14 DAY TRIAL // Pwn2Own proved to be quite a boon for Google if only because it found itself forced to run its own similar competition, focusing on Chrome alone, to ensure that any exploits that are discovered are actually revealed to the Chrome team.
Pwnium, Google's competition, only had two entries, just like Pwn2Own in fact, but both of them were awarded the highest prize since they managed to break through or avoid Chrome's sandbox by using Chrome bugs alone.
Google was quick to reveal the exploits and patch them, both were fixed within 24 hours even though only the exploits' creators and Google actually knew about them, to Google's knowledge.
The company isn't detailing the bugs that led to the exploits or exactly how the exploits work. It said it would do so once most Chrome installs in the wild are patched.
But the Chrome team did reveal that the competition was a massive success, in that the exploits were so original, the developers were able to learn from them and create new ways of making the sandbox even harder to break via any other bug.
"Since the full exploits were disclosed, we were able to study them and add a range of additional defensive measures based on what we saw. These measures will make Chrome more secure from any similar hacks in the future. We’ll publish write-ups to honor these two highly creative works in the coming weeks," Google explained.
Google also revealed that it received information from the Pwn2Own organizers and that the bug used there to break Chrome was actually in Flash and not in the browser. Adobe is already working on a fix, but in the meantime, all browsers are vulnerable.
Google had one more tidbit of information to provide, though it's not exactly new info, the Pepper API version of Flash is coming along nicely. Once it's ready, Chrome will be able to offer a version of the Flash plugin contained in the proper Chrome sandbox. Chromebooks already use the Pepper version of Flash.