Google patches Chrome bug from fizzled Pwn2Own hack

Credit to Author: Gregg Keizer| Date: Thu, 30 Mar 2017 12:03:00 -0700

Google yesterday updated Chrome to patch several vulnerabilities, including a bug in the browser’s JavaScript engine that a Chinese team tried to exploit at a recent hacking contest.

The update to version 57.0.2987.133 contained fixes for five vulnerabilities, one marked “Critical” — the most serious rating in Google’s system — and the others tagged “High.”

Of the four vulnerabilities ranked High, one was attributed to “Team Sniper,” one of five groups from Chinese company Tencent Security that participated in this year’s edition of Pwn2Own, one of the world’s best-known hacking contests. Pwn2Own ran March 15-17 alongside the CanSecWest conference in Vancouver, British Columbia.

Team Sniper took aim at Chrome on the first day of the challenge, hoping to grab the $80,000 prize for hacking Google’s browser. But the Chinese researchers fell short. “Unfortunately, they could not get their exploit chain working within the allotted timeframe, resulting in a failure,” said TippingPoint, a division of Trend Micro and Pwn2Own’s sponsor, at the end of Day 1.

Google noted that the bug used by Team Sniper was an “out-of-bounds memory access [vulnerability] in V8,” Chrome’s JavaScript engine. As is Google’s practice, it did not divulge any other information about the flaw. After several weeks, or even months — enough time for most users to update the browser — Google usually lifts the embargo on the bug report and its technical data.

No other individual researcher or team of hackers attempted to crack Chrome at Pwn2Own. Several successful attacks were conducted against other browsers during the contest, however, including five that compromised Microsoft’s Edge, four that broke Apple’s Safari and one which hijacked Mozilla’s Firefox.

Mozilla patched the Firefox flaw just a day after the vulnerability was exploited at Pwn2Own.

http://www.computerworld.com/category/security/index.rss