Google patches 10 Chrome vulnerabilities, just in time for Pwnium

The patch is for Chrome 25.0.1364.152 for Windows and Linux. Three of the bugs were use-after-free vulnerabilities: in browser navigation handling, in the frame loader and in SVG animations, Threatpost reported. The patch also addressed memory corruption issues in Web Audio and in Indexed DB, and a possible path traversal in database handling.

The hackathons are running in Vancouver during the CanSecWest Conference. It will be the third iteration of Google's own Pwnium hacking competition, which will have a new focus this year on the Chrome OS. In all, the browsing behemoth plans to award up to $3.14 million in winnings to those who can produce full exploits.

The attack must be demonstrated against a base (Wi-Fi) model of the Samsung Series 5 550 Chromebook, running the latest stable version of Chrome OS. Any installed software may be used to attempt the attack. Google is also accepting exploits found via a virtual machine.

Google is offering $110,000 for a browser or system level compromise in guest mode or as a logged-in user, delivered via a web page, and $150,000 for a compromise with device persistence (guest to guest with interim reboot), delivered via a web page. Previously it was awarding $60,000 per exploit, up to $2 million.

The Pwn2Own contest, meanwhile, is run by HP’s DVLabs Zero Day Initiative (ZDI), and has a focus on finding, demonstrating and “responsibly disclosing” vulnerabilities in all the popular web browsers, along with a focus on browser plug-ins.

“Over the last several years, we have seen browser plug-in vulnerabilities become increasingly popular in exploit kits and malware,” said ZDI, in announcing the contest. “These vulnerabilities affect a large percentage of the Internet community and are quickly weaponized by attackers.”

The targets will be running on the latest, fully patched version of Windows 7 and 8, and OS X Mountain Lion. All targets will be installed in their default configurations. The first contestant to successfully compromise a selected target will win the prize for the category. In all, ZDI is offering more than half a million dollars in cash and prizes during the competition for vulnerabilities and exploitation techniques across various categories. Top prizes will go to the hacker who can compromise either Google Chrome on Windows 7 ($100,000) or Microsoft Internet Explorer 10 on Windows 8 ($100,000).
 
