Google patches Chrome ahead of Pwnium and Pwn2Own contests
Google has patched ten vulnerabilities in its Chrome browser ahead of the annual ‘Pwn2Own’ hacking contest today.
The updates address a number of issues, with six flaws rated as ‘high’, and come ahead of the contest, which begins tonight and runs over the next few days alongside the CanSecWest conference in Vancouver.
According to a blog post by Chris Evans of the Google Chrome Security Team, Google has teamed up with Pwn2Own organisers from HP's Zero Day Initiative (ZDI) to work on the rules and is "underwriting a portion of the winnings for all targets".
He said: “The new rules are designed to enable a contest that significantly improves internet security for everyone. At the same time, the best researchers in the industry get to showcase their skills and take home some generous rewards.”
HP's ZDI said that more than $500,000 can be won at this year's contest, with the first contestant to successfully compromise a selected target winning the following prizes in the web browser category: Google Chrome on Windows 7 ($100,000 - £66,000); IE10 on Windows 8 ($100,000 - £66,000); IE9 on Windows 7 ($75,000 - £50,000); Mozilla Firefox on Windows 7 ($60,000 - £40,000); and Apple Safari on OS X Mountain Lion ($65,000 - £43,000).
In the web browser plug-in category, using Internet Explorer 9 on Windows 7, the prizes will be $70,000 (£46,000) for Adobe Reader XI, $70,000 (£46,000) for Adobe Flash and $20,000 (£13,000) for Oracle Java.
The organisers said they added a separate category because browser plug-in vulnerabilities have become increasingly popular in exploit kits and malware, affect a large percentage of the internet community and are quickly weaponised by attackers.
“We would also like to thank our friends at Google for stepping up to provide partial sponsorship for all targets in this year's competition,” it said.
The targets will be running on fully patched versions of Windows 7, Windows 8 and OS X Mountain Lion, and all targets will be installed in their default configurations. As always, the vulnerabilities utilised in the attack must be unknown and not previously reported to the vendor, and if a sandbox is present, a full sandbox escape is required to win.
Vulnerabilities and exploit techniques revealed by contest winners will be disclosed to the affected vendors and the proof of concept will become the property of HP in accordance with the HP ZDI program.
Google also hosts the Pwnium 3 contest alongside Pwn2Own, featuring Chrome OS. It said that it will issue rewards for Chrome OS at the following levels, up to a total of $3.14159 million (£208,210,063): $110,000 (£72,000) for a browser or system level compromise in guest mode or as a logged-in user, delivered via a web page; and $150,000 (£99,000) for a compromise with device persistence - guest to guest with interim reboot, delivered via a web page.
This will take place tomorrow and the attack must be demonstrated against a base (WiFi) model of the Samsung Series 5 550 Chromebook, running the latest stable version of Chrome OS. “We believe these larger rewards reflect the additional challenge involved with tackling the security defences of Chrome OS, compared to traditional operating systems,” said Evans.
According to The Register, unlike previous editions of the event, a prize for hacking into smartphones will not be a feature of this year's competition.
At last year's contest, Chrome was the first to fall when it was compromised by a group of researchers from French security firm Vupen, having earlier been compromised as part of Google's own Pwnium contest.