Last-minute pre-Pwnium Chrome update closes numerous holes…


Google has something of a reputation for doing things differently.

Contests, for instance.

Last year, in 2012, Google fell out with the organisers of the PWN2OWN competition at the CanSecWest conference.

That’s the competition where you try, live in public and unashamedly for money, to exploit one of the mainstream browsers.

Google didn’t like the terms and conditions in 2012 because they allowed winners to be paid out prize money even if they kept the vulnerabilities to themselves after the competition.

Google felt that the prize money should be contingent on responsible disclosure, where any prizewinning vulnerabilities would be given to the makers of the pwned browsers, together with a reasonable time to fix them.

So Google ran a competing competition at the same event and called it Pwnium, after the names of the two main flavours of its own browser, Chrome and Chromium.

Fast forward to just about now, when CanSecWest 2013 kicks off, and Google has patched up its differences (no pun intended) with PWN2OWN and has put up some of the prize fund there.

But that hasn’t stopped Google running its own contest in parallel, Pwnium Three, which has a prize fund of π million dollars.

(Actually, it’s US$3.14159 million. You’d have thought Google might have offered the more precise US$3,141,592.65, but it seems that it didn’t.)

You win a maximum of $150,000 at a time for each compromise, so to scoop the entire almost-pi-million dollars you’d need to come up with more than twenty different exploitable holes.

Last year’s winner, Pinkie Pie, had to perform a seven-step pwnership pirouette, using six independent vulnerabilities, to penetrate Google Chrome just once.

So no individual is likely to walk off with $1 million, let alone 3.14 times that amount.

And getting your hands on even one of the $150,000 prizes this year just got a whole lot harder.

In fact, there may be several browser hackers who are feeling rather disappointed right now, with Google closing the door on a number of high-severity bugs just two days before the competition.

If you were holding a prize card that was one of the holes just fixed by Google, bad luck: you lost this round of the arms race!

Intriguingly, the $150,000 prizes are for compromises “with persistence”, meaning they survive between browser sessions, and even between reboots.

For a compromise that lasts only as long as the current browser session, your prize is limited to $110,000.

That’s actually an interesting guide to the relative danger of Advanced Persistent Threats (APTs) versus regular threats.

We hear a lot of hype about APTs, but in Google’s competitive playbook, they’re only worth about 40% more than BLTs, or Boring Limited-lifetime Threats.

Makes you think, doesn’t it?