
Google patches Chrome ahead of Pwnium and Pwn2Own contests


Google has patched ten vulnerabilities in its Chrome browser ahead of the annual Pwn2Own hacking contest today.

The updates address a number of issues, with six flaws rated as 'high', and come ahead of the contest, which begins tonight and runs over the next few days alongside the CanSecWest conference in Vancouver.

According to a blog post by Chris Evans of the Google Chrome Security Team, Google has teamed up with Pwn2Own organisers from HP's Zero Day Initiative (ZDI) to work on the rules and is "underwriting a portion of the winnings for all targets".

He said: “The new rules are designed to enable a contest that significantly improves internet security for everyone. At the same time, the best researchers in the industry get to showcase their skills and take home some generous rewards.”

HP's ZDI said that more than $500,000 can be won at this year's contest, with the first contestant to successfully compromise a selected target winning the following prizes in the web browser category: Google Chrome on Windows 7 ($100,000 - £66,000); IE10 on Windows 8 ($100,000 - £66,000); IE9 on Windows 7 ($75,000 - £50,000); Mozilla Firefox on Windows 7 ($60,000 - £40,000); and Apple Safari on OS X Mountain Lion ($65,000 - £43,000).

In the web browser plug-in category, using Internet Explorer 9 on Windows 7, the prizes will be $70,000 (£46,000) for Adobe Reader XI, $70,000 (£46,000) for Adobe Flash and $20,000 (£13,000) for Oracle Java.

The organisers said they added a separate category because browser plug-in vulnerabilities have become increasingly popular in exploit kits and malware, affect a large percentage of the internet community and are quickly weaponised by attackers.

“We would also like to thank our friends at Google for stepping up to provide partial sponsorship for all targets in this year's competition,” it said.

The targets will be running on fully patched versions of Windows 7, Windows 8 and OS X Mountain Lion, and all targets will be installed in their default configurations. As always, the vulnerabilities utilised in the attack must be unknown and not previously reported to the vendor, and if a sandbox is present, a full sandbox escape is required to win.

Vulnerabilities and exploit techniques revealed by contest winners will be disclosed to the affected vendors and the proof of concept will become the property of HP in accordance with the HP ZDI program.

Google also hosts the Pwnium 3 contest alongside Pwn2Own, featuring Chrome OS. It said that it will issue rewards for Chrome OS at the following levels, up to a total of $3.14159 million (£208,210,063): $110,000 (£72,000) for a browser or system level compromise in guest mode or as a logged-in user, delivered via a web page; and $150,000 (£99,000) for a compromise with device persistence (guest to guest with interim reboot), delivered via a web page.

This will take place tomorrow and the attack must be demonstrated against a base (WiFi) model of the Samsung Series 5 550 Chromebook, running the latest stable version of Chrome OS. “We believe these larger rewards reflect the additional challenge involved with tackling the security defences of Chrome OS, compared to traditional operating systems,” said Evans.

According to the Register, unlike previous editions of the event, a prize for hacking into smartphones will not be a feature of this year's competition.

At last year's contest, Chrome was the first to fall when it was compromised by a group of researchers from French security firm Vupen, having earlier been compromised as part of Google's own Pwnium contest.
