Slashdot Mirror


In Under 10 Hours, Google Patches Chrome To Plug Hole Found At Its Pwnium Event

An anonymous reader writes "Last night, Google held its Pwnium 2 competition at Hack in the Box 2012, offering up a total of $2 million for security holes found in Chrome. Only one was discovered; a young hacker who goes by the alias 'Pinkie Pie' netted the highest reward level: a $60,000 cash prize and a free Chromebook (the second time he pulled it off). Google today patched the flaw and announced a new version of Chrome for Windows, Mac, and Linux."

113 comments

  1. What about Java? by roidzrus · · Score: 5, Insightful

    Oracle could take a lesson from this.

    1. Re:What about Java? by characterZer0 · · Score: 2

      Why? Oracle does not care about Java on the client, only about Java on the server. Why should they care about flaws in applets, it is unrelated to their business.

      --
      Go green: turn off your refrigerator.
    2. Re:What about Java? by WD · · Score: 4, Insightful

      As soon as Oracle stops enabling a web browser plug-in with the Java installer, then your point may be valid. But as things currently are, they better damn care about vulnerabilities that affect applets! (which is the whole point of the OP)

    3. Re:What about Java? by davester666 · · Score: 2

      Why? Describe what penalty and/or downside Oracle would face if say, hundreds of thousands of computers become part of botnets due to a flaw in the Java plugin.

      --
      Sleep your way to a whiter smile...date a dentist!
    4. Re:What about Java? by cbhacking · · Score: 2

      Potential class-action lawsuit and/or government fines in countries where warranty and suitability for a purpose can't be completely disregarded? Hell, possibly even a class-action in the US, where you don't even really need the law on your side if you can simply show that an action that a company took, or failed to take, had a known risk of harm to you and did in fact result in harm?

      Or there's the risk of big and highly-visible companies (think Google) publicly announcing that they're getting rid of Java because they see it as a security threat, similar to what happened when some Google computers were exploited due to an IE6 vuln. I realize that in Google's particular case, getting rid of Java entirely is highly unlikely, but if they simply make the effort to publicly tar-and-feather it as insecure - which they could do easily, for example by displaying a warning on the search results page if they detect the Java plugin on your browser - that would hurt Oracle's reputation badly even if it were specific to the applet plugin.

      Speaking of loss of reputation, companies may decide that if Oracle can't keep the applet sandbox secure, then maybe they can't be trusted to keep their enterprise products secure either... and hey look, there's at least a few competing systems out there for pretty much every product or service Oracle offers. If Oracle came to be known as a company that can't ensure reasonable security, that will make them a lot less attractive to the prospective customers of their more expensive products too.

      --
      There's no place I could be, since I've found Serenity...
    5. Re:What about Java? by hairyfeet · · Score: 2

      Frankly Java doesn't bother me as if you aren't working with the enterprise or with a few apps like GoToMyPC it's easy enough to avoid, it's the Adobe products that bite home users square in the ass. When you look at the combined number of bugs out there for Flash and Reader Adobe has been pretty piss poor when it comes to security yet sadly there are no replacements in sight.

      HTML V5 is frankly half ass and piss poor, it sucks CPU cycles like a drunk sucking down free drinks and without GPU acceleration is completely unusable on anything low power, not to mention it doesn't even cover half the use cases of Flash, and all of the PDF readers other than Adobe end up choking on PDFs made by Adobe Acrobat thanks to all the funky features the free versions never seem to get around to implementing.

      So while I'll happily give credit to the Google team and hope their patch makes it up the Chromium branch to all the variants quickly there is plenty of other bad software out there besides Java and unlike Java a lot harder to just avoid.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    6. Re:What about Java? by knigitz · · Score: 0

      Wait, are you suggesting that all those java applications that businesses are using that require java to be installed on client PCs do not affect the bottom line? Do you also believe in the Easter bunny?

    7. Re:What about Java? by roidzrus · · Score: 1

      Frankly Java doesn't bother me as if you aren't working with the enterprise or with a few apps like GoToMyPC it's easy enough to avoid, it's the Adobe products that bite home users square in the ass. When you look at the combined number of bugs out there for Flash and Reader Adobe has been pretty piss poor when it comes to security yet sadly there are no replacements in sight.

      HTML V5 is frankly half ass and piss poor, it sucks CPU cycles like a drunk sucking down free drinks and without GPU acceleration is completely unusable on anything low power, not to mention it doesn't even cover half the use cases of Flash, and all of the PDF readers other than Adobe end up choking on PDFs made by Adobe Acrobat thanks to all the funky features the free versions never seem to get around to implementing.

      So while I'll happily give credit to the Google team and hope their patch makes it up the Chromium branch to all the variants quickly there is plenty of other bad software out there besides Java and unlike Java a lot harder to just avoid.

      While for the current exploit, simply disabling Java from your web browser should suffice; try uninstalling it. You'll find that even the latest version of Photoshop, which doesn't even seem to have any dependency on Java, still somehow requires it to install. Matlab, Maple, and plenty of other software has Java as a dependency. I agree with you on HTML5, though. I can't even get font antialiasing to reliably work or antialiasing on any angled edge.

    8. Re:What about Java? by characterZer0 · · Score: 1

      You can install Java without installing the browser plugin.

      --
      Go green: turn off your refrigerator.
    9. Re:What about Java? by allcoolnameswheretak · · Score: 1

      You seem to have failed to notice how energetically Oracle is promoting JavaFX and pushing the technology forward.

    10. Re:What about Java? by Anonymous Coward · · Score: 0

      IE 9 accelerates it well and so does the latest build of Firefox. Chrome does not accelerate half the stuff unless you go in and do it manually.

