Slashdot Mirror


In Under 10 Hours, Google Patches Chrome To Plug Hole Found At Its Pwnium Event

An anonymous reader writes "Last night, Google held its Pwnium 2 competition at Hack in the Box 2012, offering up a total of $2 million for security holes found in Chrome. Only one was discovered; a young hacker who goes by the alias 'Pinkie Pie' netted the highest reward level: a $60,000 cash prize and a free Chromebook (the second time he pulled it off). Google today patched the flaw and announced a new version of Chrome for Windows, Mac, and Linux."

12 of 113 comments

  1. What about Java? by roidzrus · · Score: 5, Insightful

    Oracle could take a lesson from this.

    1. Re:What about Java? by WD · · Score: 4, Insightful

      As soon as Oracle stops enabling a web browser plug-in with the Java installer, then your point may be valid. But as things currently are, they better damn care about vulnerabilities that affect applets! (which is the whole point of the OP)

  2. Pinkie Pie? by Vylen · · Score: 5, Funny

    So a My Little Pony hacked up Chrome?

    I await the fan art for this visual image!

    1. Re:Pinkie Pie? by Anonymous Coward · · Score: 4, Funny

      What can we say, that reputation for breaking the fourth wall includes sandboxes.

      Sterling work here.

    2. Re:Pinkie Pie? by sandytaru · · Score: 4, Funny

      The laws of physics don't apply to Pinkie Pie. Neither do the laws of programming.

      --
      Occasionally living proof of the Ballmer peak.
  3. I do wonder by Trax3001BBS · · Score: 4, Interesting

    How hard Pinkie Pie had to fight not to use their real name, or if Google just let it slide.

  4. Second time is very good for him. by epSos-de · · Score: 5, Insightful

    Who would have thought that legal hacking can make you rich faster than a day job. I bet he can live quite OK with the prize money, until the itch for luxury will create more need for money.

  5. Non-existent QA? by jmac880n · · Score: 5, Interesting

    While the turn-around time is impressive, it could not possibly have undergone extensive QA testing...

    I understand that some bugs can have such OBVIOUS solutions - what could POSSIBLY go wrong with the fix???

    1. Re:Non-existent QA? by MtHuurne · · Score: 4, Insightful

      This is Google, they do a lot of automated testing and they're good at distributing workloads, so it's likely it did undergo extensive testing in a very short time. Also testing is all about managing risk: what are the chances of this fix introducing something that is worse than the issue itself? This pair of bugs allows an attacker to inject code and escape from the sandbox, which clearly falls into the Bad Things Category.

  6. Re:works if you have exhaustive unit tests by GeekBoy · · Score: 4, Insightful

    Better to patch a vulnerability with the small possibility of having to issue another patched version to correct a corner case than to leave a vulnerability out there.

  7. Re:Good to see by cbhacking · · Score: 4, Insightful

    MS certainly, and Apple probably, have the technical expertise to do so. Of course, there are usually other barriers. The problem isn't necessarily red tape, either... Chrome is a fairly young product, and has very little legacy code relying on its functionality. Even so, I question whether they did anything close to a full regression test on this patch. That's not to say that I expect the patch to have caused regressions; I just doubt that they can say, with full confidence, that it didn't. For something like IE, where there is a *huge* amount of third-party legacy code, some of it very crufty yet effectively unreplaceable, finding the root cause of the problem and writing the patch are trivial compared to the time that MS absolutely must spend on regression testing. There have been times in the past where a patch for a serious issue was made available quickly (within a day or so) as an opt-in hotfix, but typically they can't do a full "push to production" (i.e. make it an automatic update) in less than about a week.

    The hacker/cowboy-coder culture often serves young products well, but it doesn't work once the product matures and develops a legacy. Assuming Chrome succeeds at making serious inroads in business, which is quite possible over the next few years (whether that's Google's current main goal for it or not), Google will have to slow down their "push to production" patch speed a little.

    --
    There's no place I could be, since I've found Serenity...
  8. 60K vs. median annual wage/income by DragonWriter · · Score: 5, Informative

    60K USD isn't exactly "make you rich" territory in the US, but it's a hell of a lot of money for a teenager. That's pretty close to the median annual salary.

    If by "pretty close" you mean "well above".

    For 2010 (the most recent year for which statistics are available; the 2011 statistics should be available this month), the Social Security Administration figures show the median annual wage in the US as $26,363.55, and the average annual wage as $39,959.30.

    So, $60K is more than twice the median annual wage and more than 1.5 times the average annual wage. It's also more than the median household income ($50,054 in 2011, per the U.S. Census Bureau).