Google zaps 'PinkiePie' zero-day flaws in Chrome

Summary:Google is withholding technical details of the vulnerabilities and exploit technique, which has been described as "a beautiful piece of work."

Google has wasted no time fixing the security vulnerabilities exploited during last week's CanSecWest Pwnium hacker contest.

The company shipped Chrome version 17.0.963.79 on (Windows, Mac, Linux and Chrome Frame) as a "critical" update and confirmed the $60,000 cash award to the researcher who asked to be identified only as PinkiePie.

follow Ryan Naraine on twitter

Google is withholding technical details of the vulnerabilities and exploit technique, which has been described as "a beautiful piece of work."

  • [Like a b-b-b-b-boss!!! $60,000] [117620] [117656] Critical CVE-2011-3047: Errant plug-in load and GPU process memory corruption. Credit to PinkiePie.

[ SEE: Ten little things to secure your online presence ]

During the contest, PwniePie told me he exploited three different Chrome vulnerabilities but Google's advisory on the fix only lists two bugs and a solitary CVE identification.

PinkiePie's submissions followed a similar drive-by download/code execution issue that won Russian researcher Sergey Glazunov the maximum $60,000 award.  Both hacks included a full bypass of the Chrome sandbox.

Google's Jason Kersey said the two Pwnium vulnerability submissions are "works of art that deserve wider sharing and recognition."

"We plan to do technical reports on both Pwnium submissions in the future," Kersey said.

A third Chrome hack, believed to be linked to the Flash Player plugin, remains unpatched.

Previous Pwn2Own/Pwnium coverage:

  • Teenager hacks Google Chrome with three 0day vulnerabilities
  • Pwn2Own 2012: Google Chrome browser sandbox first to fall
  • CanSecWest Pwnium: Google Chrome hacked with sandbox bypass
  • Charlie Miller skipping Pwn2Own as new rules change hacking game
  • CanSecWest Pwn2Own hacker challenge gets a $105,000 makeover
  • How Google set a trap for Pwn2Own exploit team
  • Researchers hack into newest Firefox with zero-day flaw
  • Video: Microsoft responds to Pwn2Own IE hack
  • Topics: Enterprise Software, Google, Security, Developer


    Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem... Full Bio

    zdnet_core.socialButton.googleLabel Contact Disclosure

    Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

    Related Stories

    The best of ZDNet, delivered

    You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
    Subscription failed.