursday afternoon at Pwn2Own, the Zero Day Initiative (ZDI)-sponsored hacking contest.

Google posted its usual terse descriptions of the four bugs exploited by Vupen and the unnamed researcher in a short note about an available update for Chrome 33.

The Mountain View, Calif. search giant also promised to publish more about the two successful hacks of Chrome. "We anticipate landing additional changes and hardening measures for these vulnerabilities in the near future," wrote Anthony Laforge, technical program manager for Chrome, on the release note. "We also believe that both submissions are works of art and deserve wider sharing and recognition. We plan to do technical reports on both Pwn2Own submissions in the future."

Google did the same last year in a write-up two months after others cracked Chrome at 2013's Pwn2Own.

Vupen won $100,000 for its Chrome hack -- part of a record $400,000 awarded the team -- while the anonymous researcher walked away with $60,000. The latter's award had been reduced because his or her attack had relied in part on a vulnerability that had been revealed the day before at Pwnium, Google's own challenge.

All told, ZDI -- the bug bounty program operated by HP TippingPoint -- and co-sponsor Google paid out $850,000 in prize money at last week's Pwn2Own, nearly twice the amount of the prior record from last year.

Google also patched seven vulnerabilities, including a rare bug rated "critical," the company's highest threat ranking, in Chrome OS, the browser-based operating system that powers the inexpensive Chromebook laptops.

Those vulnerabilities were disclosed Wednesday at Pwnium, the other hacking contest at CanSecWest, the security conference that took place in Vancouver, British Columbia last week. Unlike Pwn2Own, Pwnium was a Google-only contest.

George Hotz, also known as "geohot," a noted iPhone and Sony PlayStation 3 hacker, was handed $150,000 by Google for a four-vulnerability chain that Google called "an epic Pwnium competition win." Hotz also participated in Pwn2Own, where he was one of four teams or individuals to bring down Firefox for a $50,000 cash prize.

The other Pwnium contestant, "Pinkie Pie," a researcher who has won several prizes, used two vulnerabilities to partially hack Chrome within Chrome OS, but Google has not yet set an award.

As with the Chrome exploits applied in Pwn2Own, those aimed at Chrome OS will be revealed in greater detail at a later date, Google said.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His email address is

See more by Gregg Keizer on

Copyright © 2014 IDG Communications, Inc.

It’s time to break the ChatGPT habit
Shop Tech Products at Amazon