    11. Re:What about Java? by Billly+Gates · · Score: 3, Insightful

      Java is HUGE at the office and won't go away anytime soon. People still think of Netscape java 1.2 applets running in all gray glory from last century when they think of Java. What they do not see is how Bank of America, Chase, ManPower, Siebel, Kronos, and many and I mean many corporate portals use it.

      It gets worse. They use Java to manipulate +Com objects through security exploits in the RMI. So a patched Java is not acceptable as it would close the hole HR needs to do the payroll so the app can talk to excel with full administrator privileges. Yes I did say admin which is why it can't run on Windows 7 and requires XP and java 1.4.1. Not 1.4.0, not 1.4.2, just 1.4.1 with its plus +30 security holes.

      As a consultant or IT shop like Harry the best you can do is please to finance who say there is no compelling business case to be secure as they also use these IE 7 apps and are afraid of change too and like things fine just the way they are thank you very much!! ... aren't you a cost center anyway? ... that's what I thought we are a real business and have important things to go do go away etc.

      Java 8 is almost out and I wonder what is going to happen? I only have java 6 on this desktop (plugins DISABLED!).

    12. Re:What about Java? by roidzrus · · Score: 1

      The only solution is to ban Java in schools and set up a government agency to monitor Java tutorials online and disable them. We may never see the fruits of this work, but maybe some day, our children's children will live in a world where no eight year old boy ever has to get exploited by a rogue Java applet.

    13. Re:What about Java? by Billly+Gates · · Score: 1

      Worse I taught a year or two ago. A favorite malware serving site is www.coolflashgames.com or www.coolgames.com (One of the sites). There are few that are great and a few malware ones slip in.

      The school administrator had to impose rules on going to that site for security reasons. Some were for edutainment so we tracked them down and they were legit. Thank God we used Macs!

      The rest of the wintel districts still use IE 6 and have not been patched in many many years sadly.

    14. Re:What about Java? by RaceProUK · · Score: 1

      How? I've never seen the option.

      --
      No colour or religion ever stopped the bullet from a gun
    15. Re:What about Java? by tlhIngan · · Score: 1

      HTML V5 is frankly half ass and piss poor, it sucks CPU cycles like a drunk sucking down free drinks and without GPU acceleration is completely unusable on anything low power

      That's not an HTML5 problem. That's a web browser problem. If the web browsers aren't offering you enough controls to adjust how the HTML5 stuff works, find another. Or bug them to fix their Javascript speed and such.

      The main reason HTML5 is better is you're not beholden to Adobe to fix Flash issues. Instead, between Chrome, IE, Firefox and Safari, either they will implement controls internally or offload it to plugins. Like how every browser can have popup blockers now, they can implement HTML5 object blockers as well.

    16. Re:What about Java? by hairyfeet · · Score: 1

      I'm sorry but bullshit. I can take a low power nettop or netbook and use the browser of YOUR choice and HTML V5 will still suck more balls than a bangkok whore. In fact I'll be happy to take the Pepsi challenge and put HTML V5 against flash with no GPU accelerated SD video and record the results, HTML V5 is a fucking piggie and the web is full of complaints just like mine. If you think it works it's because you are running it on a high power multicore or have GPU acceleration for H.264 as HTML V5 is just a badly coded mess.

      And to me the worst fucking part is the whole switch didn't happen because anybody gave a rat's ass about performance or security, it's because Steve Jobs wanted more control of his fucking appstore and knew HTML V5 wasn't in any way, shape, or form a competitor of native apps while flash would have allowed some people to just bypass the fucking appstore for gaming.

      Yeah sorry, but HTML V5 is about as appealing as deep fried tampons.

      --
      ACs don't waste your time replying, your posts are never seen by me.
  2. Quick by Anonymous Coward · · Score: 0

    New version of Chrome within 24 hours... wow.

  3. Pinkie Pie? by Vylen · · Score: 5, Funny

    So a My Little Pony hacked up Chrome?

    I await the fan art for this visual image!

    1. Re:Pinkie Pie? by Anonymous Coward · · Score: 4, Funny

      What can we say, that reputation for breaking the fourth wall includes sandboxes.

      Sterling work here.

    2. Re:Pinkie Pie? by sandytaru · · Score: 4, Funny

      The laws of physics don't apply to Pinkie Pie. Neither do the laws of programming.

      --
      Occasionally living proof of the Ballmer peak.
    3. Re:Pinkie Pie? by Anonymous Coward · · Score: 2, Funny

      So a My Little Pony hacked up Chrome?

      Eeyup. This is actually the second time Pinkie's done this sort of thing, although Google's response time is about 20% cooler than it was last time around.

      I await the fan art for this visual image!

      Okie dokie lokey! Hold onto your hooves, 'cuz here we go!

      Pinkie Pie Breaks The Fourth Wall For The Last Time (Warning: Dubstep)

      Cupcakes (Warning: Cupcakes.)

    4. Re:Pinkie Pie? by Anonymous Coward · · Score: 0

      Cupcakes (Warning: Cupcakes.)

      Every time you post this, 5 bronies kill themselves.

    5. Re:Pinkie Pie? by Anonymous Coward · · Score: 1

      Cupcakes (Warning: Cupcakes.)

      Every time you post this, 5 bronies kill themselves.

      Which makes the world 20% Cooler.

      Fixed that for ya. Andrew WK showed up at Canterlot Gardens, for Celestia's sake!

    6. Re:Pinkie Pie? by Anonymous Coward · · Score: 0

      Hahah, butthurt bronies with modpoints!

