14 DAY TRIAL // Google has released updates for the Chrome stable and beta versions in order to patch the WebKit vulnerability used at Pwn2Own to hack into the BlackBerry.
Last week, a trio of security researchers made up of Vincenzo Iozzo, Ralf Philipp Weinmann and Willem Pinckaers, won one of the $15,000 Pwn2Own prizes after hacking into a Blackberry Torch 9800 running Blackberry 6 OS.
In order to carry out the successful attack that stole contacts and images from the device the team had to chain together exploits for two vulnerabilities.
One of them was an integer overflow in the WebKit layout engine used by the BlackBerry browser, but also Apple's Safari and Google Chrome.
CNET quotes Aaron Portnoy, the head of the Zero Day Initiative (ZDI) program that sponsors Pwn2Own, as claiming the same trio signed up to attack Chrome, but withdrew to focus on BlackBerry.
If this is true, it's possible that they might have planned to use the same WebKit vulnerability to hack into Chrome. However, the browser's sandbox makes much more difficult to execute arbitrary code on the system once a vulnerability is exploited.
In fact, no one has stepped forward so far to showcase an exploit that is able to break out of the Chrome sandbox and do something meaningful on the OS.
On Friday, Google updated Chrome stable and Beta to version 10.0.648.133 which fixes the CVE-2011-1290 WebKit vulnerability.
The flaw is described in the release notes as a high-risk "memory corruption in style handling" and the credits read "Vincenzo Iozzo, Ralf Philipp Weinmann and Willem Pinckaers through ZDI."
Furthermore, the vulnerability was rewarded with a $1,337 (leet) prize through the Chromium Security Rewards program.
The latest version Google Chrome for Windows can be downloaded from here.
The latest version Google Chrome for Linux can be downloaded from here.
The latest version Google Chrome for Mac can be downloaded from here.