Slashdot Mirror


In Under 10 Hours, Google Patches Chrome To Plug Hole Found At Its Pwnium Event

An anonymous reader writes "Last night, Google held its Pwnium 2 competition at Hack in the Box 2012, offering up a total of $2 million for security holes found in Chrome. Only one was discovered; a young hacker who goes by the alias 'Pinkie Pie' netted the highest reward level: a $60,000 cash prize and a free Chromebook (the second time he pulled it off). Google today patched the flaw and announced a new version of Chrome for Windows, Mac, and Linux."

31 of 113 comments

  1. What about Java? by roidzrus · · Score: 5, Insightful

    Oracle could take a lesson from this.

    1. Re:What about Java? by characterZer0 · · Score: 2

      Why? Oracle does not care about Java on the client, only about Java on the server. Why should they care about flaws in applets? It is unrelated to their business.

      --
      Go green: turn off your refrigerator.

    2. Re:What about Java? by WD · · Score: 4, Insightful

      As soon as Oracle stops enabling a web browser plug-in with the Java installer, then your point may be valid. But as things currently are, they better damn care about vulnerabilities that affect applets! (which is the whole point of the OP)

    3. Re:What about Java? by davester666 · · Score: 2

      Why? Describe what penalty and/or downside Oracle would face if, say, hundreds of thousands of computers become part of botnets due to a flaw in the Java plugin.

      --
      Sleep your way to a whiter smile...date a dentist!

    4. Re:What about Java? by cbhacking · · Score: 2

      Potential class-action lawsuit and/or government fines in countries where warranty and suitability for a purpose can't be completely disregarded? Hell, possibly even a class-action in the US, where you don't even really need the law on your side if you can simply show that an action that a company took, or failed to take, had a known risk of harm to you and did in fact result in harm?

      Or there's the risk of big and highly-visible companies (think Google) publicly announcing that they're getting rid of Java because they see it as a security threat, similar to what happened when some Google computers were exploited due to an IE6 vuln. I realize that in Google's particular case, getting rid of Java entirely is highly unlikely, but if they simply make the effort to publicly tar-and-feather it as insecure - which they could do easily, for example by displaying a warning on the search results page if they detect the Java plugin in your browser - that would hurt Oracle's reputation badly even if it were specific to the applet plugin.

      Speaking of loss of reputation, companies may decide that if Oracle can't keep the applet sandbox secure, then maybe they can't be trusted to keep their enterprise products secure either... and hey look, there are at least a few competing systems out there for pretty much every product or service Oracle offers. If Oracle came to be known as a company that can't ensure reasonable security, that would make them a lot less attractive to the prospective customers of their more expensive products too.

      --
      There's no place I could be, since I've found Serenity...

    5. Re:What about Java? by hairyfeet · · Score: 2

      Frankly, Java doesn't bother me, as if you aren't working with the enterprise or with a few apps like GoToMyPC it's easy enough to avoid; it's the Adobe products that bite home users square in the ass. When you look at the combined number of bugs out there for Flash and Reader, Adobe has been pretty piss poor when it comes to security, yet sadly there are no replacements in sight.

      HTML V5 is frankly half-ass and piss poor: it sucks CPU cycles like a drunk sucking down free drinks and without GPU acceleration is completely unusable on anything low power, not to mention it doesn't even cover half the use cases of Flash, and all of the PDF readers other than Adobe end up choking on PDFs made by Adobe Acrobat thanks to all the funky features the free versions never seem to get around to implementing.

      So while I'll happily give credit to the Google team and hope their patch makes it up the Chromium branch to all the variants quickly, there is plenty of other bad software out there besides Java, and unlike Java a lot harder to just avoid.

      --
      ACs don't waste your time replying, your posts are never seen by me.

    6. Re:What about Java? by Billly+Gates · · Score: 3, Insightful

      Java is HUGE at the office and won't go away anytime soon. People still think of Netscape Java 1.2 applets running in all their gray glory from last century when they think of Java. What they do not see is how Bank of America, Chase, ManPower, Siebel, Kronos, and many and I mean many corporate portals use it.

      It gets worse. They use Java to manipulate COM objects through security exploits in the RMI. So a patched Java is not acceptable, as it would close the hole HR needs to do the payroll so the app can talk to Excel with full administrator privileges. Yes, I did say admin, which is why it can't run on Windows 7 and requires XP and Java 1.4.1. Not 1.4.0, not 1.4.2, just 1.4.1 with its 30+ security holes.

      As a consultant or IT shop like Harry, the best you can do is plead to finance, who say there is no compelling business case to be secure, as they also use these IE 7 apps and are afraid of change too and like things fine just the way they are, thank you very much!! ... aren't you a cost center anyway? ... that's what I thought; we are a real business and have important things to go do, go away, etc.

      Java 8 is almost out and I wonder what is going to happen? I only have Java 6 on this desktop (plugins DISABLED!).

  2. Pinkie Pie? by Vylen · · Score: 5, Funny

    So a My Little Pony hacked up Chrome?

    I await the fan art for this visual image!

    1. Re:Pinkie Pie? by Anonymous Coward · · Score: 4, Funny

      What can we say, that reputation for breaking the fourth wall includes sandboxes.

      Sterling work here.

    2. Re:Pinkie Pie? by sandytaru · · Score: 4, Funny

      The laws of physics don't apply to Pinkie Pie. Neither do the laws of programming.

      --
      Occasionally living proof of the Ballmer peak.

    3. Re:Pinkie Pie? by Anonymous Coward · · Score: 2, Funny

      So a My Little Pony hacked up Chrome?

      Eeyup. This is actually the second time Pinkie's done this sort of thing, although Google's response time is about 20% cooler than it was last time around.

      I await the fan art for this visual image!

      Okie dokie lokey! Hold onto your hooves, 'cuz here we go!

      Pinkie Pie Breaks The Fourth Wall For The Last Time (Warning: Dubstep)

      Cupcakes (Warning: Cupcakes.)

  3. Pinkie Pie's day job by Trax3001BBS · · Score: 2, Funny

    Hacking Google for fun, profit and the benefit of others.

  4. I do wonder by Trax3001BBS · · Score: 4, Interesting

    How hard Pinkie Pie had to fight not to use their real name, or if Google just let it slide.

    1. Re:I do wonder by wierd_w · · Score: 2

      The answer is simple.

      Pinkie Pie simply makes use of exploit code to circumvent Google's "real name" requirements for Google services. It was, in fact, by getting good at retaining his pseudonym that he became skilled enough to enter these competitions. ;D

      (And I totally pulled that out of my ass. For my next trick..)

  5. Second time is very good for him. by epSos-de · · Score: 5, Insightful

    Who would have thought that legal hacking can make you rich faster than a day job? I bet he can live quite OK on the prize money, until the itch for luxury creates more need for money.

    1. Re:Second time is very good for him. by cbhacking · · Score: 2

      60K USD isn't exactly "make you rich" territory in the US, but it's a hell of a lot of money for a teenager. That's pretty close to the median annual salary. It's easily enough to get you through college if you don't go somewhere expensive (do it twice, like he did, and you're looking at enough money for an unsubsidized Ivy League education if you're careful about other expenses). It's enough money to start up a very small business, or enough to buy a modest house in the less expensive parts of the country.

      Even assuming that his expenses are very low, it's probably not enough to live on as an investment. If he can pull it off a few more times, though, it certainly could be (again, assuming a modest standard of living and some smart investing). It's definitely enough to live on until he can expect to get a good job (with skills like that, there are a *lot* of good jobs available, either in a big company that hires in-house security people like Google, or as a consultant).

      As for the "itch for luxury", not everybody is subject to that. I make, after tax, about 3x what I live on, and that's been true for the 2.5 years since I graduated. I still live more-or-less like a college student, though. I drive a nicer car now than I did back then, and I eat fancier food and have a bigger apartment, but all those extra luxuries combined add up to far less than what I was spending in school (and my school was a high-quality but public university, which I was able to make it through without loans; not exactly super-expensive).

      --
      There's no place I could be, since I've found Serenity...

    2. Re:Second time is very good for him. by Billly+Gates · · Score: 2

      Oh please, what a spoiled American. You want to talk about how much 60k a year is? How does making $10 a day working 12 hours as fast as your body can at Foxconn in China sound? To them $30,000 is A TON OF MONEY.

      Sure you can't buy yachts with that, but I have made far less money and struggled like millions of other people reading this in the recent economic downturn. I would feel like a king on $60k a year! ... now if you buy 60k cars, $300,000 homes, eat out 5 times a week, put all your expenses on a credit card with 30.5% interest, and take $10,000 vacations each year, I would have to say the reason you are broke is not because you make a poor measly 60k a year. The reason is you have a spending problem!

      With a nice $10,000 used car, a $190,000 home, eating out twice a week, and only using a credit card in emergencies, I have to say that is a TON of money and anyone making that should be grateful just to have a job. Too many are making $15,000 a year who used to make $60,000.

      For a kid without a family, mortgage, and a life in front of him that is A TON of money. You can live rent free for 2 whole years, work another job, or get a degree with that and pull in more. Good for him and thanks Google for being generous.

  6. Crack on demand by Xylantiel · · Score: 3, Interesting

    I think this demonstration of crack-on-demand is not really a good thing for chrome. This means that cracks for chrome are not worth too much more than 60k on the black market. That doesn't seem like a very high price.

    1. Re:Crack on demand by Xylantiel · · Score: 2

      Sure "some" people do. The point is that if someone will do it for 60k plus props, then there are plenty of others that can do it for nefarious purposes. Also I'm not just being cynical, there is a practical component. Looking at it from the practical security standpoint this indicates a market value of a given type of crack, and therefore the approximate cost of such an attack to the hypothetical adversary in your security evaluation. Everything is vulnerable to a "motivated enough" attacker. Security is keeping the expected cost of the crack below the benefit (motivation). My cynicism comes in when I say that $60k+props seems like a pretty darn low cost for a hole (escape from sandbox) in a high-profile browser touted for its security. More cynicism comes in by the assumption that this crack is just the product. The critical issues are in the way the crack was found, which is not mentioned. I would have more confidence if this Pinkie Pie person were well-known for all the bugs they have fixed in chromium, and they just held onto one for the contest. A cause of concern is that the exploit sounds awfully similar to the previous one (using a render bug to access the IPC), indicating that there is a whole family of possible exploits of which these may just be two examples.

  7. Good to see by dubbreak · · Score: 3, Interesting

    It's good to see Google is able to get patches out this quick. I've worked in small businesses where same-day fixes were doable but a challenge, and in a government office where, with so much red tape, pushing something to production that quick would have been impossible. I bet neither MS nor Apple could pull that off.

    Looks like Google is keeping its hacker culture alive rather than becoming a slow-moving behemoth like their competitors.

    --
    "If you are going through hell, keep going." - Winston Churchill

    1. Re:Good to see by cbhacking · · Score: 4, Insightful

      MS certainly, and Apple probably, have the technical expertise to do so. Of course, there are usually other barriers. The problem isn't necessarily red tape, either... Chrome is a fairly young product, and has very little legacy code relying on its functionality. Even so, I question whether they did anything close to a full regression test on this patch. That's not to say that I expect the patch to have caused regressions; I just doubt that they can say, with full confidence, that it didn't. For something like IE, where there is a *huge* amount of third-party legacy code, some of it very crufty yet effectively unreplaceable, finding the root cause of the problem and writing the patch are trivial compared to the time that MS absolutely must spend on regression testing. There have been times in the past where a patch for a serious issue was made available quickly (within a day or so) as an opt-in hotfix, but typically they can't do a full "push to production" (i.e. make it an automatic update) in less than about a week.

      The hacker/cowboy-coder culture often serves young products well, but it doesn't work once the product matures and develops a legacy. Assuming Chrome succeeds at making serious inroads in business, which is quite possible over the next few years (whether that's Google's current main goal for it or not), Google will have to slow down their "push to production" patch speed a little.

      --
      There's no place I could be, since I've found Serenity...

    2. Re:Good to see by ruir · · Score: 2

      The reality is that MS and Apple know fairly well that in the long run it is counter-intuitive to post small 0-day patches. They know fairly well they are easy to reverse engineer and thus more people will be aware of the flaw and will develop more exploits.