    7. Re:Pinkie Pie? by Anonymous Coward · · Score: 0

      (I'd have modded the first 20% cooler guy back up. As a brony, I thought it was hilarious. If we can't even laugh at ourselves, how can we giggle at the goatse?)

    8. Re:Pinkie Pie? by nevermore94 · · Score: 1

      I don't know about My Little Pony, but I do know that Pinkie Pie is the nickname that Skippyjon Jones mom calls him in the book "Skippyjon Jones: Lost in Spice" that I read my daughter weekly before going to bed, lol. I think that the name comes from his overly large pink inside pie shaped Siamese cat ears.

      --
      Nevermore.
  4. Proving once again.. by Anonymous Coward · · Score: 0, Funny

    ..that Pinkie Pie is best pony.

  5. Pinkie Pie's day job by Trax3001BBS · · Score: 2, Funny

    Hacking Google for fun, profit and to the benefit of other's.

    1. Re:Pinkie Pie's day job by Anonymous Coward · · Score: 0

      Hacking Google for fun, profit and to the benefit of other's.

      Other's what?

  6. I do wonder by Trax3001BBS · · Score: 4, Interesting

    How hard Pinkie Pie had to fight not to use their real name, or if Google just let it slide.

    1. Re:I do wonder by wierd_w · · Score: 2

      The answer is simple.

      Pinkie Pie simply makes use of exploit code to circumvent Google's "real name" requirements for Google services. It was, in fact, by getting good at retaining his pseudonym that he became skilled enough to enter these competitions. ;D

      (And I totally pulled that out of my ass. For my next trick..)

    2. Re:I do wonder by Anonymous Coward · · Score: 0

      If they released his/her real name, they would have to worry about higher bidders :P

  7. Second time is very good for him. by epSos-de · · Score: 5, Insightful

    Who would have thought that legal hacking can make you rich faster than a day job. I bet he can live quite OK with the prize money, until the itch for luxury will create more need for money.

    1. Re:Second time is very good for him. by cbhacking · · Score: 2

      60K USD isn't exactly "make you rich" territory in the US, but it's a hell of a lot of money for a teenager. That's pretty close to the median annual salary. It's easily enough to get you through college if you don't go somewhere expensive (do it twice, like he did, and you're looking at enough money for an unsubsidized Ivy League education if you're careful about other expenses). It's enough money to start up a very small business, or enough to buy a modest house in the less expensive parts of the country.

      Even assuming that his expenses are very low, it's probably not enough to live on as an investment. If he can pull it off a few more times, though, it certainly could be (again, assuming a modest standard of living and some smart investing). It's definitely enough to live on until he can expect to get a good job (with skills like that, there are a *lot* of good jobs available, either in a big company that hires in-house security people like Google, or as a consultant).

      As for the "itch for luxury", not everybody is subject to that. I make, after tax, about 3x what I live on, and that's been true for the 2.5 years since I graduated. I still live more-or-less like a college student, though. I drive a nicer car now than I did back then, and I eat fancier food and have a bigger apartment, but all those extra luxuries combined add up to far less than what I was spending in school (and my school was a high-quality but public university, which I was able to make it through without loans; not exactly super-expensive).

      --
      There's no place I could be, since I've found Serenity...
    2. Re:Second time is very good for him. by Billly+Gates · · Score: 2

      Oh please and a spoiled American. You want to talk about how much 60k a year is? How about make $10 a day working 12 hours as fast as body can do at Foxconn in China sound? To them $30,000 is A TON OF MONEY.

      Sure you can't buy yachts with that but I have made far less money and struggled like millions of other people reading this in the recent economic downturn. I would feel like a king for $60k a year! ... now if you buy 60k cars, $300,000 homes, eat out 5 times a week, put all your expenses on a credit card with 30.5% interest, and take $10,000 vacations each year I would have to say the reason you are broke is not because you make a poor measly 60k a year. The reason is you have a spending problem!

      With a nice $10,000 used car, $190,000 home, eating out twice a week, and only using a credit card in emergencies I have to say that is a TON of money and anyone making that should be grateful just to have a job. Too many are making $15,000 a year who used to make $60,000.

      For a kid without a family, mortgage, and a life in front of him that is A TON of money. You can live rent free for 2 whole years, work another job, or get a degree with that and pull in more. Good for him and thanks Google for being generous.

    3. Re:Second time is very good for him. by Anonymous Coward · · Score: 0

      Who would have thought that legal hacking can make you rich faster than a day job.

      Me. I also realize that legal gambling can also make you rich faster than a day job. Let's look at how many other contestants there were? Divide the 60k by them, and those are your chances of winning. Oh, you know your exploit works? What's to say it hasn't been patched already? Yes, you can make money doing it, but you're better off with a day job, or selling the exploits on the black market.

      Look, this is all that's wrong with software today. How many fucking times do we have to learn this lesson? Network Admins used to run the firewall wide open and only blacklist "malicious ports". ActiveX used to let any website run any executable code they wanted, now we do the opposite -- Only run signed executables. NoScript is being adopted so that we can whitelist the sites that need Javascript instead of running all JS from any site. Don't Blacklist. Whitelist. Write code, then PROVE it's secure before including it. Valgrind, input fuzzing, code coverage, unit tests, etc. It's not rocket science, these tools exist and can help to a great degree -- You can actually write secure code. I write everything twice: Once to get the code out of my head, and again to lock it down and harden it. I've been doing it since the 80s in assembly -- I could PROVE that it handled every input correctly. Each line of code, every loop, every function I try to exploit.

