Google Fixes Four High-Risk Flaws in Chrome Before Pwn2Own

Google Chrome

Google has fixed several serious security vulnerabilities in Chrome 33, just ahead of the Pwn2Own hacking competition at CanSecWest this week, which surely will reveal several more new bugs in the browser.

The company’s Chrome browser is always at the top of the target list for contestants in Pwn2Own, which rewards them with cash prizes for demonstrating exploits against previously unknown vulnerabilities in the major browsers. A team from VUPEN, along with individual researchers, are lined up to go after Chrome, Internet Explorer, Safari and Adobe Reader and Flash. Google also runs its own Pwnium contest in parallel with Pwn2Own and offers large rewards for new attacks against Chrome.

Pwn2Own is set to begin Wednesday and run through Thursday at the conference, and on Tuesday Google patched four high-risk flaws in Chrome.

[$4000][344881] High CVE-2014-1700: Use-after-free in speech. Credit to Chamal de Silva.

[$3000][342618] High CVE-2014-1701: UXSS in events. Credit to aidanhs.

[$1000][333058] High CVE-2014-1702: Use-after-free in web database. Credit to Collin Payne.

[338354] High CVE-2014-1703: Potential sandbox escape due to a use-after-free in web sockets.

Google likely will be releasing more patches for Chrome later this week as researchers demonstrate their new exploits.

Suggested articles


  • BlackCat on

    Google and Apple always seem to have huge amounts of vulnerabilities patched in their security updates. Agreed this one is small, but the last one for Chrome had 30 bugs fixed and the last iOS one had 20. Apple holds the record for having something like 80 and 100 vulnerabilities fixed in certain OS X versions. I haven't seen this level of patches since XP days, but then XP wasn't originally designed to be on the hostile Internet, but rather secure and compatible intranets. I think at this point in software history it's time to consider 'too much change too fast' as being a substantial security liability.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.