Google rushes out Chrome patch for Pwnium zero-day flaws

Summary: According to a Google advisory, the zero-day flaws involved universal cross-site scripting (UXSS) and bad history navigation.

VANCOUVER -- The Google Chrome security team wasted no time fixing the gaping security holes exploited by a Russian university student as part of this year's inaugural Pwnium hacker challenge.

Less than 24 hours after Sergey Glazunov hacked into a fully patched Windows 7 machine with a pair of Chrome zero-day flaws, Google rushed out a patch for Windows, Mac OS X, Linux and Chrome Frame users.

Technical details of the vulnerabilities are being kept under wraps until the patch is pushed out via the browser's silent/automatic update mechanism.

Follow Ryan Naraine on Twitter

According to Google's advisory, the flaws involved universal cross-site scripting (UXSS) and bad history navigation.

  • [Ch-ch-ch-ch-ching!!! $60,000] [117226] [117230] Critical CVE-2011-3046: UXSS and bad history navigation. Credit to Sergey Glazunov.

Glazunov's exploit also bypassed the Chrome sandbox to execute code with the full permissions of the logged-on user.

The Google browser was also popped by a hacking team from VUPEN, and there's speculation that a vulnerability in the Flash Player plugin was exploited in that attack. VUPEN co-founder Chaouki Bekrar told me that the flaw existed in the default installation of Chrome, but he declined to say whether the faulty code was created by Google or a third-party vendor.

The Flash Player plugin in Chrome runs in a weaker sandbox than the full browser and has always been a tempting target for attackers.

Google is working on moving Flash into the more robust sandbox, and I'm told this will happen before the end of this year.


    Talkback

    13 comments
    • Kudos Google...

      Two things have impressed me. First, that Google responded so quickly to patch a discovered vulnerability, unlike some other companies. (Adobe, M$FT) Secondly, the behind-the-scenes update mechanism that Google employs makes getting these patches seamless. All software should follow that example, not just web browsers.
      rplace@...
      • Why have they not patched earlier exploits in Chrome then?

        It would appear that Google'$ "behind-the-scenes update mechanism" is failing them, and the users of their products.
        :|
        Tim Cook
        • Why?

          Please do explain how it's failing, in detail?
          daikon
      • Almost as easy...

        Unlike the bad guys you refer to (Adobe, M$FT), Google's Chrome is probably not going to break the compatibility of some mission-critical software at a 400,000-employee bank. It all would be very easy if no testing were needed, anywhere!
        caygill
      • I wonder???

        Isn't one of these items the one that M$FT warned us and Goo&gle about, a month or so ago? Some Goo&gle fans said it was not possible and was Microsoft's problem??? Well, we don't have to Goo&gle it anymore to find out!!
        eargasm
    • Google rushes out Chrome patch for Pwnium zero-day flaws

      Kudos to the Chrome team.
      daikon
    • That's fast!

      However, the vulnerability that VUPEN used to hack Chrome yesterday was not patched. And the vulnerability that VUPEN used to hack Chrome last May, 2011, has not been patched yet either.

      One wonders how many unreported IE, Firefox, Safari and Opera vulnerabilities VUPEN (and similar outfits) has created exploits for. Not to mention Flash Player and Java. And does VUPEN also discover/buy vulnerabilities to create exploits for Mac OS X and desktop Linux?
      Rabid Howler Monkey
      • You mean...

        [i]And does VUPEN also discover/buy vulnerabilities to create exploits for Mac OS X and desktop Linux?[/i]

        You mean did some of their pals get busted in that Russian raid last year? Good question.
        ScorpioBlack
      • How do you know that for sure?

        I'm not in the loop, so I'm honestly asking the question, not just trolling. How do you know that none of the Chrome updates since last year have addressed the VUPEN exploit, or that the patch released today didn't potentially address the Flash exploit as well? I know VUPEN didn't hand over their exploits to Google, but they basically told them where to look.
        LoveMyNexus
    • Most important thing is missing

      Is Google also patching its sandbox, which was supposedly also bypassed by Glazunov?
      IE9
    • I still love you, Chrome...

      Vulnerabilities... What doesn't have them? They do need to patch it, and every other major company on earth needs to be constantly vigilant as well.

      It's the game we play by having modern toys, and no one is truly immune (Regardless of marketing "geniuses" or "fanboys" telling you that).
      thoiness
      • Well..

        [i]Regardless of marketing "geniuses" or "fanboys" telling you that[/i]

        Since you're talking about yourself, we'll keep that in mind.
        ScorpioBlack
        • Well...

          I know you are, but what am I?
          tarscrap