Feeds

Google blats bugs in Chrome - days before $560k hacking contest

Ads giant stumps up cash, then raises the bar

Using blade systems to cut costs and sharpen efficiencies

Pwn2Own 2013 Google patched 10 security vulnerabilities in its web browser Chrome on Monday - two days before the start of Pwn2Own, the annual hacking contest in which experts race to compromise software to win prizes.

The latest update fixes flaws in Chrome's Windows and Linux builds. Six of the 10 holes addressed are rated as "high" risk, the second highest severity rating.

The updates bolster the defences of Chrome ahead of Pwn2Own, which tees off on Wednesday at the CanSecWest security conference in Vancouver, Canada.

Boosting the browser's fortifications obviously benefits the web giant two-fold: if its product remains intact, it gets bragging rights over its rivals, who will also be targeted in the contest. And Google contributed to the competition's $560,000 prize fund, but presumably can claw back unclaimed cash.

Microsoft battled to secure all versions of its Internet Explorer browser, including versions 9 and 10, by issuing two updates in February that collectively squashed 14 security bugs. A cumulative IE update is a regular feature of the Windows giant's monthly Patch Tuesday, but pushing out two is highly unusual. It's suspected that Redmond's security gnomes may have been thinking ahead to Pwn2Own.

Meanwhile, Mozilla updated Firefox on 19 February, fixing eight security bugs in the process, again possibly with one eye towards Pwn2Own.

Pwn2Own 2013 expands the focus of the hackathon beyond phones and web browser vulnerabilities to include hacks that exploit vulnerabilities in Adobe Reader, Adobe Flash and Oracle Java. Prizes will be awarded according to a sliding scale of perceived difficulties. Successful hacks against Google Chrome on Windows 7 will earn $100,000, while pwning IE 9 on Windows 7 is worth $75,000 and Apple Safari on OS X Mountain Lion will earn up to $65,000.

By contrast, exploiting Oracle Java web browser plugins in Internet Explorer 9 on Windows 7 earns a maximum of $20,000, five times less than the maximum prize for hacking IE 10 on Windows 8 ($100,000). Tellingly, Java exploits also earn less than a third of the $70,000 prize for exploiting either Adobe Reader or Flash plugins for IE 9 on Windows 7, each of which earns $70,000. In total, $560,000 is up for grabs, a record prize fund.

Upon successful demonstration of an attack, the contestant will be required to provide HP's Zero Day Initiative (ZDI) a fully functioning exploit and all the details of the discovered vulnerability. HP's ZDI and Google are the main sponsors of this year's competition. Successful security researchers also gain possession of the kit they've hacked into as part of their prize, hence the Pwn2Own title of the competition. Past winners of the competition include Charlie Miller, serial exploiter of Apple bugs.

Unlike previous editions of the event, a prize for hacking into smartphones will not be a feature of this year's competition.

The third annual Google-organised Pwnium competition, also taking place at CanSecWest, offers a prize fund of $3,141,590 to researchers who can successfully crack the advertising giant's Chrome OS. Details of this parallel competition can be found in a blog post here. ®

The smart choice: opportunity from uncertainty

More from The Register

next story
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Black Hat anti-Tor talk smashed by lawyers' wrecking ball
Unmasking hidden users is too hot for Carnegie-Mellon
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Own a Cisco modem or wireless gateway? It might be owned by someone else, too
Remote code exec in HTTP server hands kit to bad guys
prev story

Whitepapers

Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.