After emerging with its head held high from the PWN2OWN contest last week, Google has released an update for its Chrome web browser to correct a flaw found by a hacking team.
The international team didn't hack Chrome itself, but reportedly exploited its rendering engine, WebKit, to hack a BlackBerry Torch 9800 on day two of the fifth annual contest, sponsored by software company TippingPoint, which specializes in hacker blocking.
On day one, no one attempted to hack Chrome -- despite increased prize money offered by Google -- but participants (officially called researchers instead of hackers) defeated the security features of Apple's Safari 5.0.3 and Microsoft's Internet Explorer 8. In both cases, they reportedly remotely activated the calculator application and wrote a file to disk after exposure to a specially made malicious web page.
On day two, Apple's iPhone and the BlackBerry Torch 9800 were exploited. On the official Google Chrome Releases Blog, program manager Jason Kersey identified the flaw as "High Memory corruption in style handling" and credited Vincenzo Iozzo, Ralf Philipp Weinmann, and Willem Pinckaers, noting that the flaw was reported through TippingPoint's Zero Day Initiative, which rewards anyone who responsibly reports a flaw to software developers.
Those flaws are kept secret until they can be patched.
In addition to the $15,000 contest prize, the team was awarded $1,337 from Google, which has now handed out more than $100,000 as part of its Chromium Rewards program. Chromium is the open-source version of the Chrome browser.
Like Fort Knox
Charles King, principal analyst at Pund-IT, said he was surprised no one at least took a crack at a Chrome hack.
"I'm surprised that there wasn't at least one brave soul who gave it a shot," said King. "After all, $20,000 doesn't grow on trees. But it also points out the critical importance that researching and understanding security weaknesses exploits plays in an event like this. If a browser has no known exploits, it's the technological equivalent of Fort Knox -- of obvious value but not worth the effort when there are so many other tasty targets around."
But King said the hands-off status in the contest doesn't mean real hackers won't eventually find a weakness.
"That doesn't mean that it won't be cracked by someone, someday, but for now it's a safer bet than the recently updated Safari, which was cracked in five seconds, or Explorer, where security is integrated with the underlying OS," King said.
Posted: 2011-03-14 @ 4:22pm PT
Chromium is the open-source version of the Google Chrome browser, not Chrome OS! http://chromium.org