Google's Chrome OS partially hacked

Summary:While the Linux-based operating system wasn't really cracked at Pwnium, Google has decided to award a hacker $40,000 for finding an unreliable Chrome OS exploit.

As computer security guru Bruce Schneier likes to say, "security is a process, not a product". He was proven right again when Google announced that, while its Linux-based Chrome OS hadn't been cracked in its Pwnium Chrome OS contest , one hacker was successful in creating an unreliable exploit.

chrome-logo
While not cracked open, a hacker was able to pry a bit at Chrome OS in Google's recent Pwnium competition. Image: Google

Specifically, the hacker known as Pinkie Pie, who cracked the Chrome web browser on Windows last year in Google's security contest, "submitted a plausible bug chain involving video parsing, a Linux kernel bug, and a config file error. The submission included an unreliable exploit demonstrating one of the bugs."

Google also thanked him "for honoring the spirit of the competition by disclosing a partial exploit at the deadline, rather than holding on to bugs in lieu of an end-to-end exploit. This means that we can find fixes sooner, target new hardening measures, and keep users safe."

For this, Pie was awarded $40,000. A true browser- or system-level compromise would have been worth $110,000, and one that persisted after a reboot would have brought a talented hacker $150.000.

Google released a new version of Chrome OS, 25.0.1364.173, which patched these potential problems on March 15. We don't know exactly what these bugs were. The exact details are only available, at this time, to Chromium developers. We do know that one had to do with an overflow in the Graphic Processor Unit process, and the other involved the Time-of-Check/Time-of-Use and counting overflows in Intel i915 graphics driver.

That said, Google, well aware of Schneier's rule, added that, "While these security gatherings and live competitions are fun, we also want to highlight the ongoing Chromium Vulnerability Reward Program, which covers not only the Chrome desktop browser, but also all Chrome OS components and Chrome on mobile devices. We've given away more than $900,000 in rewards over the years and we're itching to give more, as engaging the security community is one of the best ways to keep all internet users safe."

Related stories

Topics: Security, Browser, Google, Laptops, Linux

About

Steven J. Vaughan-Nichols, aka sjvn, has been writing about technology and the business of technology since CP/M-80 was the cutting edge, PC operating system; 300bps was a fast Internet connection; WordStar was the state of the art word processor; and we liked it.His work has been published in everything from highly technical publications... Full Bio

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.