Google zaps 'PinkiePie' zero-day flaws in Chrome

Google has wasted no time fixing the security vulnerabilities exploited during last week's CanSecWest Pwnium hacker contest.

The company shipped Chrome version 17.0.963.79 on (Windows, Mac, Linux and Chrome Frame) as a "critical" update and confirmed the $60,000 cash award to the researcher who asked to be identified only as PinkiePie.

Google is withholding technical details of the vulnerabilities and exploit technique, which has been described as "a beautiful piece of work."

• [Like a b-b-b-b-boss!!! $60,000] [117620] [117656] Critical CVE-2011-3047: Errant plug-in load and GPU process memory corruption. Credit to PinkiePie.

[ SEE: Ten little things to secure your online presence ]

During the contest, PwniePie told me he exploited three different Chrome vulnerabilities but Google's advisory on the fix only lists two bugs and a solitary CVE identification.

PinkiePie's submissions followed a similar drive-by download/code execution issue that won Russian researcher Sergey Glazunov the maximum $60,000 award.  Both hacks included a full bypass of the Chrome sandbox.

Google's Jason Kersey said the two Pwnium vulnerability submissions are "works of art that deserve wider sharing and recognition."

"We plan to do technical reports on both Pwnium submissions in the future," Kersey said.

A third Chrome hack, believed to be linked to the Flash Player plugin, remains unpatched.

Previous Pwn2Own/Pwnium coverage:

Teenager hacks Google Chrome with three 0day vulnerabilities

Pwn2Own 2012: Google Chrome browser sandbox first to fall

CanSecWest Pwnium: Google Chrome hacked with sandbox bypass

Charlie Miller skipping Pwn2Own as new rules change hacking game

CanSecWest Pwn2Own hacker challenge gets a $105,000 makeover

How Google set a trap for Pwn2Own exploit team

Researchers hack into newest Firefox with zero-day flaw

Video: Microsoft responds to Pwn2Own IE hack