      You have to be a hacker to write secure code, but it's NOT IMPOSSIBLE -- It's just math, we can actually make provably secure code. The halting problem doesn't exist for finite problem sets. The problem is that NO SOFTWARE (except perhaps NASA's) is developed to such a high bar. Every single time I've used an external library for anything -- Even PNG image loading (official libpng) -- It's had an exploit. I've never had my own code be the exploit vector in over three decades.

      Every Change causes a cascading Blacklist in my code "UNTESTED". For my personal code, I only release software that I can prove is secure. If this means it takes me longer to produce the code, then so be it. If this means I have to re-invent the wheel (make my own PNG import code) then so be it. I realize it's not practical in most instances due to time or budget expense, but really, didn't you ever just want to write ONE program that was actually secure?! Haven't you ever just wanted to KNOW there's no way it's your fault that someone's getting exploited? There is no honor among software developers.

    4. Re:Second time is very good for him. by Anonymous Coward · · Score: 0

      Great! They find and fix a security bug fast, that stops unknown people from potentially misusing acquired data.
      Now how do we protect ourselves from Google and profit from it?

    5. Re:Second time is very good for him. by StormReaver · · Score: 1

      $60,000 is not a retirement fund. He can live quite okay on that for up to a year, depending on where he lives. In some places, like California, he can live quite well for a few weeks.

    6. Re:Second time is very good for him. by mattack2 · · Score: 1

      How cute that you think that a $300K home is a "rich" home. There have been a _few_ homes in the $300Ks in the past few years that I've seen, but pretty much $399K starting, and that's for 1 or 2 bedrooms, 1 bath. Even those are starting to go well into the $400Ks.

  8. Firefox 16 was pulled down by Anonymous Coward · · Score: 0

    Currently http://getfirefox.com is again pointing to Fx 15. I wonder if it was related to this at all?

  9. Crack on demand by Xylantiel · · Score: 3, Interesting

    I think this demonstration of crack-on-demand is not really a good thing for chrome. This means that cracks for chrome are not worth too much more than 60k on the black market. That doesn't seem like a very high price.

    1. Re:Crack on demand by photon317 · · Score: 1

      Maybe some people have standards and would rather participate in Google's process instead of feed black-market attackers for profit? Or if you want to continue to be cynical, you could say that the name recognition and possible future effects on a career are better this way than the black market route, and that's worth more than the $60K.

      --
      11*43+456^2
    2. Re:Crack on demand by Xylantiel · · Score: 2

      Sure "some" people do. The point is that if someone will do it for 60k plus props, then there are plenty of others that can do it for nefarious purposes. Also I'm not just being cynical, there is a practical component. Looking at it from the practical security standpoint this indicates a market value of a given type of crack, and therefore the approximate cost of such an attack to the hypothetical adversary in your security evaluation. Everything is vulnerable to a "motivated enough" attacker. Security is keeping the expected cost of the crack below the benefit (motivation). My cynicism comes in when I say that $60k+props seems like a pretty darn low cost for a hole (escape from sandbox) in a high-profile browser touted for its security. More cynicism comes in by the assumption that this crack is just the product. The critical issues are in the way the crack was found, which is not mentioned. I would have more confidence if this Pinkie Pie person were well-known for all the bugs they have fixed in chromium, and they just held onto one for the contest. A cause of concern is that the exploit sounds awfully similar to the previous one (using a render bug to access the IPC), indicating that there is a whole family of possible exploits of which these may just be two examples.

  10. Cunning plan by Anonymous Coward · · Score: 1

    i) Create known flaw - a 'bug'
    ii) challenge others to find bug
    iii) fix 'bug' very quickly
    iv) profit - as you Do Know Evil

    1. Re:Cunning plan by MtHuurne · · Score: 1

      Because the alternative:

      i) write the code as secure as they can
      ii) challenge others to find bug
      iii) issue a press release that despite high bounties, no-one could break their browser

      ...doesn't require such subterfuge, is $60K cheaper and is also good publicity.

      Besides, who says a deliberately injected flaw would be found first by someone attending the event? If it is not found, the plot fails, while if it is found first by a black hat they could be facing very bad publicity if it's being exploited in the wild.

    2. Re:Cunning plan by Anonymous Coward · · Score: 0

      Profit is v, iv is ???
       
      I'd say yov must be new here, but yovr vse of roman nvmerals indicates otherwise.

    3. Re:Cunning plan by LordLimecat · · Score: 1

      I must have missed the part where Google is making bank off of their free browser.

  11. Good to see by dubbreak · · Score: 3, Interesting

    It's good to see Google is able to get patches out this quick. I've worked in small businesses that same day fixes were doable but a challenge and a government office with so much red tape pushing something to production that quick would have been impossible. I bet neither MS nor Apple could pull that off.

    Looks like Google is keeping its hacker culture alive rather than becoming a slow moving behemoth like their competitors.

    --
    "If you are going through hell, keep going." - Winston Churchill
    1. Re:Good to see by edibobb · · Score: 1

      I agree. It's nice to see competence and common sense in a large company.

    2. Re:Good to see by cbhacking · · Score: 4, Insightful

      MS certainly, and Apple probably, have the technical expertise to do so. Of course, there are usually other barriers. The problem isn't necessarily red tape, either... Chrome is a fairly young product, and has very little legacy code relying on its functionality. Even so, I question whether they did anything close to a full regression test on this patch. That's not to say that I expect the patch to have caused regressions; I just doubt that they can say, with full confidence, that it didn't. For something like IE, where there is a *huge* amount of third-party legacy code, some of it very crufty yet effectively unreplaceable, finding the root cause of the problem and writing the patch are trivial compared to the time that MS absolutely must spend on regression testing. There have been times in the past where a patch for a serious issue was made available quickly (within a day or so) as an opt-in hotfix, but typically they can't do a full "push to production" (i.e. make it an automatic update) in less than about a week.

