Google Fixes Four High-Risk Flaws in Chrome Before Pwn2Own

2014-03-12T15:09:51
ID THREATPOST:62DDA8B1D92DD5CF10E1F4C2F59520BA
Type threatpost
Reporter Dennis Fisher
Modified 2014-03-12T19:09:51

Description

Google has fixed several serious security vulnerabilities in Chrome 33, just ahead of the Pwn2Own hacking competition at CanSecWest this week, which surely will reveal several more new bugs in the browser.

The company’s Chrome browser is always at the top of the target list for contestants in Pwn2Own, which rewards them with cash prizes for demonstrating exploits against previously unknown vulnerabilities in the major browsers. A team from VUPEN, along with individual researchers, are lined up to go after Chrome, Internet Explorer, Safari and Adobe Reader and Flash. Google also runs its own Pwnium contest in parallel with Pwn2Own and offers large rewards for new attacks against Chrome.

Pwn2Own is set to begin Wednesday and run through Thursday at the conference, and on Tuesday Google patched four high-risk flaws in Chrome.

[$4000][344881] High CVE-2014-1700: Use-after-free in speech. Credit to Chamal de Silva.

[$3000][342618] High CVE-2014-1701: UXSS in events. Credit to aidanhs.

[$1000][333058] High CVE-2014-1702: Use-after-free in web database. Credit to Collin Payne.

[338354] High CVE-2014-1703: Potential sandbox escape due to a use-after-free in web sockets.

Google likely will be releasing more patches for Chrome later this week as researchers demonstrate their new exploits.