November 27, 2014

Google Updates Chrome and then Updates it Again

(LiveHacking.Com) – Google has released two updates to its Chrome browser in quick succession after multiple vulnerabilities were found and exploited during Pwnium. In recent years Google has sponsored rewards for Chrome exploits demonstrated during the CanSecWest security conference, and this year was no different. The idea is to reward those who develop a fully functional exploit, as doing so is significantly more work than just finding and reporting a potential security bug. Google made available a pot of $1,000,000, with the top prize being $60,000 for a full Chrome exploit demonstrated on a fully patched Windows 7 machine.

The first release by Google was 17.0.963.78 to fix a vulnerability discovered by Sergey Glazunov. The critical vulnerability, which used errors in the UXSS and the handling of history data, earned Sergey the top amount of $60,000.

Two days later Google issued 17.0.963.79 to fix a vulnerability found by PinkiePie (aka PwniePie) for an errant plug-in load and GPU process memory corruption. Jason Kersey from the Google Chrome team is quoted as calling the exploit “a beautiful piece of work.”

The full list of changes, as listed by Google, is:

  • [Ch-ch-ch-ch-ching!!! $60,000] [117226] [117230] Critical CVE-2011-3046: UXSS and bad history navigation. Credit to Sergey Glazunov.
  • [Like a b-b-b-b-boss!!! $60,000] [117620] [117656] Critical CVE-2011-3047: Errant plug-in load and GPU process memory corruption. Credit to PinkiePie.

We’re delighted at the success of Pwnium and the ability to study full exploits. We anticipate landing additional changes and hardening measures for both CVE-2011-3046 and CVE-2011-3047 in the near future. We also believe that both submissions are works of art and deserve wider sharing and recognition. We plan to do technical reports on both Pwnium submissions in the future.
