Google has wasted no time fixing the security vulnerabilities exploited during last week’s CanSecWest Pwnium hacker contest.
The company shipped Chrome version 17.0.963.79 on (Windows, Mac, Linux and Chrome Frame) as a “critical” update and confirmed the $60,000 cash award to the researcher who asked to be identified only as PinkiePie.
Google is withholding technical details of the vulnerabilities and exploit technique, which has been described as “a beautiful piece of work.”
- [Like a b-b-b-b-boss!!! $60,000] [117620] [117656] Critical CVE-2011-3047: Errant plug-in load and GPU process memory corruption. Credit to PinkiePie.
[ SEE: Ten little things to secure your online presence ]
During the contest, PwniePie told me he exploited three different Chrome vulnerabilities but Google’s advisory on the fix only lists two bugs and a solitary CVE identification.
PinkiePie’s submissions followed a similar drive-by download/code execution issue that won Russian researcher Sergey Glazunov the maximum $60,000 award. Both hacks included a full bypass of the Chrome sandbox.
Google’s Jason Kersey said the two Pwnium vulnerability submissions are “works of art that deserve wider sharing and recognition.”
“We plan to do technical reports on both Pwnium submissions in the future,” Kersey said.
A third Chrome hack, believed to be linked to the Flash Player plugin, remains unpatched.
Previous Pwn2Own/Pwnium coverage: