Pwnium: great exploits, fast patches: Last week we debuted Pwnium, a contest based on our Chromium Security Rewards program. Both of these initiatives reward well intentioned researchers who help make the web a safer place by reporting security vulnerabilities. Our total payout to researchers for these programs is now well over half a million dollars.
We weren’t sure what kinds of reports we would get from Pwnium, but by the end of the week we were thrilled to have awarded $120,000 for two excellent submissions. Thanks to Chrome’s rapid auto-update functionality, we were able to update Chrome twice, in both cases protecting users less than 24 hours after the respective bugs were reported. While these vulnerabilities were reported directly and privately to us, this kind of speed is especially important if bugs were ever being actively abused to harm users.
Since the full exploits were disclosed, we were able to study them and add a range of additional defensive measures based on what we saw. These measures will make Chrome more secure from any similar hacks in the future. We’ll publish write-ups to honor these two highly creative works in the coming weeks.
Also last week, a separate exploit for Chrome was demonstrated at the Pwn2Own competition. We’ve since learned that the bug exploited a vulnerability in the Flash Player plug-in -- affecting all browsers. The contest organizers have reported the vulnerability details directly and privately to Adobe, and Adobe will be providing a fix as part of its forthcoming Flash Player update. When that happens, Chrome users will enjoy the advantage of an auto-update and quick protection. Looking forward, Adobe and Google are collaborating on a version of Flash Player which will run inside the primary Chrome sandbox. Chrome OS devices already ship with this next-generation sandbox for Flash Player.
Engaging the wider security community is one of our core security principles, and Pwnium is a great example of the benefits of this type of collaboration. Our special thanks to the contestants for their exceptional contributions to security on the web.
Posted by Chris Evans and Travis McCoy, Chrome Security Team