
Google Chrome Falls Twice to Hack Challenges

Source: PCWorld

Chrome is generally perceived as a secure browser and has usually performed well when confronted with hack attacks at CanSecWest.

As usual, Google prepped the browser with more than a dozen last-minute fixes just prior to the hacking contest, but that did not save Chrome from two successful cracks.

Security expert Sergey Glazunov compromised Chrome's sandbox with a zero-day exploit. He won Google's Pwnium prize for a full Chrome exploit under Windows 7 and collected a $60,000 reward. Security company Vupen was also successful in cracking Chrome shortly after Glazunov had announced his exploit. The quick fall of Chrome may have been bad PR for Google, but the company was quick to issue a patch that fixes the vulnerability in the stable version of Chrome, which now carries the version number 17.0.963.78.

Vupen's reward is unclear at this time. The company said that it is considering participation in the Pwn2own contest at CanSecWest with exploits for all major browsers.

Top Comments
  • 28
    alidan, March 9, 2012 3:23 PM
    why bad pr....

    bad pr would be an exploit from last year still doable this year.
  • 26
    iceman1992, March 9, 2012 3:11 PM
    very fast patching. great job google!
  • 16
    Anonymous, March 9, 2012 4:40 PM
    drwho1: In my experience with this browser, it is very vulnerable to VIRUSES. Most of them are TROJANS and most of that (at least in my experience) have been thru JAVA exploits. When I re-installed Windows 7 64bit I simply avoided (I have not installed) anything that would "require" JAVA to run thus eliminating a lot of unnecessary risks. Still, I got a virus after that and it was another Trojan (and I'm 100% certain) that it was thru this browser. The truth is that sadly there will always be some moron (very intelligent moron) that will be creating some new way to harm others. Staying away of known (even if look friendly) or especially if they look "too friendly" and "helpful" because most times than not, that's precisely how these threats are masked.

    You can't really blame Chrome for someone using Java exploits.
Other Comments
  • 4
    freggo, March 9, 2012 3:48 PM
    I agree with alidan.
    It's kinda like the NASA approach. If we fail, we fail very publicly; and then fix the problem.

    The bad part is not having a bug or vulnerability in a piece of software (with the size and complexity of today's programs that's virtually unavoidable) but taking forever to admit it is there (as advised by In-House counsel my guess) and then taking even longer to fix it.

    Take any version of Windows for example :-)


  • 15
    captaincharisma, March 9, 2012 4:18 PM
    This is not bad PR. By doing this they saved themselves from really bad PR down the road.
  • 14
    rex86, March 9, 2012 4:20 PM
    It's OK for a software to have some security weaknesses. It's NOT OK if those weaknesses are left unpatched.
  • 13
    mikeynavy1976, March 9, 2012 4:28 PM
    This is already bad PR. The title of the story says it all. Instead of focusing on Google's immediate patching abilities, the media immediately calls them out. "Google Chrome Falls Twice to Hack Challenges" doesn't sound "positive". A lot of people know Google's strategy for offering money to challenging hackers to compromise their product so as to improve it. Many more will, without reading the article, hope or think that it is Google challenging that their product is invincible only to get nailed twice.
  • 14
    gm0n3y, March 9, 2012 4:30 PM
    freggo: I agree with alidan. It's kinda like the NASA approach. If we fail, we fail very publicly; and then fix the problem. The bad part is not having a bug or vulnerability in a piece of software (with the size and complexity of today's programs that's virtually unavoidable) but taking forever to admit it is there (as advised by In-House counsel my guess) and then taking even longer to fix it. Take any version of Windows for example :-)

    I agree. Having bugs is a natural part of software development. Recognizing them and fixing them is what's important.
  • 0
    stingray71, March 9, 2012 4:44 PM
    You'd expect that sort of title from an Apple bias site. In reality, I applaud what Google is doing. Glad I made the switch to Chrome a few months ago.
  • 5
    Raidur, March 9, 2012 4:54 PM
    Add a high prize like this and you'll have quite a participation. Not very surprised it happened this fast.
  • -4
    blazorthon, March 9, 2012 5:14 PM
    Now if MS would fix stuff this fast, or at least within a month or twelve of problems surfacing.
  • 6
    COLGeek, March 9, 2012 5:25 PM
    This is a great way for Google to generate buzz and to actually release better tools to the public. Congrats to the cyber-sleuths!
  • 0
    cookoy, March 9, 2012 8:05 PM
    let's just hope that the next time these security firms or experts find some exploits in chrome, they would not keep it to themselves and just wait for the next google challenge before revealing their discovery to get rewarded
  • 2
    Vladislaus, March 9, 2012 10:01 PM
    jacekring: Google doesn't code Java you know.... and you can disable Java completely in the browser in the settings. Go to Options -> Under The Hood -> Privacy -> Content Settings -> Java and select do not allow any site to run Java Script. But frankly, you are getting those Trojans because you visit too many free porn sites.... (j/k)

    Java and JavaScript are two completely distinct languages. Also both are executed in different manners. JavaScript is executed by the browser, Java is executed in the browser usually by a plugin.
  • -2
    jhansonxi, March 9, 2012 11:42 PM
    IE9 security was breached on Win7 SP1 by the same group.
  • -6
    otacon72, March 10, 2012 3:15 AM
    Defend Chrome all you want...it still sucks..lol
  • 0
    RogueKitsune, March 10, 2012 5:33 AM
    I like how fast Google pushes bug fixes out to stable Chrome, but I still prefer my nightly builds of 64-bit Firefox (I even got Netflix to work in it somehow ^_^)
  • 1
    Anonymous, March 10, 2012 12:01 PM
    Just pick a browser. You're not going to find one that is perfect.
  • 1
    amstech, March 10, 2012 2:32 PM
    The best will always be silent.