Google blats bugs in Chrome - days before $560k hacking contest

Ads giant stumps up cash, then raises the bar

Pwn2Own 2013: Google patched 10 security vulnerabilities in its web browser Chrome on Monday - two days before the start of Pwn2Own, the annual hacking contest in which experts race to compromise software to win prizes.

The latest update fixes flaws in Chrome's Windows and Linux builds. Six of the 10 holes addressed are rated as "high" risk, the second highest severity rating.

The updates bolster the defences of Chrome ahead of Pwn2Own, which tees off on Wednesday at the CanSecWest security conference in Vancouver, Canada.

Boosting the browser's fortifications obviously benefits the web giant two-fold: if its product remains intact, it gets bragging rights over its rivals, who will also be targeted in the contest. And Google contributed to the competition's $560,000 prize fund, but presumably can claw back unclaimed cash.

Microsoft battled to secure all versions of its Internet Explorer browser, including versions 9 and 10, by issuing two updates in February that collectively squashed 14 security bugs. A cumulative IE update is a regular feature of the Windows giant's monthly Patch Tuesday, but pushing out two is highly unusual. It's suspected that Redmond's security gnomes may have been thinking ahead to Pwn2Own.

Meanwhile, Mozilla updated Firefox on 19 February, fixing eight security bugs in the process, again possibly with one eye towards Pwn2Own.

Pwn2Own 2013 expands the focus of the hackathon beyond phones and web browser vulnerabilities to include hacks that exploit vulnerabilities in Adobe Reader, Adobe Flash and Oracle Java. Prizes will be awarded according to a sliding scale of perceived difficulties. Successful hacks against Google Chrome on Windows 7 will earn $100,000, while pwning IE 9 on Windows 7 is worth $75,000 and Apple Safari on OS X Mountain Lion will earn up to $65,000.

By contrast, exploiting Oracle Java web browser plugins in Internet Explorer 9 on Windows 7 earns a maximum of $20,000, a fifth of the maximum prize for hacking IE 10 on Windows 8 ($100,000). Tellingly, Java exploits also earn less than a third of the $70,000 prize on offer for exploiting either the Adobe Reader or the Flash plugin for IE 9 on Windows 7. In total, $560,000 is up for grabs, a record prize fund.

Upon successful demonstration of an attack, the contestant will be required to provide HP's Zero Day Initiative (ZDI) a fully functioning exploit and all the details of the discovered vulnerability. HP's ZDI and Google are the main sponsors of this year's competition. Successful security researchers also gain possession of the kit they've hacked into as part of their prize, hence the Pwn2Own title of the competition. Past winners of the competition include Charlie Miller, serial exploiter of Apple bugs.

Unlike previous editions of the event, a prize for hacking into smartphones will not be a feature of this year's competition.

The third annual Google-organised Pwnium competition, also taking place at CanSecWest, offers a prize fund of $3,141,590 to researchers who can successfully crack the advertising giant's Chrome OS. Details of this parallel competition can be found in a blog post here. ®
