Google blats bugs in Chrome - days before $560k hacking contest

Ads giant stumps up cash, then raises the bar

Google patched 10 security vulnerabilities in its web browser Chrome on Monday - two days before the start of Pwn2Own, the annual hacking contest in which experts race to compromise software to win prizes.

The latest update fixes flaws in Chrome's Windows and Linux builds. Six of the 10 holes addressed are rated as "high" risk, the second highest severity rating.

The updates bolster the defences of Chrome ahead of Pwn2Own, which tees off on Wednesday at the CanSecWest security conference in Vancouver, Canada.

Boosting the browser's fortifications obviously benefits the web giant two-fold: if its product survives the contest intact, it gets bragging rights over its rivals, whose browsers will also be targeted. And Google contributed to the competition's $560,000 prize fund, so it presumably gets to claw back any cash that goes unclaimed.

Microsoft battled to secure all versions of its Internet Explorer browser, including versions 9 and 10, by issuing two updates in February that collectively squashed 14 security bugs. A cumulative IE update is a regular feature of the Windows giant's monthly Patch Tuesday, but pushing out two is highly unusual. It's suspected that Redmond's security gnomes may have been thinking ahead to Pwn2Own.

Meanwhile, Mozilla updated Firefox on 19 February, fixing eight security bugs in the process, again possibly with one eye towards Pwn2Own.

Pwn2Own 2013 expands the focus of the hackathon beyond phones and web browser vulnerabilities to include hacks that exploit vulnerabilities in Adobe Reader, Adobe Flash and Oracle Java. Prizes will be awarded according to a sliding scale of perceived difficulties. Successful hacks against Google Chrome on Windows 7 will earn $100,000, while pwning IE 9 on Windows 7 is worth $75,000 and Apple Safari on OS X Mountain Lion will earn up to $65,000.

By contrast, exploiting the Oracle Java web browser plugin in Internet Explorer 9 on Windows 7 earns a maximum of $20,000, a fifth of the top prize for hacking IE 10 on Windows 8 ($100,000). Tellingly, a Java exploit is also worth less than a third of the $70,000 on offer for exploiting either the Adobe Reader or the Adobe Flash plugin in IE 9 on Windows 7. In total, $560,000 is up for grabs, a record prize fund.

Upon successful demonstration of an attack, the contestant will be required to provide HP's Zero Day Initiative (ZDI) with a fully functioning exploit and full details of the vulnerability it relies on. HP's ZDI and Google are the main sponsors of this year's competition. Successful researchers also get to keep the kit they've hacked into as part of their prize, hence the competition's Pwn2Own title. Past winners include Charlie Miller, serial exploiter of Apple bugs.

Unlike previous editions of the event, a prize for hacking into smartphones will not be a feature of this year's competition.

The third annual Google-organised Pwnium competition, also taking place at CanSecWest, offers a prize fund of $3,141,590 to researchers who can successfully crack the advertising giant's Chrome OS. Google has published details of this parallel competition in a blog post. ®
