Last night, Google held its Pwnium 2 competition at Hack in the Box 2012, offering up a total of $2 million for security holes found in Chrome. Only one was discovered; a young hacker who goes by the alias “Pinkie Pie” netted the highest reward level: a $60,000 cash prize and a free Chromebook.
Google today patched the flaw and announced a new version of Chrome for Windows, Mac, and Linux. You can grab the latest release using the browser’s built-in silent updater, or you can download it directly from google.com/chrome.
In its disclosure, the search giant confirmed the security flaw and reaffirmed the need for its Pwnium competition:
Congratulations to Pinkie Pie, returning to the fray with another beautiful piece of work! We’re delighted at the success of Pwnium 2, and anticipate additional hardening and future improvements to Chrome as a result of the competition.
The official Chrome version 22.0.1229.94 changelog is very short, as it only lists a patch for the single security hole found at Pwnium 2:
- [$60,000] Critical CVE-2011-2358: SVG use-after-free and IPC arbitrary file write. Credit to Pinkie Pie.
The Chromium blog has more technical details:
This pwn relies on a WebKit Scalable Vector Graphics (SVG) compromise to exploit the renderer process and a second bug in the IPC layer to escape the Chrome sandbox. Since this exploit depends entirely on bugs within Chrome to achieve code execution, it qualifies for our highest award level as a “full Chrome exploit,” a $60,000 prize and free Chromebook.
Today’s release means Google patched the flaw in less than a day (fewer than 10 hours, if we want to be more specific). The search giant did the same thing at the first Pwnium contest earlier this year. Back in March, Pinkie Pie and Sergey Glazunov each earned $60,000 for exploits that bypassed Chrome’s security sandbox, and Google fixed them both very quickly.
Google launched the Pwnium competition as an alternative to the Pwn2own contest, from which it withdrew its sponsorship this year. Mountain View was upset because the 2012 rules did not require full disclosure of exploits from winners (specifically exploits to break out of a sandboxed environment).
Pwn2Own defended its decision, saying that it believed no hackers would attempt to exploit Chrome if their methods had to be disclosed, but Google disagreed and offered up $60,000 for Chrome-specific exploits. Google also promised that non-Chrome vulnerabilities used would be immediately reported to the appropriate vendor. So far, however, hackers attending both Pwniums only bother showing off Chrome-specific flaws.
Image credit: Nate Brelsford