Google's Chrome OS partially hacked

While the Linux-based operating system wasn't really cracked at Pwnium, Google has decided to award a hacker $40,000 for finding an unreliable Chrome OS exploit.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

As computer security guru Bruce Schneier likes to say, "security is a process, not a product". He was proven right again when Google announced that, while its Linux-based Chrome OS hadn't been cracked in its Pwnium Chrome OS contest, one hacker was successful in creating an unreliable exploit.

While not cracked open, a hacker was able to pry a bit at Chrome OS in Google's recent Pwnium competition.
Image: Google

Specifically, the hacker known as Pinkie Pie, who cracked the Chrome web browser on Windows last year in Google's security contest, "submitted a plausible bug chain involving video parsing, a Linux kernel bug, and a config file error. The submission included an unreliable exploit demonstrating one of the bugs."

Google also thanked him "for honoring the spirit of the competition by disclosing a partial exploit at the deadline, rather than holding on to bugs in lieu of an end-to-end exploit. This means that we can find fixes sooner, target new hardening measures, and keep users safe."

For this, Pie was awarded $40,000. A true browser- or system-level compromise would have been worth $110,000, and one that persisted after a reboot would have brought a talented hacker $150.000.

Google released a new version of Chrome OS, 25.0.1364.173, which patched these potential problems on March 15. We don't know exactly what these bugs were. The exact details are only available, at this time, to Chromium developers. We do know that one had to do with an overflow in the Graphic Processor Unit process, and the other involved the Time-of-Check/Time-of-Use and counting overflows in Intel i915 graphics driver.

That said, Google, well aware of Schneier's rule, added that, "While these security gatherings and live competitions are fun, we also want to highlight the ongoing Chromium Vulnerability Reward Program, which covers not only the Chrome desktop browser, but also all Chrome OS components and Chrome on mobile devices. We've given away more than $900,000 in rewards over the years and we're itching to give more, as engaging the security community is one of the best ways to keep all internet users safe."

Related stories

Editorial standards