ie8 fix
madison

Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev
Home / News & Blogs / Zero Day

Google first to patch Pwn2Own WebKit vulnerability

By | March 11, 2011, 8:47pm PST

Summary: Less that 24 hours after a team of researchers exploited a WebKit security hole to hack into RIM’s BlackBerry smart phone, Google has issued a Chrome browser update to address the vulnerability.

VANCOUVER — Less that 24 hours after a team of researchers exploited a WebKit security hole to hack into RIM’s BlackBerry smart phone, Google has issued a Chrome browser update to address the vulnerability.

This makes Google the first vendor to ship a patch in response to the CanSecWest Pwn2Own contest where Willem Pinckaers, Vincenzo Iozzo and Ralf Philipp Weinmann took down the BlackBerry with the WebKit flaw.

follow Ryan Naraine on twitter

[ SEE: BlackBerry falls to WebKit browser hack ]

Google also paid out a $1337 cash prize to the three researchers as part of the vulnerability rewards program.

Details of the vulnerability is being kept under wraps.  Google describes it as a “high risk” memory corruption issue in style handling.

The vulnerable WebKit browser rendering engine also powers Apple’s Safari browser and the new browser in RIM’s BlackBerry devices.   There is no word yet from Apple or BlackBerry on the timeline for a fix.

Kick off your day with ZDNet's daily e-mail newsletter. It's the freshest tech news and opinion, served hot. Get it.

More from “Zero Day”

Topics

Google Inc., Vulnerability, RIM BlackBerry, Handhelds, Security, Hardware, Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues.

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a member of the global research and analysis team. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

Related Discussions on TechRepublic

Did you know you can take part in these discussions with your ZDNet membership?
Ask a Question Start a Discussion
10
Comments
Add Your Opinion

Join the conversation!

Just In

RE: Google first to patch Pwn2Own WebKit vulnerability
talih Updated - 12th Aug
Well done! Thank you very much for professional templates and community edition
sesli chat sesli sohbet
View in thread
0 Votes
+ -
RE: Google first to patch Pwn2Own WebKit vulnerability
alsobannedfromzdnet 11th Mar 2011
It also obviously powers chrome and the browser used with Android.

So will the patch be available for phones like the flipout/cliq which Motorola stated they will not update to Froyo?
0 Votes
+ -
RE: Google first to patch Pwn2Own WebKit vulnerability
jeremychappell 12th Mar 2011
@alsobannedfromzdnet I think you know the answer to that...

In the interests of fairness I'd also say the same is true for the original iPhone and the iPhone 3G (though not the iPhone 3GS or iPhone 4).

Clearly this is an issue for ALL handsets, and will eventually be an issue for all these new fangled "mobile tablets" too.
0 Votes
+ -
RE: Google first to patch Pwn2Own WebKit vulnerability
lariosshow 17th Mar 2011
google it
www.awwgame.com
0 Votes
+ -
RE: Google first to patch Pwn2Own WebKit vulnerability
lariosshow 17th Mar 2011
google it happy
www.awwgame.com
0 Votes
+ -
Browser Updates separate from OS!
Monarky 12th Mar 2011
What this fool doesn't say is that this vulnerability was not critical to either Android's OS Browser or any other of Google's Browser products. The same vulnerability could not have been used against their products in the same way or else this hacker team would have been happy to collect the extra $20,000 Google had on offer to break their Web Kit browser. This was purely a rapid response to cordon off any possibility of it being used in conjunction with a another vulnerability in the future!

Just Ryan's way of exposing that he's a bona fide ZDNet Gypsy Circus Barker out to collect views on a non-story!!!
0 Votes
+ -
Webkit is a piece of trash. Every browser using it is full of security
Johnny Vegas 12th Mar 2011
holes. And this was after -

"The patches arrive on the same day of the annual contest, which pits vulnerability researchers and exploit writers against the major web browsers and smart phones. Apple has now followed Google and Mozilla in releasing browser updates ahead of Pwn2Own.
The new Apple Safari 5.0.4 fixes a total of 62 documented vulnerabilities, most serious enough to allow code execution attacks if a user simply surfs to a booby-trapped web site. The majority of the vulnerabilities are in WebKit, the open-source browser rendering engine."

Anyone who uses a webkit based browser on any device is just asking to be pwnd and have their device become part of a botnet...
0 Votes
+ -
mwaha.. ha... ha..
Monarky 12th Mar 2011
@Johnny Vegas There are no Bot Net's using Linux you ignorant FOOL.....! lol.... But now if you were talking about using Linux to make the bot nets then you'd be correct. Linux is a hacker's paradise. Not because it's easy to hack, but because it's the only OS that can be used in a Live Boot situation, where no records are ever kept and nothing is ever written to a hard drive.

You may be able to hack one session if you are really good at getting past a fully sandboxed browser, that neither IE or Apple's Safari can do on either Windows or OS-X. Maybe Safari is worse than IE, but that's hardly a compliment when the only browser or OS's hacked at PWN2OWN weren't Linux #1 or Chrome Browser! grin

Say what you will about Google being Skynet or out to sell your lame information, but they are the only ones that have actually worked to keep the Internet FREE. The others...... will sell your soul for a dime and take your money while you get butchered by another Corporations Greed!

btw... to refresh your memory, the Director of the FBI recommends using a live DVD booted Linux or browser appliance VM to do banking and make purchases online. The reason is quite simple; with a Linux Live Boot you have a Legion of Operating Systems ready to do Battle and.... I've never heard of a Live Booted Linux Distro burned onto a DVD ever being hacked, cracked or even written to..... EVER!!! ......have you? lol..... it's foolish to think the way you do.... fool!!! wink
0 Votes
+ -
RE: Google first to patch Pwn2Own WebKit vulnerability
facebook@... 13th Mar 2011
@Monarky ummmm, yes. one of the largest bot nets in the world were using an apache exploit running Linux.
0 Votes
+ -
what?
magallanes 14th Mar 2011
@Monarky

Linux is safe, Apache (and other service) are not but Linux's admin "fool" it, and run Apache as a restricted user ("nobody") this user can't do anything in the system but to run themself and to connect to internet, just enough to serve as a bot net.
0 Votes
+ -
RE: Google first to patch Pwn2Own WebKit vulnerability
talih Updated - 12th Aug
Well done! Thank you very much for professional templates and community edition
sesli chat sesli sohbet

Join the conversation!

Formatting +
BB Codes - Note: HTML is not supported in forums
  • [b] Bold [/b]
  • [i] Italic [/i]
  • [u] Underline [/u]
  • [s] Strikethrough [/s]
  • [q] "Quote" [/q]
  • [ol][*] 1. Ordered List [/ol]
  • [ul][*] · Unordered List [/ul]
  • [pre] Preformat [/pre]
  • [quote] "Blockquote" [/quote]
ie8 fix
Click Here
ie8 fix

The best of ZDNet, delivered

ZDNet Newsletters

Get the best of ZDNet delivered straight to your inbox

Facebook Activity

Blog Roll

Blog Archive

White Papers, Webcasts, & Resources
ie8 fix
ie8 fix