      The hacker/cowboy-coder culture often serves young products well, but it doesn't work once the product matures and develops a legacy. Assuming Chrome succeeds at making serious inroads in business, which is quite possible over the next few years (whether that's Google's current main goal for it or not), Google will have to slow down their "push to production" patch speed a little.

      --
      There's no place I could be, since I've found Serenity...
    3. Re:Good to see by BagOCrap · · Score: 1

      The hacker/cowboy-coder culture often serves young products well, but it doesn't work once the product matures and develops a legacy. Assuming Chrome succeeds at making serious inroads in business, which is quite possible over the next few years (whether that's Google's current main goal for it or not), Google will have to slow down their "push to production" patch speed a little.

      Mod parent insightful, please.

      --
      -- Chaos, panic, pandemonium... My job here is done!
    4. Re:Good to see by DerekLyons · · Score: 1

      It's good to see Google is able to get patches out this quick.

      It was a planned event - and thus Google probably had a team ready to go into action if/when an exploit was found. So, not really all that impressive at all. And it's very doubtful they had time to properly QA the patch given the speed of deployment.
       

      Looks like Google is keeping its hacker culture alive rather than becoming a slow moving behemoth like their competitors.

      Looks more like Google has learned the PR culture well - much like its competitors. Look around at Google's overall offerings with open eyes, and you'll see the behemoth shambling quite clearly.

    5. Re:Good to see by Anonymous Coward · · Score: 0

      QA for an exploit patch (especially when the exploit isn't the result of a deep design flaw, but just a simple oversight) is not that hard. You take the shipping branch, add the fix, test the single feature potentially affected by the fix, and ship.

      If you have a build system capable of producing repeatable builds with all dependencies controlled (and any respectable company should, though sadly most companies are not respectable), then QAing a small (but critical) patch to a shipping product is a simple matter.

    6. Re:Good to see by Billly+Gates · · Score: 1

      IE is here to stay in the office!

      Firefox was just starting to get some traction with 3.6 before all hell broke loose with the rapid release. Business needs something that is the same year after year after year that can be locked down at the admin level and just go away out of sight and out of mind. App vendors need to certify it and right now only IE offers that. I read here about intranet developers furious at Mozilla for they hate writing IE 6 code in 2011 but now are permanently stuck as they won't know if the next version of FF won't break something and hold them liable.

      When the developers can be sued for what the browser makers update it puts huge pressure to have a common standard that does not change. That standard is IE 6 and in this decade it will be IE 8. After all that money spent upgrading they sure as hell will fight HTML 5 tooth and nail to keep things the way they are now. Sorry but Chrome ain't going near any enterprise soon.

    7. Re:Good to see by kiwimate · · Score: 1

      That this got modded to +4 Interesting says all one needs to know about Slashdot's readership in late 2012.

      1. Ever heard of emergency changes?
      1. (a) Ever heard of "we know we have this event specifically designed to elicit bug reports, so hey, let's put in a special procedure to integrate fixes ASAP, 'cause then we'll look all cool and stuff"?
      2. Ever heard of regression testing? (That's okay, judging by Google's perpetual beta status for everything, they haven't either.)

    8. Re:Good to see by Anonymous Coward · · Score: 0

      Our enterprise (100k seats, $1bn turnover) just pushed Chrome to all of its end users.

      So you're wrong.

    9. Re:Good to see by Billly+Gates · · Score: 1

      ?? So what happens when an update comes along and breaks your intranets? Are you prepared to handle that? Who do you call for support? What if you go back and instill ADMX tools for deployment yet a critical security hole is discovered? Do you have time to test all your applications and websites before updating?

      With IE you install it and use it for 8 years and run occasional security updates. That is it.

    10. Re:Good to see by ruir · · Score: 2

      The reality is that MS and Apple know fairly well that in the long run is counter-intuitive to post small 0-day patches. They know fairly well they are easy to reverse engineer and thus, more people will be aware of the flaw and will develop more exploits.

    11. Re:Good to see by clark0r · · Score: 1

      I see what you did there :)

    12. Re:Good to see by Anonymous Coward · · Score: 0

      Eh, no. Linux kernel vulnerabilities are fixed and pushed out often within a day or two after announcement of the vulnerability. Linux is over 20 years old and many businesses rely on it (indeed the Internet relies on it). Your legacy argument doesn't work.

    13. Re:Good to see by LordLimecat · · Score: 1

      2. Ever heard of regression testing? (That's okay, judging by Google's perpetual beta status for everything, they haven't either.)

      And yet Google's betas tend to be far more reliable and generally better than most competitors' releases.

  12. The time taken to release the security patch... by nzac · · Score: 1

    should be the main metric for security for web browsers (and other software exposed to the internet).

    It would be difficult to argue that there are not security holes in all browsers and that the holes can be found and exploited with sufficient resources. All of the security measures browser makers use at best make it harder to get a working exploit.
    I think that closing the holes as fast as possible lowers the expected profit for finding an exploit and lowers the time the user is exposed and that this is more effective than sandboxing and memory randomization at providing a secure browser.

  13. Non-existent QA? by jmac880n · · Score: 5, Interesting

    While the turn-around time is impressive, it could not possibly have undergone extensive QA testing...

    I understand that some bugs can have such OBVIOUS solutions - what could POSSIBLY go wrong with the fix???

    1. Re:Non-existent QA? by Vylen · · Score: 1

      Depends on what was modified.

