Google Chrome gets last-minute bandaid before Pwn2Own


Summary: Google isn't taking any chances with this year's CanSecWest Pwn2Own hacker challenge. Just days before the annual contest where hackers are invited to break into the three main web browsers, Google pushed out another Chrome patch to fix a whopping 24 security holes.

Topics: Browser, Google, Security

Google isn't taking any chances with this year's CanSecWest Pwn2Own hacker challenge.

Just days before the annual contest where hackers are invited to break into the three main web browsers, Google pushed out another Chrome patch to fix a whopping 24 security holes. The majority of these vulnerabilities are rated "High" severity, the class of bugs (memory corruption, use-after-free, stale pointers) that can typically be turned into remote code execution inside the renderer.

As part of its bug-bounty program, Google paid out more than $16,000 to researchers who reported these Chrome vulnerabilities.

SEE: Pwn2Own 2011: Google offering $20,000 for Chrome sandbox exploit

follow Ryan Naraine on twitter

This is the second major security update for Google Chrome within a few days. Last week, Google released Chrome 9.0.597.107 (all platforms) to cover a total of 18 security holes, most rated "high-risk." Last week's update included a $14,000 cash payout.

This year's Pwn2Own contest will have a special emphasis on Google Chrome after Google announced it would put up a $20,000 cash prize for any hacker who can successfully compromise a Windows 7 machine via a vulnerability — and sandbox escape — in Chrome.

So far, two hacking teams have announced an interest in attacking the Chrome sandbox.


Here are the raw details on the latest patch (Google Chrome 10.0.648.127) from Google's Jason Kersey:

  • [42574] [42765] Low Possible to navigate or close the top location in a sandboxed frame. Credit to sirdarckcat of the Google Security Team.
  • [Linux only] [49747] Low Work around an X server bug and crash with long messages. Credit to Louis Lang.
  • [Linux only] [66962] Low Possible browser crash with parallel print()s. Credit to Aki Helin of OUSPG.
  • [$1337] [69187] Medium Cross-origin error message leak. Credit to Daniel Divricean.
  • [$500] [69628] High Memory corruption with counter nodes. Credit to Martin Barbella.
  • [$1000] [70027] High Stale node in box layout. Credit to Martin Barbella.
  • [$500] [70336] Medium Cross-origin error message leak with workers. Credit to Daniel Divricean.
  • [$1000] [70442] High Use after free with DOM URL handling. Credit to Sergey Glazunov.
  • [Linux only] [70779] Medium Out of bounds read handling unicode ranges. Credit to miaubiz.
  • [$1337] [70877] High Same origin policy bypass in v8. Credit to Daniel Divricean.
  • [70885] [71167] Low Pop-up blocker bypasses. Credit to Chamal de Silva.
  • [$1000] [71763] High Use-after-free in document script lifetime handling. Credit to miaubiz.
  • [71788] High Out-of-bounds write in the OGG container. Credit to Google Chrome Security Team (SkyLined); plus subsequent independent discovery by David Weston of Microsoft and MSVR.
  • [$1000] [72028] High Stale pointer in table painting. Credit to Martin Barbella.
  • [73026] High Use of corrupt out-of-bounds structure in video code. Credit to Tavis Ormandy of the Google Security Team.
  • [$1000] [73066] High Crash with the DataView object. Credit to Sergey Glazunov.
  • [$1000] [73134] High Bad cast in text rendering. Credit to miaubiz.
  • [$2000] [73196] High Stale pointer in WebKit context code. Credit to Sergey Glazunov.
  • [73716] Low Leak of heap address in XSLT. Credit to Google Chrome Security Team (Chris Evans).
  • [$1500] [73746] High Stale pointer with SVG cursors. Credit to Sergey Glazunov.
  • [$1000] [74030] High DOM tree corruption with attribute handling. Credit to Sergey Glazunov.
  • [$1000] [74662] High Corruption via re-entrancy of RegExp code. Credit to Christian Holler.
  • [$1000] [74675] High Invalid memory access in v8. Credit to Christian Holler.
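The entries above follow a fixed layout: an optional [$bounty] tag, an optional platform tag such as [Linux only], one or more [bug id] tokens, a severity word, a description, and a credit. The parser below is an added illustration (it is not part of the article or of Google's release notes) that turns such lines into records and tallies severity and bounty, which is how a practitioner would check a claim like "majority rated high" or "more than $16,000 paid" against a release note rather than taking it on faith. The sample input is a subset of the list above; the function names and the inclusion of "Critical" in the accepted severity words are this example's own assumptions.

```python
"""Parse Chrome release-note security entries into structured records.

Added example, not code from the article or from Google. Each entry has
the shape:

    [$bounty]? [Platform only]? [bugid]+ Severity Description. Credit to X.
"""
import re
from collections import Counter

# Constructed sample: a subset of the 10.0.648.127 entries quoted above.
RELEASE_NOTES = """\
[42574] [42765] Low Possible to navigate or close the top location in a sandboxed frame. Credit to sirdarckcat of the Google Security Team.
[Linux only] [49747] Low Work around an X server bug and crash with long messages. Credit to Louis Lang.
[$1337] [69187] Medium Cross-origin error message leak. Credit to Daniel Divricean.
[$500] [69628] High Memory corruption with counter nodes. Credit to Martin Barbella.
[$1000] [70442] High Use after free with DOM URL handling. Credit to Sergey Glazunov.
[$1337] [70877] High Same origin policy bypass in v8. Credit to Daniel Divricean.
[71788] High Out-of-bounds write in the OGG container. Credit to Google Chrome Security Team (SkyLined); plus subsequent independent discovery by David Weston of Microsoft and MSVR.
[$2000] [73196] High Stale pointer in WebKit context code. Credit to Sergey Glazunov.
[$1500] [73746] High Stale pointer with SVG cursors. Credit to Sergey Glazunov.
"""

# Severity word, description up to the first ". Credit to", then the credit.
# "Critical" is assumed here as a fourth level; it does not occur above.
TAIL_RE = re.compile(r"(Critical|High|Medium|Low)\s+(.*?)\.\s+Credit to\s+(.*?)\.?$")


def parse_entry(line):
    """Parse one release-note line into a dict, or return None if it is
    not a security entry (e.g. a heading or blank line)."""
    rest = line.strip()
    entry = {"bounty": 0, "platform": None, "ids": []}
    # Consume the leading bracketed tokens and classify each one.
    while rest.startswith("["):
        end = rest.find("]")
        if end < 0:
            return None
        tok = rest[1:end]
        rest = rest[end + 1:].lstrip()
        if tok.startswith("$") and tok[1:].isdigit():
            entry["bounty"] = int(tok[1:])       # reward paid for the report
        elif tok.isdigit():
            entry["ids"].append(int(tok))        # chromium bug id(s)
        else:
            entry["platform"] = tok              # e.g. "Linux only"
    m = TAIL_RE.match(rest)
    if not m or not entry["ids"]:
        return None
    entry["severity"], entry["description"], entry["credit"] = m.groups()
    return entry


def summarize(text):
    """Tally entries, bug ids, severity distribution and total bounty."""
    entries = [e for e in (parse_entry(l) for l in text.splitlines()) if e]
    severity = Counter(e["severity"] for e in entries)
    high = severity["High"] + severity["Critical"]
    return {
        "entries": len(entries),
        "bug_ids": sum(len(e["ids"]) for e in entries),
        "severity": dict(severity),
        "total_bounty": sum(e["bounty"] for e in entries),
        "high_or_critical_majority": high > len(entries) / 2,
    }


if __name__ == "__main__":
    for key, value in summarize(RELEASE_NOTES).items():
        print(f"{key}: {value}")
```

Run against the full list in the article, the same code gives the numbers the text summarises: bounties sum to a little over $16,000 and High entries outnumber Medium and Low combined.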



Talkback

11 comments
  • Guess we'll see what happens.

    Guess we'll see what happens. Most of the previous competitions demonstrated that any browser can have holes.
    CobraA1
  • Why wait till Pwn2Own?

    If google really cared about this they would have patched it long ago to protect their CUSTOMERS, not do it to protect their reputation before the hacking contest!
    Will Farrell
    • RE: Google Chrome gets last-minute bandaid before Pwn2Own

      @Will Farrell

      Dammit Farrell, didn't you read the article? These were found out by users and most were paid for their discovery. Do you see a timeline here on when they were found? Perhaps all were within the time frame between this update and the last. How long was that? What, you expect these patches to be made in hours? A patch is made, another vulnerability is found and the patch has to then accommodate that fix, now add another 22 vulnerabilities and there you have it. Jesus, with you fricken spammers on every last thing that isn't exactly what you use. GET OVER IT!
      KBot
      • Why wouldn't he?

        @KBot: "What you expect these patches to be made in hours?"

        The Linux fanboys have advocated how quickly OSS is patched and demonized Microsoft for waiting until the second Tuesday of each month before releasing their patches.
        ye
    • RE: Google Chrome gets last-minute bandaid before Pwn2Own

      @Will Farrell Obviously, you didn't know that Google announced they would be offering this cash prize for hackers months and months ago. This isn't anything new and out of left field. I don't think their reputation needs protecting, considering they are rocking pretty hard with Android, WebOS is making a big noise, and Chrome has always been awesome. So what exactly needs protecting?
      Bates_
  • RE: Google Chrome gets last-minute bandaid before Pwn2Own

    Which version is going to be in pwn2own? The article mentions 9 and 10. I don't use chrome but I thought 9 was stable and 10 was the dev version.
    Loverock Davidson
    • RE: Google Chrome gets last-minute bandaid before Pwn2Own

      @Loverock Davidson 9 was stable, 10 Beta and 11 Dev. From today 10 is stable and 11 is Beta. (http://googleblog.blogspot.com/2011/03/speedier-simpler-and-safer-chromes.html)
      anothersmartguy
  • RE: Google Chrome gets last-minute bandaid before Pwn2Own

    I think it's nice of Google to pay a bounty to people who find issues, instead of threatening to sue them like a certain big software company does.
    anothercanuck
  • RE: Google Chrome gets last-minute bandaid before Pwn2Own

    I think it's great that Google has replaced quality control with hobbyist nerds.

    Apparently they work cheap as well ;-)
    tonymcs@...
  • Google's Gaping security hole

    The biggest security holes are Google's creepy engineers.
    iPad-awan
  • The end product is what matters.

    Google have produced a secure, compliant browser and lead the way in supporting evolving standards and features. Firefox and Opera are similar. All three also work on Linux and Apple machines.

    What exactly is the problem that some seem to have with that?

    Microsoft haven't exactly contributed to browser development; we had virtual stagnation with IE6 from 2001-2006.

    Why do the MS fanboys think that changed?

    Look at the damage IE has done in terms of standards corruption.

    Microsoft only respond when their revenue stream is threatened; they are the antithesis of a progressive company.
    Chipesh