X

Quick fix: Pwnium exploit of Chrome patched within 24 hours

Google says that the exploit Chromium contributor Sergey Glazunov discovered has already been fixed. It has also patched another exploit announced at Pwn2Own 2012.

Don Reisinger
CNET contributor Don Reisinger is a technology columnist who has covered everything from HDTVs to computers to Flowbee Haircut Systems. Besides his work with CNET, Don's work has been featured in a variety of other publications including PC World and a host of Ziff-Davis publications.
Don Reisinger
2 min read

Less than 24 hours after Sergey Glazunov became the first person to win $60,000 for finding a full exploit in Google Chrome, the search giant has released a patch to address it.

Google announced that it had released the patch on its Chrome Releases blog yesterday. According to the post, Google plans to keep the nature of the exploit private "until a majority of our users are up to date with the fix." For now, the vulnerability is known as "Critical CVE-2011-304G: UXSS and bad history navigation."

Glazunov's "Full Chrome Exploit" was announced earlier this week by Google's Sundar Pichai on his Google+ page. According to Justin Schuh of the Chrome Security team, the exploit completely bypassed the browser's sandboxing security, and allowed anyone to execute "code with full permission of the logged-on user."

Google launched its Pwnium contest in late February with promises of awarding up to $1 million to those who can find security holes in Chrome. The highest $60,000 prize is given only to those who can obtain "Chrome/Windows 7 local OS user account persistence using only bugs in Chrome itself." A $40,000 prize will be awarded to individuals who can target Chrome with one of its own bugs, plus others found in the operating system. Google's $20,000 award is given to those who can find issues without using bugs in Chrome.

"We require each set of exploit bugs to be reliable, fully functional end to end, disjoint, of critical impact, present in the latest versions and genuinely '0-day,' i.e. not known to us or previously shared with third parties," Google wrote in its blog announcing the contest. "Contestant's exploits must be submitted to and judged by Google before being submitted anywhere else."

Interestingly, not everyone was so quick to take advantage of that offer. Earlier this week, a company called VUPEN, which finds security holes and exploits and sells them to government customers, announced that it had used two zero-day vulnerabilities in Chrome to take control of a fully patched Windows 7 Service Pack 1 computer. Rather than submit the exploit to Pwnium, however, VUPEN announced it at the Pwn2Own 2012 event in Vancouver.

Google's vice president of Chrome, Linus Upson, took to his Google+ page yesterday to express displeasure with VUPEN's move, saying that it was a "shame" the company "makes their money by finding exploits, keeping them secret, and selling them to governments for offensive purposes."

In an e-mailed statement to CNET yesterday, a Google spokeswoman confirmed that the company has "gotten out a fix to protect our users before we even have any details about the other exploit at Pwn2Own.

VUPEN did not immediately respond to CNET's request for comment on Upson's comment.