      Identify the module(s) impacted by the change required for the fix. Apply the fix. Test the fix works, then regression test the modules. Given a small system, there's probably no problem for a 10 hour turn around - right?

    2. Re:Non-existent QA? by Anonymous Coward · · Score: 1

      Sounds like this was some missing error checking on the IPC messages between sandbox and main browser components, so this is pretty easy to fix. I wonder what the turnaround time will be when the exploit reprograms the GPU to write directly back to memory, bypassing the IPC and sandbox entirely. Chrome security is a paper bag as long as they allow 3d graphics from untrusted code.

    3. Re:Non-existent QA? by Anonymous Coward · · Score: 0

      So the obvious answer is that someone at Google was already aware and already had a fix underway.

    4. Re:Non-existent QA? by MtHuurne · · Score: 4, Insightful

      This is Google, they do a lot of automated testing and they're good at distributing workloads, so it's likely it did undergo extensive testing in a very short time. Also testing is all about managing risk: what are the chances of this fix introducing something that is worse than the issue itself? This pair of bugs allows an attacker to inject code and escape from the sandbox, which clearly falls into the Bad Things Category.

    5. Re:Non-existent QA? by swillden · · Score: 2

      While the turn-around time is impressive, it could not possibly have undergone extensive QA testing...

      You mean it could not have undergone extensive QA testing by humans. Google has really excellent automated testing infrastructure, at all levels of unit, functional, integration and system tests.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    6. Re:Non-existent QA? by Anonymous Coward · · Score: 0

      QA can be done in parallel very well. Both automated as well as manual. Just think of, like, 10000 servers and 10000 people working for an hour.

  14. works if you have exhaustive unit tests by Chirs · · Score: 3, Insightful

    If the fix changes a behaviour in a corner-case not caught by a unit test then your module regression test isn't worth much anymore.

    1. Re:works if you have exhaustive unit tests by GeekBoy · · Score: 4, Insightful

      Better to patch a vulnerability with the small possibility of having to issue another patched version to correct a corner case than to leave a vulnerability out there.

    2. Re:works if you have exhaustive unit tests by Rockoon · · Score: 1

      It is precisely your sort of careless haphazard thinking that keeps businesses away from Google products.

      "What do you mean we can't run our business until Google pushes out a patch for the patch? GeekBoy, your advice to switch to chrome just cost us 10 million dollars! You are fired! Get out now!"

      --
      "His name was James Damore."
    3. Re:works if you have exhaustive unit tests by jibjibjib · · Score: 1

      If a piece of software is critical to your business, you test updates and patches before deploying them, and you make sure you have the ability to roll back to a previous version if something ends up not working.

      This advice is not specific to Google products.

    4. Re:works if you have exhaustive unit tests by cooldev · · Score: 1

      Does Google give businesses the ability to test updates and do a controlled rollout of patches for Chrome? Based on a cursory search of the web the answer seems to be "No", but I could be wrong...

      Updates happen always and automatically even if the user doesn't have Administrative privileges.

    5. Re:works if you have exhaustive unit tests by Anonymous Coward · · Score: 0

      Your search is too cursory. You can disable auto-update with a group policy and push updates MSI to clients manually.

    6. Re:works if you have exhaustive unit tests by GeekBoy · · Score: 1

      Oh yes, because waiting 3-6 months to patch a vulnerability that can lead to exploited systems, infrastructure and ultimately your IP being sent to China or Russia is a better option.

      I'm sure that if the cost of one web-browser not working is 10 million dollars, the cost of eliminating rootkits/trojans from all the desktops on your network, (and maybe some of the servers) is going to be so much less.

      As mentioned below. If you are actually running your operations, instead of letting your users do it for you, you'll be managing testing and deploying yourself from a central system.

  15. There's a market in exploits now by Animats · · Score: 1

    Back when people finding security holes had to beg to get vendors to fix them, the patch-and-release approach had a chance of working. Now that there's an active market in security holes, someone who finds one can make more money selling it to the attack side.

  16. 60K vs. median annual wage/income by DragonWriter · · Score: 5, Informative

    60K USD isn't exactly "make you rich" territory in the US, but it's a hell of a lot of money for a teenager. That's pretty close to the median annual salary.

    If by "pretty close" you mean "well above".

    For 2010 (the most recent year for which statistics are available; the 2011 statistics should be available this month), the Social Security Administration figures show the median annual wage in the US as $26,363.55, and the average annual wage as $39,959.30.

    So, $60K is more than twice the median annual wage and more than 1.5 times the average annual wage. It's also more than the median household income ($50,054 in 2011, per the U.S. Census Bureau).

    1. Re:60K vs. median annual wage/income by Billly+Gates · · Score: 3, Insightful

      Those statistics really show a disturbing trend. The death of the middle class and the very rich who bring up that average so high. They are already buying houses in cash in an effort to raise rent prices and also use their wealth to collect rents on food and oil prices on those who do not have anything.

      I can't see how anyone besides a single person living a very humble and low end lifestyle can survive at $26k a year! I would have to live with my parents if I earned that just to pay off my student loans. I would go hungry fast every car, insurance, rent, and student loans came in. Like maybe $10 a day max!

    2. Re:60K vs. median annual wage/income by Anonymous Coward · · Score: 0

      if by "is" you mean "is not after taxes are considered"

      #moron

    3. Re:60K vs. median annual wage/income by subreality · · Score: 1

      $60k is doing good, but he's done it twice this year. $120k per year is not bad at all if he can keep it up.

    4. Re:60K vs. median annual wage/income by Anonymous Coward · · Score: 1

      That's scary. Your country's median is below our minimum wage. :( I thought Americans were better off than that.

