
Google patches Chrome ahead of Pwnium and Pwn2Own contests


Google has patched ten vulnerabilities in its Chrome browser ahead of the annual 'Pwn2Own' hacking contest today.

The updates address a number of issues, with six flaws rated as 'high', and come ahead of the contest, which begins tonight and runs over the next few days alongside the CanSecWest conference in Vancouver.

According to a blog post by Chris Evans of the Google Chrome Security Team, Google has teamed up with Pwn2Own organisers from HP's Zero Day Initiative (ZDI) to work on the rules and is "underwriting a portion of the winnings for all targets".

He said: “The new rules are designed to enable a contest that significantly improves internet security for everyone. At the same time, the best researchers in the industry get to showcase their skills and take home some generous rewards.”

HP's ZDI said that more than $500,000 can be won at this year's contest, with the first contestant to successfully compromise a selected target winning the following prizes in the web browser category: Google Chrome on Windows 7 ($100,000 - £66,000); IE10 on Windows 8 ($100,000 - £66,000); IE9 on Windows 7 ($75,000 - £50,000); Mozilla Firefox on Windows 7 ($60,000 - £40,000); and Apple Safari on OS X Mountain Lion ($65,000 - £43,000).

In the web browser plug-in category, using Internet Explorer 9 on Windows 7, the prizes will be $70,000 (£46,000) for Adobe Reader XI, $70,000 (£46,000) for Adobe Flash and $20,000 (£13,000) for Oracle Java.

The organisers said that they added a separate category because browser plug-in vulnerabilities have become increasingly popular in exploit kits and malware, affect a large percentage of the internet community and are quickly weaponised by attackers.

“We would also like to thank our friends at Google for stepping up to provide partial sponsorship for all targets in this year's competition,” it said.

The targets will be running on fully patched versions of Windows 7, Windows 8 and OS X Mountain Lion, and all targets will be installed in their default configurations. As always, the vulnerabilities utilised in the attack must be unknown and not previously reported to the vendor, and if a sandbox is present, a full sandbox escape is required to win.

Vulnerabilities and exploit techniques revealed by contest winners will be disclosed to the affected vendors and the proof of concept will become the property of HP in accordance with the HP ZDI program.

Google also hosts the Pwnium 3 contest alongside Pwn2Own, featuring Chrome OS. It said that it will issue rewards for Chrome OS at the following levels, up to a total of $3.14159 million (£208,210,063): $110,000 (£72,000) for a browser or system level compromise in guest mode or as a logged-in user, delivered via a web page; and $150,000 (£99,000) for a compromise with device persistence (guest to guest with interim reboot), delivered via a web page.

This will take place tomorrow and the attack must be demonstrated against a base (WiFi) model of the Samsung Series 5 550 Chromebook, running the latest stable version of Chrome OS. “We believe these larger rewards reflect the additional challenge involved with tackling the security defences of Chrome OS, compared to traditional operating systems,” said Evans.

According to the Register, unlike previous editions of the event, a prize for hacking into smartphones will not be a feature of this year's competition.

At last year's contest, Chrome was the first to fall, compromised by a group of researchers from French security firm Vupen, having earlier been compromised as part of Google's own Pwnium contest.
