Google patches Chrome flaw in 24 hours

The day after Google's Chrome browser was successfully hacked twice at this year's CanSecWest security conference in Vancouver, British Columbia, Google pushed out a patch to fix the flaw that made one of the hacks possible — the second Chrome update in three days. "Congratulations again to community member Sergey Glazunov for the first submission to Pwnium!" wrote Chrome developer Jason Kersey on the official Chrome blog. "Ch-ch-ch-ch-ching!!! $60,000." Pwnium is a new Google-hosted contest at CanSecWest that's giving away up to $1 million in rewards for successful hacks of Chrome. It's running concurrently at CanSecWest with another hacking contest, the annual Pwn2Own contest, which is in its sixth year. The French security firm VUPEN cracked Chrome in Pwn2Own yesterday, but unlike Glazunov, the company's not telling how it did it, other than that it exploited a previously unknown flaw — a "zero day" in security speak — in the "default installation" of Chrome. VUPEN is one of several security firms in the world that controversially won't always immediately tell software companies about flaws in their own software. Instead, as part of its "exclusive vulnerability research intelligence" policy, VUPEN normally informs only its paying, contracted clients about software vulnerabilities, leading some to call the company's actions "no different from patent trolls." On its website, VUPEN states that it "follows a commercial responsible disclosure policy and reports all discovered vulnerabilities to the affected vendors under contract with VUPEN, and works with them to create a timetable pursuant to which the vulnerability information may be publicly disclosed." Google created Pwnium this year after Pwn2Own changed its own rules, abolishing the rule that had forced contestants to disclose all the vulnerabilities they exploited. "Full exploits have been handed over in previous years, but it’s an explicit non-requirement in this year’s contest, and that’s worrisome," read a posting last week on the Chrome developer blog. VUPEN famously cracked Chrome in May 2011, and refused to tell Google what that flaw was as well. The company cracked Apple's Safari browser at last year's Pwn2Own contest. This year was the first time that Chrome, which was released at the end of 2008, had ever been cracked at Pwn2Own. On Monday, Google patched as many holes in Chrome as it could find ahead of the contests. Clearly, it wasn't enough.