      Edit: just realised that I'm an AC and that may not have the opportunity to write back. Country is Australia, minimum wage for a full-time adult (over-21) worker is $31,523.

    5. Re:60K vs. median annual wage/income by Anonymous Coward · · Score: 0

      To continue on the irrelevant derail for one more minute - the other half of the equation you are forgetting is the real purchasing power. How much is the monthly rent on a 2 bedroom apartment, 4L of milk, kilo of hamburger or 4L of gasoline. If the answers are more than $1000 (depending on region), $3.50 or $7 then your $31,523 isn't as good as you think it is. Also, what percentage of that $31,523 do you actually keep after income taxes/payroll withholding. The average, single, no-kids American worker would take home about 80% of their paycheck if they made $30k. They'd take home even more if they lived in one of about 10 states with no income tax.

      Australia may be far better than America at many things, potentially including standard of living, however to say that $31,523 in Australia is equal to $31,523 in America is just plain ignorant. $50k in Bermuda is close to the poverty level. Net purchasing power is the measure that matters. According to the IMF, the United States is 6th in the world for per-capita purchasing power at $48,328 and Australia is 13th at $40,827. I usually identify as a democrat, and I certainly don't support the tea party, but I would just like to point out that if you set a minimum wage of $20/hr, your big mac which used to cost $4, will now cost $8 or $10 because it costs so much more in labor. There is no simple answer to standard of living as anything that involves just paying more for X is only inflation.

    6. Re:60K vs. median annual wage/income by Anonymous Coward · · Score: 0

      Well, there are definitely cost of living considerations, I never claimed minimum AU wage would be easy street. It's minimum wage, it's intended to ensure you can pay rent/buy essentials/raise a family and so on. For your questions: rent is one of those piece of string questions. If you live in the middle of Sydney it would cost a fortune (think Manhattan in NYC), if you live outside of Sydney/Melbourne/Canberra it will cost a lot less. Range is $700-$3000. 4L of milk is $4, a kilo of lean mince meat (I think that's what you mean?) is $7, petrol is $1.40/L so $6.40 for 4L. Somebody on minimum wage would take home all of their pay (tax on minimum wage is $1000/year), they're classified as a low-income earner so they'd attract a few thousand dollars annually of income support/family (if any)/healthcare payments, concession cards and so on. There's no state income tax, only federal.

      You haven't really picked the best bundle for comparison, though. Things that are expensive in Australia: petrol, electricity due to monopolies, supermarket goods, houses in Sydney :(, tradesman labour is a ripoff due to the mining boom. Imported cars are a joke because BMW, et al., see us as easy pickings. Anything sold by an American company is usually priced 50% higher (in US$) because that's 'what the market will bear'. Imported whitegoods might be doubled compared to the UK/US. Like Scandinavia, it's a real hassle fighting against opportunistic pricing because companies think Australians can afford it. Things that are cheap: overseas holidays, anything bought on the internet.

      PPP is an important consideration, but it still isn't the only thing that matters because some goods are purchased in nominal, international dollars. The rise of the Australian dollar has directly led to a fall in the cost of living for everybody living here. Healthcare costs are included in taxation (and total taxation wedge is slightly lower compared to the US) for us, and that's not a cost considered in PPP baskets. etc. etc. Also, with a $15/hour minimum wage a Big Mac costs $3.75 and a meal with one costs $5.75, just FYI.

      This really wasn't intended to be a dick measuring thing, it just struck me how low the median is. We'd consider that sort of income disgraceful, and the reason there's strong support for the minimum wage is so that nobody has to live in poverty. Really, though, we're comparing the AU minimum wage against the US median. Australian median wage for 2012 is $67,700. Average wage is $73,632. Add a couple of thousand to convert to USD.

    7. Re:60K vs. median annual wage/income by cbhacking · · Score: 1

      Yeah, I messed up, my bad. It's about median for tech sector jobs. It is, as other posters have pointed out, way above median overall. ... damn but the median is low, too. I live in a relatively affluent state (Washington, home of Microsoft, Amazon, Boeing, etc.) and am a lot less familiar with expected incomes in other parts of the country (the only other region I've looked at is the greater Bay Area in California, which is even more affluent but has an outrageous cost of living). I doubt you can buy a house anywhere within 50 miles (80km) of here for anything close to $120K, but I know there are places in the country where you could. Apparently, that's because that's all that the market will bear...

      --
      There's no place I could be, since I've found Serenity...
  17. Getting people to work for you for free/cheap by BeanThere · · Score: 3, Interesting

    Factoring all overheads (e.g. HR, office space, equipment), how much would a company like Google have to pay to hire a security team to do the amount of security testing work done collectively at this "competition"? Well above $2,000,000. A whole bunch of people do free testing, and one guy gets $60,000 'and a free Chromebook, wow' - not that impressive an amount, considering the amount of self-training and self-development you have to put in to reach that level of expertise, and the amount of time needed to find a security problem. $60K is, what, maybe 6 months salary of hiring a person of that skill level to do similar work .. when you factor in overhead costs, maybe even just 3 or 4 months worth (Google would probably have been very lucky to hire someone to find that bug for that cost). Come on Google, you can afford to pay people properly for such valuable work .. I don't like these cheap tricks that companies like Google use to effectively get people to work for them for free or peanuts.

    1. Re:Getting people to work for you for free/cheap by ruir · · Score: 1

      I actually don't think this competition is any substitute any day for regression testing....

    2. Re:Getting people to work for you for free/cheap by Anonymous Coward · · Score: 0

      I love how you say 'for free' when the numbers you cite are around half an annual income from said position.

