Google's Chrome OS partially hacked

Google's Chrome OS partially hacked

Summary: While the Linux-based operating system wasn't really cracked at Pwnium, Google has decided to award a hacker $40,000 for finding an unreliable Chrome OS exploit.

SHARE:

As computer security guru Bruce Schneier likes to say, "security is a process, not a product". He was proven right again when Google announced that, while its Linux-based Chrome OS hadn't been cracked in its Pwnium Chrome OS contest, one hacker was successful in creating an unreliable exploit.

chrome-logo
While not cracked open, a hacker was able to pry a bit at Chrome OS in Google's recent Pwnium competition. (Image: Google)

Specifically, the hacker known as Pinkie Pie, who cracked the Chrome web browser on Windows last year in Google's security contest, "submitted a plausible bug chain involving video parsing, a Linux kernel bug, and a config file error. The submission included an unreliable exploit demonstrating one of the bugs."

Google also thanked him "for honoring the spirit of the competition by disclosing a partial exploit at the deadline, rather than holding on to bugs in lieu of an end-to-end exploit. This means that we can find fixes sooner, target new hardening measures, and keep users safe."

For this, Pie was awarded $40,000. A true browser- or system-level compromise would have been worth $110,000, and one that persisted after a reboot would have brought a talented hacker $150.000.

Google released a new version of Chrome OS, 25.0.1364.173, which patched these potential problems on March 15. We don't know exactly what these bugs were. The exact details are only available, at this time, to Chromium developers. We do know that one had to do with an overflow in the Graphic Processor Unit process, and the other involved the Time-of-Check/Time-of-Use and counting overflows in Intel i915 graphics driver.

That said, Google, well aware of Schneier's rule, added that, "While these security gatherings and live competitions are fun, we also want to highlight the ongoing Chromium Vulnerability Reward Program, which covers not only the Chrome desktop browser, but also all Chrome OS components and Chrome on mobile devices. We've given away more than $900,000 in rewards over the years and we're itching to give more, as engaging the security community is one of the best ways to keep all internet users safe."

Related stories

Topics: Security, Browser, Google, Laptops, Linux

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

57 comments
Log in or register to join the discussion
  • Kudos to all involved

    Google will fix this quickly and Chrome OS users will benefit.
    toddbottom3
    • Oh....

      .... Jeez. What a fanboi!
      Google is incompitent for allowing this to happen.
      Gisabun
      • This is a indicator for a competent Google

        MS is trying to hide or fight back to hackers, but Google award hackers for hacking.

        Who's products will be more secure in the future?
        SmilingGuy
        • In this case

          Try hacking Google's search advertising engine and see if they reward you then.

          Chrome has no commercial significance, so they don't care.
          Henry 3 Dogg
      • Lord of the Rings

        What was the name of that miserable character that crawled and mumbled his deranged thoughts to himself all through ...the gnarled, dried up and deranged one? Ah ... Gollum.
        oldvices@...
  • Chromebooks selling worst than the Suface

    http://bgr.com/2013/03/18/google-chromebook-sales-rumor-383110/

    How did you miss that one SJVN?

    But chromebooks are great... it will kill windows 8 hahaha you're funny.
    Simon Tupper
    • Wow, if true, that's really bad news

      Is this just the Pixel or does this include units that sell at half the price of the Surface RT?
      toddbottom3
      • sales strong enough

        Clearly Google is happy with the sales figures or they wouldn't release the Chromebooks in 7 more European countries.
        kleykenb
      • Just a rumor

        The Article Simon Tupper quoted from is posted as a rumor. That means it might not have any validity. The blogger wasn't willing to vouch for it's accuracy.

        The Articles comments seem to indicate that it is just true of the Pixel (a Cloud Only device priced higher than most laptops).

        The biggest problem reported for Chromebooks is that there is more demand than there is production. There is a waiting list. That would be only true for the low end ones, though. Samsung and Acer have been selling all they can make. Stores don't have them on the shelves for very long either.

        From that, you can make your own deductions. As there aren't really a whole lot of Chromebooks made, you could decide either way.

        For me, it sounds like Google has a hit. It is though a hit I don't need.
        YetAnotherBob
    • Maybe because "Unnamed sources=Unreliable sources"

      From your link:
      "Unnamed sources have told Digitimes that sales of Google Chromebooks have only totaled around 500,000 so far, which gives the Chrome OS less than a 1% share of the notebook market."

      The numbers reported by SJVN were from a named source: Amazon. Maybe your 'Unnamed source" conveniently forgot to include Amazon sales?

      How did you miss that one?
      anothercanuck
      • i did not see any buzz about chromebooks

        Except on some websites, forums and in SJVN's articles
        Simon Tupper
      • Ha

        There are roughly 320k of them in schools alone! That is 150 to 160 per school and at 2k schools using them, that's unite a few.

        I think the unnamed sources are Phil Schiller and Steve Balmer.

        Seriously, think about it, Samsung flat out took a dump on Windows 8 but, never made a single sound about their chromebook sales. So, why do you suppose that is?
        slickjim
        • WRONG .... most schools purchased ONE for testing ...

          ... and Google claimed that as a huge sale.

          This was was discussed to hell and ignorant are still claiming schools made huge purchases.
          wackoae
    • That's not accurate

      They sell out at Best Buy and sell well at Amazon... On top of that, they are always going out of stock at Google so, I seriously doubt there is any validity to this claim.
      slickjim
      • If people stand in line for a product and it sells out

        Then people wait in line tell themselves "wow it sold out fast, it must be a big seller. Then they tell their friends who might also their some of their friends and BOOM with a simple planned shortage you can earn a lot of attention... nothing new... I learned that in macroeconomics in college... I have not been impressed by a product being sold out since then..
        Simon Tupper
        • when you write and explain something at someone..

          I should have read before posting.
          Simon Tupper
      • "They sell out at Best Buy and sell well at Amazon..."

        Can we have some links and actual numbers? SJVN lives in an alternate reality. I would like to see some numbers. Everytime I'm at BB NO one is looking a Chromebooks, and the 20 we had here are collecting dust.
        ScanBack
    • That seems unlikely

      That seems rather unlikely. The Samsung Chromebook is #6 on Amazon's best seller list for all computers and accessories, while I can't find Surface anywhere in the top 100. Surface ranks #45 in the top tablets, meaning that it's not even very popular as a tablet on Amazon, while the Samsung Chromebook has topped its category for months on end.

      Of course, Amazon isn't the entire market, but these stats are so far from what that "sales rumor" claims that I don't take it seriously.
      daengbo
  • Stupid Upper Class US CEO's

    "Pie was award $40,000", so smart of Google. Any other US company would have put him away for 30 years and taken everything his family and children would ever, ever in their lifetimes, own. That's why they are defenseless and Google is solid.
    mbondr