Last-minute pre-Pwnium Chrome update closes numerous holes...

Filed Under: Featured, Google, Google Chrome, Vulnerability

Google has something of a reputation for doing things differently.

Contests, for instance.

Last year, in 2012, Google fell out with the organisers of the PWN2OWN competition at the CanSecWest conference.

That's the competition where you try, live in public and unashamedly for money, to exploit one of the mainstream browsers.

Google didn't like the terms and conditions in 2012 because they allowed winners to be paid out prize money even if they kept the vulnerabilities to themselves after the competition.

Google felt that the prize money should be contingent on responsible disclosure, where any prizewinning vulnerabilities would be given to the makers of the pwned browsers, together with a reasonable time to fix them.

So Google ran a competing competition at the same event and called it Pwnium, after the names of the two main flavours of its own browser, Chrome and Chromium.

Fast forward to just about now, when CanSecWest 2013 kicks off, and Google has patched up its differences (no pun intended) with PWN2OWN and has put up some of the prize fund there.

But that hasn't stopped Google running its own contest in parallel, Pwnium Three, which has a prize fund of π million dollars.

(Actually, it's US$3.14159 million. You'd have thought Google might more particularly have offered US$3,141,592.65 but it seems that it didn't.)

You win a maximum of $150,000 at a time for each compromise, so to scoop the entire almost-pi-million dollars you'd need to come up with more than twenty different exploitable holes.

Last year's winner, Pinky Pie, had to perform a seven-step pwnership pirouette, using six independent vulnerabilities, to penetrate Google Chrome just once.

So no individual is likely to walk off with $1 million, let alone 3.14 times that amount.

And getting your hands on even one of the $150,000 prizes this year just got a whole lot harder.

In fact, there may be several browser hackers who are feeling rather disappointed right now, with Google closing the door on a number of high-severity bugs just two days before the competition.

If you were holding a prize card that was one of the holes just fixed by Google, bad luck: you lost this round of the arms race!

Intriguingly, the $150,000 prizes are for compromises "with persistence", meaning they survive between browser sessions, and even between reboots.

For a compromise that lasts only as long as the current browser session, your prize is limited to $110,000.

That's actually an interesting guide to the relative danger of Advanced Persistent Threats (APTs) versus regular threats.

We hear a lot of hype about APTs, but in Google's competitive playbook, they're only worth about 40% more than BLTs, or Boring Limited-lifetime Threats.

Makes you think, doesn't it?

, , , , , , ,

You might like

2 Responses to Last-minute pre-Pwnium Chrome update closes numerous holes...

  1. Nigel · 603 days ago

    "... in Google's competitive playbook, they're only worth about 40% more than BLTs, or Boring Limited-lifetime Threats.

    Makes you think, doesn't it? "

    Indeed it does. It makes me think that one can no longer confidently assume that "BLT" refers to a bacon, lettuce, and tomato sandwich.

  2. Dow · 602 days ago

    "Indeed it does. It makes me think that one can no longer confidently assume that "BLT" refers to a bacon, lettuce, and tomato sandwich. "

    Brilliant!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog