Google and Mozilla have been preparing for the Pwn2Own contest by patching their browsers, in anticipation of the event where hackers congregate to find and exploit vulnerabilities, especially in browsers. In past editions, hackers held on to vulnerabilities they had already found but not disclosed until the contest, then exploited them there to save time. It's little wonder that the Internet majors have patched up their browsers, as Google had paid $1,000 for their troubles last year. Google had also announced a $20,000 reward last month to anyone who can compromise its Chrome browser, which was not exploited in the last contest.
Google was the first to release a patch, fixing 19 flaws in the Chrome browser, of which three bugs were classified as "medium" while the rest were marked as "high" risk vulnerabilities. This was followed by Mozilla publishing fixes for 10 security flaws in Firefox, eight of them rated "critical," with the remaining two rated "High" and "Moderate". One of those was particularly dangerous: an attacker could craft a JPEG image that writes malicious code into the system's memory.
Speaking on the vulnerability, Mozilla warned its users, "Security researcher Jordi Chancel reported that a JPEG image could be constructed that would be decoded incorrectly, causing data to be written past the end of a buffer created to store the image. An attacker could potentially craft such an image that would cause malicious code to be stored in memory and then later executed on a victim's computer."
The Pwn2Own hacker contest has been an annual event since 2007, where hackers are encouraged, and even paid, to compromise software, computing platforms and web browsers. However, it's nothing illegal. The event sponsor pays reward money to the hacker and in turn profits by alerting the vendors to vulnerabilities in their software/OS. The browsers targeted include Firefox, Internet Explorer, Chrome and Safari. Opera hasn't been targeted because of its lack of widespread usage, and the contestants themselves use the browser for the same reason.
Successful hackers are asked to sign a confidentiality agreement regarding the vulnerabilities, and the vendors are free to patch their code with the information on vulnerabilities provided by the sponsor. Think of this as a monetised form of ethical hacking, where everyone profits at the end of the day.