Google blats bugs in Chrome - days before $560k hacking contest

Google patched 10 security vulnerabilities in its web browser Chrome on Monday - two days before the start of Pwn2Own, the annual hacking contest in which experts race to compromise software to win prizes. The latest update fixes flaws in Chrome's Windows and Linux builds. Six of the 10 holes addressed are rated as "high" risk, …

COMMENTS

This topic is closed for new posts.
Devil

Meanwhile...

They have managed to update their iOS version to prevent hackers using it as an attack vector by simply stopping it working altogether! Clever Google!

1
4
Anonymous Coward

Re: Meanwhile...

You know that Chrome on iOS isn't actually Chrome, right?

Google have to use the OS version of WebKit, and it's not allowed to use Apple's Nitro JS, nor can it use Google's own V8 JS engine.

It's a VERY basic browser on top of an intentionally gimped Safari to ensure that Apple always has the best iOS browser.

9
1
FAIL

Re: Meanwhile...

They still managed to break it!

1
0
Trollface

Re: Meanwhile...

That's what you get for taking the Apple!

0
0
Anonymous Coward

Re: Meanwhile...

How come you get more money for owning Chrome when it has had many times more vulnerabilities than IE?

0
3
Bronze badge

Re: Meanwhile...

>How come you get more money for owning Chrome when it has had many times more vulnerabilities than IE?

Because, evidently, you receive money for actually exploiting, not counting them. What a nuisance! Otherwise, RICHTO would be more rich(to) than Roman Abramovich by now.

0
0
Anonymous Coward

Re: Meanwhile...

Well, many times more vulnerabilities to exploit obviously means a lot more ways of exploiting....

You can't even use the old Open Source gem here, and claim it's somehow mysteriously more secure because everyone can see the source code....

0
0
Bronze badge

Re: Meanwhile...

Providing you talk about comparable software, not a full GNU/Linux distro with 10s of thousands of packages vs. a bare MS Windows with just a few of them. It also makes sense if one doesn't mix the severities.

Not every vulnerability is exploitable so you can get money for it at the Pwn2Own. Some are marked as "potentially" exploitable, some are DoS, some require more additional factors, like physical presence, user's account etc.

>You can't even use the old Open Source gem here, and claim it's somehow mysteriously more secure because everyone can see the source code....

Okay, your irony is inappropriate, unless you or someone else gets money from Google. BTW, how do MS sponsor this curiosity?

0
0

There's some unhappy folks out there now.

I'll be honest, I didn't bother to check whether the fixed exploits were already publicly known, but if they weren't then I feel sorry for anyone who independently found those exploits and was planning to use them at the contest. They've just wasted a whole lot of time.

1
1

Re: There's some unhappy folks out there now.

It works both ways however. The fact that the entrants spotted these vulnerabilities and planned to exploit them for monetary gain doesn't exactly cast them in the best light either.

They could have disclosed those bugs privately to the companies concerned before the competition and made nothing (or less, in Mozilla's/Google's case), but instead they chose to withhold said exploit for the chance to win.

2
2

Re: There's some unhappy folks out there now.

If legal monetary gain wasn't on offer, people wouldn't be trying to find bugs and claim prizes - prizes offered by the software publishers. All that you could do is legitimately disclose a bug to the publisher for a more modest reward or none at all and an obligation to keep the secret until fixed, or else criminally sell the bug to Russian and Chinese hackers. Or, for maximum money, do both.

I mean, -I- don't go looking for dangerous bugs in the web browser or virtual machine that I'm using. I might, if the rewards were better.

1
0
Silver badge

Re: There's some unhappy folks out there now.

Oh, so you think hackers only come from Russia and China?

1
0

Re: There's some unhappy folks out there now.

Well, if I was trying to sell details of a web client vulnerability to hackers, Russian and Chinese customers are who I'd think of contacting initially (wealthy Nigerian princes - less so), but if I was in that business, I'd probably have a better idea of who's paying big money. And supposedly the Chinese government in particular is investing generously in the field, but, as it happens, I don't have anything to offer to them. Which is probably just as well for me.

0
0

Java Explained

I now understand why Oracle has been coming out with so many Java updates in the last month.

0
0
Silver badge

Re: Java Explained

The little Dutch boy is trying to plug the security holes but the dike is a bursting.

0
0
Silver badge

Re: Java Explained

Oracle are intending to find the security holes in Java themselves and claim the money - it's part of their business plan

0
0

Dunno about bugs but ...

... having been forced not to make money over illegal pharma adverts, they've switched to coining it over adverts for ivory sales.

http://www.bbc.co.uk/news/science-environment-21673422

1
0
Silver badge
FAIL

wow

>Tellingly, Java exploits also earn less than a third of the $70,000 prize for exploiting either Adobe Reader or Flash plugins

Wow, to any Oracle employees reading this: your company now rates below even Adobe in security. Welcome to the bottom. Guess Larry is too busy sailing his mega yachts and jacking up licensing fees to worry about inconvenient things like security.

1
0
Silver badge

Re: wow

Unbreakable hahahahahahahah epic marketing fail.

2
0
Anonymous Coward

Re: wow

Yep - Oracle DB = hundreds of vulnerabilities. SQL Server over the last decade = less than 10!

0
0
Bronze badge

Re: wow

Yes, Microsoft is yet again about quality, not quantity. Memento Slammer?

0
0
Silver badge

Re: wow

Wow, never thought I would be defending Microsoft (check my post history lol) but even I have to admit, due to things like Slammer, Microsoft have come a long way regarding security best practices etc. Oracle on the other hand hasn't gotten the memo most of the rest of the industry has. Oracle, unlike most other companies, does seem to be able to get away with ignoring their customers except to increase fees yearly.

0
0
Anonymous Coward

Re: wow

Remember the Morris worm?

0
0
Silver badge

The edge to Java

One nice thing about including at least some cash for Java is it will draw more security guys as everyone and their brother seems to have a zero day for Java these days. The only bad thing is they will only pay it once. If they had to pay 20k for every unpatched exploit in Java right now that half a million in prize money would disappear fast.

0
0
Anonymous Coward

mobiles not in

at the behest of the sponsors??

0
0
Silver badge
Trollface

Re: mobiles not in

If Microsoft was smart they would also host a contest like this solely for their mobiles. Considering how few security professionals have even seen a Windows Phone in the wild they would probably emerge unscathed.

0
0
Anonymous Coward

Re: mobiles not in

It is already widely known that MS Mobile platforms are extremely secure. Windows Phone is currently undergoing FIPS certification....

0
0