Google first to patch Pwn2Own WebKit vulnerability

Google first to patch Pwn2Own WebKit vulnerability

Summary: Less that 24 hours after a team of researchers exploited a WebKit security hole to hack into RIM's BlackBerry smart phone, Google has issued a Chrome browser update to address the vulnerability.

SHARE:

VANCOUVER -- Less that 24 hours after a team of researchers exploited a WebKit security hole to hack into RIM's BlackBerry smart phone, Google has issued a Chrome browser update to address the vulnerability.

This makes Google the first vendor to ship a patch in response to the CanSecWest Pwn2Own contest where Willem Pinckaers, Vincenzo Iozzo and Ralf Philipp Weinmann took down the BlackBerry with the WebKit flaw.

follow Ryan Naraine on twitter

[ SEE: BlackBerry falls to WebKit browser hack ]

Google also paid out a $1337 cash prize to the three researchers as part of the vulnerability rewards program.

Details of the vulnerability is being kept under wraps.  Google describes it as a "high risk" memory corruption issue in style handling.

The vulnerable WebKit browser rendering engine also powers Apple's Safari browser and the new browser in RIM's BlackBerry devices.   There is no word yet from Apple or BlackBerry on the timeline for a fix.

Topics: Mobility, Google, Hardware, BlackBerry, Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

10 comments
Log in or register to join the discussion
  • RE: Google first to patch Pwn2Own WebKit vulnerability

    It also obviously powers chrome and the browser used with Android.

    So will the patch be available for phones like the flipout/cliq which Motorola stated they will not update to Froyo?
    alsobannedfromzdnet
    • RE: Google first to patch Pwn2Own WebKit vulnerability

      @alsobannedfromzdnet I think you know the answer to that...

      In the interests of fairness I'd also say the same is true for the original iPhone and the iPhone 3G (though not the iPhone 3GS or iPhone 4).

      Clearly this is an issue for ALL handsets, and will eventually be an issue for all these new fangled "mobile tablets" too.
      jeremychappell
    • RE: Google first to patch Pwn2Own WebKit vulnerability

      google it
      www.awwgame.com
      lariosshow
    • RE: Google first to patch Pwn2Own WebKit vulnerability

      google it :)
      www.awwgame.com
      lariosshow
  • Browser Updates separate from OS!

    What this fool doesn't say is that this vulnerability was not critical to either Android's OS Browser or any other of Google's Browser products. The same vulnerability could not have been used against their products in the same way or else this hacker team would have been happy to collect the extra $20,000 Google had on offer to break their Web Kit browser. This was purely a rapid response to cordon off any possibility of it being used in conjunction with a another vulnerability in the future!

    Just Ryan's way of exposing that he's a bona fide ZDNet Gypsy Circus Barker out to collect views on a non-story!!!
    Monarky
  • Webkit is a piece of trash. Every browser using it is full of security

    holes. And this was after -

    "The patches arrive on the same day of the annual contest, which pits vulnerability researchers and exploit writers against the major web browsers and smart phones. Apple has now followed Google and Mozilla in releasing browser updates ahead of Pwn2Own.
    The new Apple Safari 5.0.4 fixes a total of 62 documented vulnerabilities, most serious enough to allow code execution attacks if a user simply surfs to a booby-trapped web site. The majority of the vulnerabilities are in WebKit, the open-source browser rendering engine."

    Anyone who uses a webkit based browser on any device is just asking to be pwnd and have their device become part of a botnet...
    Johnny Vegas
    • mwaha.. ha... ha.. :O

      @Johnny Vegas There are no Bot Net's using Linux you ignorant FOOL.....! lol.... But now if you were talking about using Linux to make the bot nets then you'd be correct. Linux is a hacker's paradise. Not because it's easy to hack, but because it's the only OS that can be used in a Live Boot situation, where no records are ever kept and nothing is ever written to a hard drive.

      You may be able to hack one session if you are really good at getting past a fully sandboxed browser, that neither IE or Apple's Safari can do on either Windows or OS-X. Maybe Safari is worse than IE, but that's hardly a compliment when the only browser or OS's hacked at PWN2OWN weren't Linux #1 or Chrome Browser! :D

      Say what you will about Google being Skynet or out to sell your lame information, but they are the only ones that have actually worked to keep the Internet FREE. The others...... will sell your soul for a dime and take your money while you get butchered by another Corporations Greed!

      btw... to refresh your memory, the Director of the FBI recommends using a live DVD booted Linux or browser appliance VM to do banking and make purchases online. The reason is quite simple; with a Linux Live Boot you have a Legion of Operating Systems ready to do Battle and.... I've never heard of a Live Booted Linux Distro burned onto a DVD ever being hacked, cracked or even written to..... EVER!!! ......have you? lol..... it's foolish to think the way you do.... fool!!! ;)
      Monarky
      • RE: Google first to patch Pwn2Own WebKit vulnerability

        @Monarky ummmm, yes. one of the largest bot nets in the world were using an apache exploit running Linux.
        Your Non Advocate
      • what?

        @Monarky

        Linux is safe, Apache (and other service) are not but Linux's admin "fool" it, and run Apache as a restricted user ("nobody") this user can't do anything in the system but to run themself and to connect to internet, just enough to serve as a bot net.
        magallanes
  • RE: Google first to patch Pwn2Own WebKit vulnerability

    Well done! Thank you very much for professional templates and community edition
    <a href="http://www.yuregininsesi.com" title="seslichat">sesli chat</a> <a href="http://www.yuregininsesi.com" title="seslisohbet">sesli sohbet</a>
    talih