Chrome OS emerges from Pwnium 3 unscathed, Chrome, IE and Firefox fall at Pwn2Own

Google has a well-earned reputation for paying big bucks to those who can demonstrate vulnerabilities in its products. At the Pwnium 2 event last year, a hacker known as “Pinky Pie” earned $60,000 for exploiting two core vulnerabilities in the Chrome browser.

After cutting a check, Google sent the information on to its own code jockeys and a patch was deployed across all platforms in less than 10 hours.

At Pwnium 3, Google had a pool of $3.14159 million (see what they did there?) up for grabs for hackers to expose whatever security holes they could find. One of the targets was a Samsung Series 5 550 Chromebook. Entrants could not exploit any vulnerabilities in Chrome OS.

Certainly that is a testament to Google’s work, although it does not mean there is nothing left to find. Still, that is a pretty impressive outcome. Google’s Chrome browser (along with the other browsers) did not fare so well, however.

At the Pwn2Own event, put on by HP TippingPoint’s Zero Day Initiative, the Chrome browser fell hard. A hacker known as Nils, who was working with a group called MWR Labs, did a full Chrome exploit and picked up a $100,000 reward for his efforts. The exploits were found after bypassing a series of memory protection mechanisms.

Microsoft’s Internet Explorer and Firefox were also hacked. VUPEN, a security firm, also used a memory-related vulnerability and earned $60,000 for its trouble with Firefox. The group then picked up an additional $100,000 for taking down Internet Explorer. VUPEN also demonstrated a Java overflow exploit and took home an extra $20,000.

The money is more than a reward; it is also a purchase. HP and Google basically agree to buy these vulnerabilities so they can create needed patches and improve the products. Apple’s Safari browser was up for grabs too. HP had $75,000 waiting, but no one pre-registered for the event to take it on.

Sources: Engadget, eSecurity Planet, and ZDNet