  8. Non-existent QA? by jmac880n · · Score: 5, Interesting

    While the turn-around time is impressive, it could not possibly have undergone extensive QA testing...

    I understand that some bugs can have such OBVIOUS solutions - what could POSSIBLY go wrong with the fix???

    1. Re:Non-existent QA? by MtHuurne · · Score: 4, Insightful

      This is Google, they do a lot of automated testing and they're good at distributing workloads, so it's likely it did undergo extensive testing in a very short time. Also testing is all about managing risk: what are the chances of this fix introducing something that is worse than the issue itself? This pair of bugs allows an attacker to inject code and escape from the sandbox, which clearly falls into the Bad Things Category.

    2. Re:Non-existent QA? by swillden · · Score: 2

      While the turn-around time is impressive, it could not possibly have undergone extensive QA testing...

      You mean it could not have undergone extensive QA testing by humans. Google has really excellent automated testing infrastructure, at all levels of unit, functional, integration and system tests.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.

  9. works if you have exhaustive unit tests by Chirs · · Score: 3, Insightful

    If the fix changes a behaviour in a corner-case not caught by a unit test then your module regression test isn't worth much anymore.

    1. Re:works if you have exhaustive unit tests by GeekBoy · · Score: 4, Insightful

      Better to patch a vulnerability with the small possibility of having to issue another patched version to correct a corner case than to leave a vulnerability out there.

  10. 60K vs. median annual wage/income by DragonWriter · · Score: 5, Informative

    60K USD isn't exactly "make you rich" territory in the US, but it's a hell of a lot of money for a teenager. That's pretty close to the median annual salary.

    If by "pretty close" you mean "well above".

    For 2010 (the most recent year for which statistics are available; the 2011 statistics should be available this month), the Social Security Administration figures show the median annual wage in the US as $26,363.55, and the average annual wage as $39,959.30.

    So, $60K is more than twice the median annual wage and more than 1.5 times the average annual wage. It's also more than the median household income ($50,054 in 2011, per the U.S. Census Bureau).

    1. Re:60K vs. median annual wage/income by Billly+Gates · · Score: 3, Insightful

      Those statistics really show a disturbing trend. The death of the middle class and the very rich who bring up that average so high. They are already buying houses in cash in an effort to raise rent prices and also use their wealth to collect rents on food and oil prices on those who do not have anything.

      I can't see how anyone besides a single person living a very humble and low-end lifestyle can survive at $26k a year! I would have to live with my parents if I earned that, just to pay off my student loans. I would go hungry fast every time car, insurance, rent, and student loan bills came in. Like maybe $10 a day max!

  11. Getting people to work for you for free/cheap by BeanThere · · Score: 3, Interesting

    Factoring in all overheads (e.g. HR, office space, equipment), how much would a company like Google have to pay to hire a security team to do the amount of security testing work done collectively at this "competition"? Well above $2,000,000. A whole bunch of people do free testing, and one guy gets $60,000 'and a free Chromebook, wow' - not that impressive an amount, considering the amount of self-training and self-development you have to put in to reach that level of expertise, and the amount of time needed to find a security problem. $60K is, what, maybe 6 months' salary of hiring a person of that skill level to do similar work .. when you factor in overhead costs, maybe even just 3 or 4 months' worth (Google would probably have been very lucky to hire someone to find that bug for that cost). Come on Google, you can afford to pay people properly for such valuable work .. I don't like these cheap tricks that companies like Google use to effectively get people to work for them for free or peanuts.

  12. False dichotomy by Chuck+Chunder · · Score: 2

    Come on Google, you can afford to pay people properly for such valuable work

    Presumably they _do_ pay people for such valuable work. This isn't a "cheap trick", it simply acknowledges that:
    - No matter what experience you do employ, there will always be vastly more external experience.
    - Not everyone interested in these things would necessarily be motivated by being employed by Google (or even by money).
    - Offering an alternative to the black market for such skills is a good idea.

    --
    Boffoonery - downloadable Comedy Benefit for Bletchley Park