      I'm not sure how often these things are, once a year I assume, which means some of these hacks are available for a pretty big-ish time before the next event to show it off.
      A large botnet owner could probably fork over more money in that time, good-bye that bug.
      Another idea could be to sell the bug out to groups and say "make the best of it, it will be in the next event", he can get more money that way.

      But in saying that, most of the people that seem to go to these events appear to be white and down to "25% gray" hacker types, probably unlikely to directly give code and methods out without proper consideration. Probably discuss it with some people and get others to test it.

    3. Re:Getting people to work for you for free/cheap by Anonymous Coward · · Score: 0

      In addition to the cash, Google is also providing a lot of publicity which can be hugely valuable.

    4. Re:Getting people to work for you for free/cheap by BeanThere · · Score: 1

      Nobody claimed it was a substitute, so I don't know why you said that. Regression testing is something you do "anyway", so the question is, how much value does this add in addition to that, and the answer is 'a lot more than the cost of the competition' ... the amount of effective testing performed by competitors collectively is probably equivalent to an entire small team of $100K+/year experts working for months, not to mention the savings of not having damage caused by the exploit being used by someone maliciously.

    5. Re:Getting people to work for you for free/cheap by BeanThere · · Score: 1

      Do you really think the hackers start looking for exploits when they arrive at the event? Don't be stupid - they obviously spend months searching for vulnerabilities before the competition - what do you think these hackers are, wizards that magically sit and in a few hours find an exploit? No, they work their butts off for months, at home in their free time.

    6. Re:Getting people to work for you for free/cheap by BeanThere · · Score: 1

      It's valuable to "Pinkie Pie", but not the many other team members who put in collectively probably man-years worth of work and get zero publicity. And only because he was lucky enough to win at all, it could have gone the other way, i.e. put in months of work and get nothing. Would you work for months for nothing? Would you? Yes/no

    7. Re:Getting people to work for you for free/cheap by Anonymous Coward · · Score: 0

      Consider the press, resume bumps, and possible job offers...

      More than just cash and goods will come from this.

  18. Pinkie Pie Again by Riddler+Sensei · · Score: 1

    As mentioned this isn't the first time Pinkie Pie has made bank off of Google. This appears to bring his yearly earnings from this to $120,000. Seems like rather profitable work, but assuming (hoping?) the limited number of zero day exploits I reckon this quickly becomes a tight zero-sum game for the participants.

    1. Re:Pinkie Pie Again by Laxori666 · · Score: 1

      Step 1) Team up with someone.
      Step 2) One of you goes to work at Google.
      Step 3) Google employee introduces exploits.
      Step 4) You find them first and get paid by Google.
      Step 5) Profit!

      Wait, usually there are ???s in there... I must have done it wrong.

  19. Bronies can take down Chrome. by Anonymous Coward · · Score: 0

    Yet I'm supposed to trust its security?

  20. False dichotomy by Chuck+Chunder · · Score: 2

    Come on Google, you can afford to pay people properly for such valuable work

    Presumably they _do_ pay people for such valuable work. This isn't a "cheap trick", it simply acknowledges that:
    - No matter what experience you do employ, there will always be vastly more external experience.
    - Not everyone interested in these things would necessarily be motivated by being employed by Google (or even by money).
    - Offering an alternative to the black market for such skills is a good idea.

    --
    Boffoonery - downloadable Comedy Benefit for Bletchley Park
    1. Re:False dichotomy by BeanThere · · Score: 1

      It doesn't merely "acknowledge" that fact, it "abuses" and "exploits" that fact. I don't use words like "exploit" lightly, but when you are effectively knowingly getting people to work for you for free, that kind of pushes my buttons .. and the fact is that Google are letting people do highly skilled and valuable work for them, for free, which they then use for private commercial gain ... I think it is immoral on some level to knowingly allow someone to work for you for free, even if they want to (e.g. if maybe they're from a third-world country or something and in a desperate situation). And I'm saying that as an essentially pro-corporate libertarian who hates when people use words like "exploit". I'm not saying anyone's rights have been violated, but it is still repugnant, Google are just assholes but it's not illegal to be assholes.

  21. Re:ban Java in schools by DocSavage64109 · · Score: 1

    I recently went back to school for some classes, and not only does one of my classes want you to install Java on your home computer, but they want you to install Real as well.

  22. Can I view the source code changes? by emddudley · · Score: 1

    Where can I view the details of this bug, and the patch made to fix it? I am curious what source code changes were made. The issues for this bug are locked... why can't the public view them?

    1. Re:Can I view the source code changes? by Anonymous Coward · · Score: 0

      You will be able to in a few weeks when all platforms have been updated at a good percentage of users.

  23. Re:ban Java in schools by roidzrus · · Score: 1

    Why Real? I didn't even think they were still in business, to be honest.

  24. Re:ban Java in schools by DocSavage64109 · · Score: 1

    Exactly. Also, Real has managed to get rid of the advertising free versions that used to be available for educational use. Luckily, I still have a corporate ad-free real client at work that I downloaded a few years ago for someone if real-alternative doesn't work.

  25. Re:ban Java in schools by roidzrus · · Score: 1

    What were they using Real for, anyway?

  26. Re:ban Java in schools by DocSavage64109 · · Score: 1

    I'm not really sure. It could have been a false/obsolete requirement. At work, people occasionally want to listen to web casts that are in real format.

  27. Re:ban Java in schools by hairyfeet · · Score: 1

    I've run into a couple of places with that requirement and it's always shitty lecture videos somebody recorded in Real format and is too fucking lazy to transcode.

    --
    ACs don't waste your time replying, your posts are never seen by me.