Just two days before the annual Pwn2Own contest is set to begin at CanSecWest, Google has patched a huge set of serious vulnerabilities in its Chrome browser. In addition to the 14 high-risk flaws fixed in Chrome, the company also handed out rewards of $10,000 each to three researchers who regularly submit bugs to Google and have taken home quite a bit of cash in the past as part of the company’s reward program.
The $10,000 payouts went to Aki Helin, Arhur Gerkis and a researcher known as Miaubiz. These payments are in addition to the normal rewards that Google pays researchers who find and report security vulnerabilities in Chrome, and they represent a new kind of reward from the company. And Google officials said it is just the beginning of this kind of reward that isn’t tied to a specific bug report.
“To determine the above rewards, we looked at bug finding performance over the past few months. The three named individuals stood out significantly. It also shouldn’t come as a surprise that they all feature (and earn more!) in the release notes below. We have always reserved the right to arbitrarily reward sustained, extraordinary contributions. In this instance, we’re dropping a surprise bonus. We reserve the right to do so again and reserve the right to do so on a more regular basis! Chrome has a leading reputation for security and it wouldn’t be possible without the aggressive bug hunting of the wider community,” Jason Kersey of the Google Chrome team wrote in a blog post.
The Pwn2Own contest at CanSecWest in Vancouver is a an annual competition that challenges researchers to hack one or more of a set list of targets. The target list typically includes each of the major browsers running on Windows or OS X. The rules of the contest have changed this year in order to give more contestants the ability to use vulnerabilities they’ve discovered. Instead of researchers simply sitting down in their assigned order and trying their bugs against a specific browser, this year’s contest will be a three-day competition in which entrants earn points for successful exploits against the various targets.
The targets this year are Chrome, Internet Explorer, Safari and Firefox, but the specific versions of each browser won’t be known until Wednesday when the contest starts.
“We basically rearchitected the entire thing this year. We wanted to take our limited budget and spread it over three winners in order to give them more incentive to bring their vulns to Pwn2Own,” Aaron Portnoy, the manager of the security research team at TippingPoint, whose Zero Day Initiative runs Pwn2Own, said in explaining the new rules last month. “We didn’t think it was fair with the drawing. That opens the door for people having a vulnerability they don’t use at the contest and it doesn’t get fixed.”
In past years, Safari, Firefox and IE have been frequent successful targets at the contest but no one has succeeded in taking down Chrome. This year Google has offered up to $1 million in rewards for successful exploits against its browser. The list of bugs the company fixed in Chrome on Sunday should make that harder.
The full list of fixes in Chrome include:
- [$1000]  High CVE-2011-3031: Use-after-free in v8 element wrapper. Credit to Chamal de Silva.
- [$1000]  High CVE-2011-3032: Use-after-free in SVG value handling. Credit to Arthur Gerkis.
- [$2000]   High CVE-2011-3033: Buffer overflow in the Skia drawing library. Credit to Aki Helin of OUSPG.
- [$1000]  High CVE-2011-3034: Use-after-free in SVG document handling. Credit to Arthur Gerkis.
- [$2000]  High CVE-2011-3035: Use-after-free in SVG use handling. Credit to Arthur Gerkis.
- [$1000]  High CVE-2011-3036: Bad cast in line box handling. Credit to miaubiz.
- [$3000]    High CVE-2011-3037: Bad casts in anonymous block splitting. Credit to miaubiz.
- [$1000]  High CVE-2011-3038: Use-after-free in multi-column handling. Credit to miaubiz.
- [$1000]  High CVE-2011-3039: Use-after-free in quote handling. Credit to miaubiz.
- [$500]  High CVE-2011-3040: Out-of-bounds read in text handling. Credit to miaubiz.
- [$1000]  High CVE-2011-3041: Use-after-free in class attribute handling. Credit to miaubiz.
- [$1000]  High CVE-2011-3042: Use-after-free in table section handling. Credit to miaubiz.
- [$1000]  High CVE-2011-3043: Use-after-free in flexbox with floats. Credit to miaubiz.
- [$1000]  High CVE-2011-3044: Use-after-free with SVG animation elements. Credit to Arthur Gerkis.