Google patches critical Chrome flaw 24 hours after first exploit

Mar 9, 2012

Google's Chrome web browser has been one of the few browsers to make it through the annual Pwn2Own contest without being cracked. That streak ended this year after Google offered up a total prize package of $1 million to be given out to developers who could exploit vulnerabilities in Chrome. A Russian student exploited a vulnerability in Chrome and won $60,000 courtesy of Google.

Once the vulnerability was exposed and Google understood how it was executed, developers at Google went to work fixing the security vulnerability. It took Google developers less than 24 hours to patch the vulnerability and send it out as an automatic update. That means Chrome users were protected about as quickly as possible. It often takes Microsoft months to patch similar security vulnerabilities in Internet Explorer.

Google is withholding technical details of the exploit until the majority of users have installed the fix and are protected. Google describes the vulnerability as a "UXSS and bad history navigation" issue and has dubbed it CVE-2011-3046. We are not expecting to get the full details on the exploit, since Chrome is based on the WebKit browser engine that also powers Apple's Safari and other browsers. That means a vulnerability in Chrome could potentially be exploited in those other browsers too.

[via Ars Technica]

