Google has rushed to address the vulnerabilities presented by security experts at Pwn2Own

Mar 15, 2014 09:23 GMT

Google has updated the stable channel of Chrome to 33.0.1750.152 for Mac and Linux and 33.0.1750.154 for Windows to address the vulnerabilities presented by contestants at Pwn2Own 2014.

Just before the competition started, Google updated Chrome to address a total of 7 security holes. After the first day of Pwn2Own, it appeared that the fixes made by Google might have prevented researchers from pwning the web browser.

However, on day two, experts from Vupen and an anonymous researcher presented vulnerabilities that could be exploited for code execution.

The anonymous participant broke Chrome with two exploits: a memory corruption in V8 and a directory traversal. These security holes enabled him to execute code outside the sandbox. The expert has been rewarded with $60,000 (€43,000) for his findings.

Vupen, the team that managed to take a large portion of the total prize money of $850,000 (€613,000), hacked Chrome with a use-after-free in Blink bindings and a Windows clipboard vulnerability. For executing code in Chrome outside the sandbox, Vupen has been rewarded with $100,000 (€73,000).

“We’re delighted at the success of Pwn2Own and the ability to study full exploits. We anticipate landing additional changes and hardening measures for these vulnerabilities in the near future,” said Anthony Laforge, technical program manager at Google Chrome.

“We also believe that both submissions are works of art and deserve wider sharing and recognition. We plan to do technical reports on both Pwn2Own submissions in the future,” Laforge added.

All web browsers have been hacked at Pwn2Own, the competition that took place alongside CanSecWest in Vancouver. The only piece of software that hasn’t been broken is Oracle Java, but that’s most likely because none of the contestants bothered with it. The prize for hacking Java has been only $30,000 (€22,000).

Also, no one managed to walk away with the $150,000 (€111,000) offered in the “Exploit Unicorn” challenge to anyone who could demonstrate SYSTEM-level code execution on Windows 8.1 x64 on IE 11 x64 with EMET bypass.

As far as Microsoft and Firefox are concerned, they will probably not fix the vulnerabilities presented at Pwn2Own as quickly as Google has. Microsoft might roll out fixes in April, while Mozilla might only address the issues with the release of Firefox 28.

Users are advised to update their Chrome installations as soon as possible. You can download the latest versions for all platforms from Softpedia.
