Google patches Chrome days before hacking contest

Only browser predicted to survive Pwn2Own gets 11 fixes

Google has patched 11 vulnerabilities in the Windows version of Chrome, including one that earned its finder the first $1,337 check from the company's new bug bounty program.

Like Apple , which updated Safari last week , Google beefed up the security of its browser just days before the Pwn2Own browser hacking contest was to kick off in Canada.

The update to Chrome 4.1.249.1036 fixes six flaws rated "high," the second-most-severe ranking in Google's four-step threat system; plugs three "medium" holes; and quashes two "low" bugs.

Danish vulnerability tracker Secunia rated the update as "highly critical."

Although Google typically hides technical details of the most serious vulnerabilities when it issues an update -- it blocks bug tracker entries to prevent attackers from using the information -- all of the 11 bugs are behind the wall this time.

"The referenced bugs may be kept private until a majority of our users are up to date with the fix," explained Orit Mazor, a technical program manager with the Chrome team, in a blog entry Wednesday.

A bug in WebKit, the open-source browser engine that powers Chrome as well as Safari, earned researcher Sergey Glazunov a check for $1,337, the maximum Google pays for vulnerabilities as part of a bounty program that debuted last January. Most flaws earn their finders just $500, but "particularly severe or particularly clever" bugs reap rewards of $1,337 each. The amount is a reference to "leet," a kind of geek-speak used by some researchers; there, "leet" is rendered as "1337."

Other vulnerabilities were credited to Mark Dowd, a noted browser and OS vulnerability researcher who is working under contract for Google; Robert "RSnake" Hansen, CEO of SecTheory; and Aki Helin of OUSPG (Oulu University Secure Programming Group), Oulu University in Finland.

Altogether, Google paid out $3,337 in bounties for the bugs it patched Wednesday.

Only the Windows "stable" channel -- a term Google uses in place of "final" -- was patched; the Mac and Linux versions of Chrome have not yet left the "beta" channel.

Google added several non-security features to Wednesday's update, including integrated language translation and new private browsing settings, that had made their way into the beta earlier this month.

Chrome is the second browser to be patched in seven days. On March 11, Apple fixed 16 flaws in Safari. Both browsers' updates were timely: Starting next Wednesday, Chrome, Safari, Microsoft 's Internet Explorer 8 (IE8) and Mozilla's Firefox will go head-to-head with an unknown number of hackers who will try to exploit unpatched vulnerabilities and win $40,000 in cash at Pwn2Own, the annual contest sponsored by 3Com's TippingPoint. On Thursday, Aaron Portnoy, a security research team lead at TippingPoint and the organizer of this year's Pwn2Own, predicted that Safari would fall to attack on the second of the contest's three days, while Chrome would be the sole survivor .

The last time Google patched the stable build of Chrome for Windows was in late January.

Chrome is now the third-most-used browser on the planet, having grabbed the No. 3 spot from Safari in December 2009, and as of last month, accounted for approximately 6% of all browsers in use, according to Web measurement vendor NetApplications.com.

Google Chrome can be downloaded for Windows XP, Vista and Windows 7 from the company's site. Users running the stable build will receive the update automatically.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags securityGoogle Chromeweb browserspwn2own

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld (US)
Show Comments

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?