Chrome 25 stable channel released ahead of Pwn2Own

The Chrome update, available for Windows, Linux and Mac, brings a variety of improvements (such as improvements to managing and securing extensions, better support for HTML5 time/date inputs, and better WebGL error handling) as well as the security fixes. The bug and vulnerability fixes include five that earned a total of $3500 from Google’s bug reward scheme.

Notably, however, the MathML extension has been withdrawn. “We’ve also resolved a high severity security issue by disabling MathML in this release,” announced Google. “The WebKit MathML implementation isn’t quite ready for prime time yet but we are excited to enable it again in a future release once the security issues have been addressed.” And perhaps after CanSecWest.

Wolfgang Kandek, CTO at Qualys, blames CanSecWest for the flurry of browser updates this month. “I believe,” he commented in the Laws of Vulnerabilities blog, “all of them are shoring up defenses for the upcoming CanSecWest conference on March 6-8 in Vancouver.” CanSecWest hosts the annual Pwn2Own competition, “in which,” he adds, “some of the world's leading vulnerability and exploitation specialists compete for the fastest and most elegant way to break through browser defenses.” Prizes on offer are up to US$ 100,000 for browsers and US$ 75,000 for plug-ins (included for the first time in this competition).

Google is returning to Pwn2Own this year after withdrawing last year following a dispute over disclosure rules. It set up its own Pwnium competition specifically for Chrome. Now, however, it is back to sponsoring Pwn2Own, while simultaneously hosting Pwnium at CanSecWest. This time Pwnium will specifically focus on attempts to subvert the Samsung 550 Chromebook running Wi-Fi. Pwnium prizes include US$ 110,000 for a browser or system level compromise, and US$ 150,000 if the compromise survives a reboot. In total, Google is offering up to the magical number of US$ 3.14159m in prize money.

