VANCOUVER–A group of researchers from VUPEN, a French security firm, was able to compromise Google Chrome in the initial stages of the Pwn2Own contest. But because of the new rules this year, that doesn’t guarantee them a win in the contest. Rather, it just gives them a nice head start.
Browsing Tag: vulnerabilities
Many industries tend to run in identifiable cycles. Financial services, the auto industry, entertainment–they all have cycles. Because the security industry isn’t nearly as old as any of these, it hasn’t had much of a chance to establish such cycles. But one seems to be appearing now in the form of renewed criticism and distaste for offensive security research.
Adobe on Monday issued two emergency fixes for critical security vulnerabilities in its Flash Player product. The vulnerabilities, if left unpatched, could allow an attacker to take control of a system running a vulnerable version of Flash Player.
An Adobe Flash vulnerability fixed last month is being used in targeted attacks right now, with attackers attempting to persuade victims to open a malicious Word document that contains the payload for the Flash bug. The vulnerability has been patched for nearly a month, but history has shown that flaws that have been patched for several months or even years are still quite valuable for targeted attacks.
Just two days before the annual Pwn2Own contest is set to begin at CanSecWest, Google has patched a huge set of serious vulnerabilities in its Chrome browser. In addition to the 14 high-risk flaws fixed in Chrome, the company also handed out rewards of $10,000 each to three researchers who regularly submit bugs to Google and have taken home quite a bit of cash in the past as part of the company’s reward program.
Just a few days after releasing a fairly large set of patches for its Chrome browser, Google has pushed out another update, fixing 13 vulnerabilities, more than half of them being high-severity bugs.
Adobe issued two security bulletins on Tuesday, fixing a critical security vulnerabilities in Shockwave Player, and another affecting its RoboHelp authoring product.
There is another new version of Mozilla Firefox available, and version 10.0.1 includes a fix for a critical security vulnerability in the browser. The flaw is a serious use-after-free flaw in a component of the browser that also exists in Thunderbird, SeaMonkey and other Mozilla products.
In the 15 months since Google began offering rewards to researchers who report vulnerabilities in its Web applications, the company has paid out more than $400,000 in bug bounties. That’s a lot of money, even for Google, and the company is counting the program as a huge success.
CANCUN–The offensive security research community has evolved in the last decade or so from a relatively small and insular group inwardly focused, to a large and rather vocal group with a wide variety of motives, opinions and skill levels. But, to hear Brad Arkin of Adobe tell it, the huge amount of talent in that community could be put to better use trying to develop new defensive technologies and techniques rather than searching for the next bug in an infinite sea of bugs.