In Under 10 Hours, Google Patches Chrome To Plug Hole Found At Its Pwnium Event

An anonymous reader writes "Last night, Google held its Pwnium 2 competition at Hack in the Box 2012, offering up a total of $2 million for security holes found in Chrome. Only one was discovered; a young hacker who goes by the alias 'Pinkie Pie' netted the highest reward level: a $60,000 cash prize and a free Chromebook (the second time he pulled it off). Google today patched the flaw and announced a new version of Chrome for Windows, Mac, and Linux."

What about Java?

[roidzrus]

Oracle could take a lesson from this.

Re:What about Java?

[WD]

As soon as Oracle stops enabling a web browser plug-in with the Java installer, then your point may be valid. But as things currently are, they better damn care about vulnerabilities that affect applets! (which is the whole point of the OP)

Re:What about Java?

[Billly+Gates]

Java is HUGE at the office and wont go away anytime soon. People still think of Netscape java 1.2 applets running in all gray glory from last century when think of Java. What they do not see is how Bank of America, Chase, ManPower, Seibel, Kronos, and many and I mean many corporate portals use it

It gets worse. They use Java to manipulate +Com objects through security exploits in the RMI. So a patched Java is not acceptable as it would close the hole HR needs to do the payroll so the app can talk to excel with full administrator privileges. Yes I did say admin which is why it cant' run on Windows 7 and requires XP and java 1.4.1. Not 1.4.0, not 1.4.2, just just 1.4.1 with its plus +30 security holes.

As a consultant or IT shop like Harry the best you can do is please to finance who say there is no compelling business case to be secure as they also use these IE 7 apps and are afraid of change too and like things fine just the way they are thank you very much!! ... aren't you a cost center anyway? ... thats what I thought we are a real business and have important things to go do go away etc.

Java 8 is almost out and I wonder what is going to happen? I only have java 6 on this desktop (plugins DISABLED!).

Second time is very good for him.

[epSos-de]

Who would have thought that legal hacking can make you rich faster than a day job. I bet he can live quite OK with the prize money, until the itch for luxury will create more need for money.

works if you have exhaustive unit tests

[Chirs]

If the fix changes a behaviour in a corner-case not caught by a unit test then your module regression test isn't worth much anymore.

Re:works if you have exhaustive unit tests

[GeekBoy]

Better to patch a vulnerability with the small possibility of having to issue another patched version to correct a corner case than to leave a vulnerability out there.

Re:Good to see

[cbhacking]

MS certainly, and Apple probably, have the technical expertise to do so. Of course, there are usually other barriers. The problem isn't necessarily red tape, either... Chrome is a fairly young product, and has very little legacy code relying on its functionality. Even so, I question whether they did anything close to a full regression test on this patch. That's not to say that I expect the patch to have caused regressions; I just doubt that they can say, with full confidence, that it didn't. For something like IE, here there is a *huge* amount of third-party legacy code, some of it very crufty yet effectively unreplaceable, finding the root cause of the problem and writing the patch are trivial compared to the time that MS absolutely must spend on regression testing. There have been times in the past where a patch for a serious issue was made available quickly (within a day or so) as an opt-in hotfix, but typically they can't do a full "push to production" (i.e. make it an automatic update) in less than about a week.

The hacker/cowboy-coder culture often serves young products well, but it doesn't work once the product matures and develops a legacy. Assuming Chrome succeeds at making serious inroads in business, which is quite possible over the next few years (whether that's Google's current main goal for it or not), Google will have to slow down their "push to production" patch speed a little.

Re:Non-existant QA?

[MtHuurne]

This is Google, they do a lot of automated testing and they're good at distributing workloads, so it's likely it did undergo extensive testing in a very short time. Also testing is all about managing risk: what are the chances of this fix introducing something that is worse than the issue itself? This pair of bugs allows an attacker to inject code and escape from the sandbox, which clearly falls into the Bad Things Category.

Re:60K vs. median annual wage/income

[Billly+Gates]

Those statistics really show a disturbing trend. The death of the middle class and the very rich who bring up that average so high. They are already buying houses in cash in an effort to raise rent prices and also use their wealth to collect rents on food and oil prices on those who do not have anything.

I can't see how anyone besides a single person living a very humble and low end lifestyle can survive at $26k a year! I would have to live with my parents if I earned that just to pay off my student loans. I would go hungry fast every car, insurance, rent, and student loans came in. Like maybe $10 a day max!