While some companies take months to fix security vulnerabilities, Google just announced that it has fixed a leak in less than ten hours. The new security vulnerability was found as part of the Pwnium 2 competition at Hack in the Box 2012 in Kuala Lumpur, Malaysia on Tuesday. Further details at the Chromium Blog.
We’re happy to confirm that we received a valid exploit from returning pwner, Pinkie Pie. This pwn relies on a WebKit Scalable Vector Graphics (SVG) compromise to exploit the renderer process and a second bug in the IPC layer to escape the Chrome sandbox. Since this exploit depends entirely on bugs within Chrome to achieve code execution, it qualifies for our highest award level as a “full Chrome exploit,” a $60,000 prize and free Chromebook.
One of Chrome’s most effective security defenses is our fast response time and ability to update users with critical patches, quickly. These bugs were no exception. We started analyzing the exploit as soon as it was submitted, and in fewer than 10 hours after Pwnium 2 concluded we were updating users with a freshly patched version of Chrome.