Google issues last-minute Chrome fixes before Pwn2Own

Day before hacking contest starts, fixes 25 flaws and pays out $16K in bounties

Google patched 25 vulnerabilities in Chrome today in one last update before the Pwn2Own hacking contest starts Wednesday in Canada.

The company has a lot on the line at Pwn2Own, which runs March 9-11 at the CanSecWest security conference in Vancouver, British Columbia.

The first researcher to hack Chrome on Wednesday will be paid $20,000 by Google . If no one breaks the browser that day, the rules change and Google will fork over $10,000 for a successful exploit on Thursday or Friday, with Pwn2Own sponsor HP TippingPoint ponying up another $10,000.

Other browsers that researchers will tackle at Pwn2Own include Apple's Safari 5, Microsoft's Internet Explorer 8 and Mozilla's Firefox 3.6.

Tuesday's 25-patch update fixed 15 vulnerabilities rated "high," the second-most-severe ranking in Google's scoring; three labeled "medium"; and seven pegged as only "low."

None of the vulnerabilities was ranked "critical," the category essentially reserved for bugs that may let an attacker escape Chrome's anti-exploit "sandbox." Google has patched two sandbox-escape bugs this year.

Today's Chrome update was the second in the last eight days: Google patched 19 browser bugs on Feb. 28.

Three of the vulnerabilities were identified as "stale pointer" bugs, a term that describes flaws in an application's -- in this case, Chrome's -- memory allocation code. Google has patched numerous stale pointer bugs in the last two months.

Other flaws fixed today were credited to a wide range of the browser's components, including its V8 JavaScript engine, the code that processes video, and WebKit, the open-source browser engine that both Chrome and Apple's Safari use as their foundations.

As is its practice, Google locked its bug tracking database to bar outsiders from viewing the technical details of the just-patched vulnerabilities. The company blocks public access to flaws for weeks or even months to give users time to update.

Google paid out a record $16,174 in bounties for finding and reporting 15 of the vulnerabilities patched today. Five different researchers received checks, with frequent-contributor Sergey Glazunov taking home $6,500 and Daniel Divricean earning $3,174.

So far this year, Google has spent nearly $50,000 on bug bounties.

Along with the security update, Google also upped Chrome's stable channel -- the browser comes in three editions, stable, beta and dev -- to version 10. The upgrade to Chrome 10 came less than five weeks after Google boosted the stable channel to version 9 .

Chrome 10 includes a new JavaScript optimization technology, dubbed "Crankshaft," that boosts the browser's JavaScript rendering engine's speed in some benchmarks. Google debuted Crankshaft in the dev channel last December, and in the beta line last month.

According to Computerworld's tests, Crankshaft increases Chrome's score on Google's own V8 JavaScript benchmarks by 64%, but doesn't improve the browser's score on the more widely used SunSpider test suite.

Other additions to Chrome 10 include site password synchronization, and the first appearance in a stable build of an anti-exploit "sandbox" to isolate the integrated copy of Adobe's Flash Player.

Google has been releasing rougher versions of Chrome with a Flash sandbox since early December 2010.

Chrome 10 can be downloaded for Windows, Mac OS X and Linux from Google's Web site. Users already running the browser will be updated automatically.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@computerworld.com .

Read more about security in Computerworld's Security Topic Center.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags securityMicrosoftbrowsersGoogleApplesoftwareapplicationsmozillaMalware and Vulnerabilities

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld (US)
Show Comments

Cool Tech

Breitling Superocean Heritage Chronographe 44

Learn more >

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?