Google patches WebKit flaw post Pwn2Own

Google patches a WebKit vulnerability, exploited by a team of Pwn2Own winners.

Google Chrome

Google has patched a vulnerability exploited by researchers at last week's Pwn2Own hacking contest.

Even though Google Chrome was not hacked during the competition, the bug resided in WebKit - the rendering engine used by the browser.

WebKit is also featured in Apple's Safari and the browser found on BlackBerry phones.

A team of researchers, including Willem Pinckaers, Vincenzo Iozzo and Ralf-Philipp Weinmann, hacked a BlackBerry Torch 9800 by exploiting the vulnerability.

Advertisement - Article continues below
Advertisement - Article continues below

On top of the $15,000 (9,345) they received for the BlackBerry hack, the researchers were handed $1,337 from Google.

The update, in Google Chrome 10.0.648.133, only fixed the WebKit security issue.

The memory corruption bug was given a high priority ranking, but Google was not forthcoming on any additional details.

"Note that the referenced bugs may be kept private until a majority of our users are up to date with the fix," said Jason Kersey, from the Google Chrome team.

Google has handed out over $100,000 as part of its Chromium Security Rewards programme.

Politically motivated attacks

Advertisement - Article continues below

Meanwhile, Google warned a vulnerability affecting Internet Explorer (IE) users had been exploited in politically motivated attacks.

Google said its users had been targeted, but gave no further details on who the affected parties were. The tech giant said visitors to "another popular social site" had been targeted as well.

The bug in MIME HTML (MHTML) a protocol used by applications to render certain kinds of documents and bring together different content onto one HTML file - was publicly disclosed back in January.

When Microsoft offered a workaround for the zero-day vulnerability, no exploits had been seen in the wild.

Advertisement - Article continues below

"The abuse of this vulnerability is also interesting because it represents a new quality in the exploitation of web-level vulnerabilities," the Google Security Team said in a blog.

"To date, similar attacks focused on directly compromising users' systems, as opposed to leveraging vulnerabilities to interact with web services."

Featured Resources

What you need to know about migrating to SAP S/4HANA

Factors to assess how and when to begin migration

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

Testing for compliance just became easier

How you can use technology to ensure compliance in your organisation

Download now

Best practices for implementing security awareness training

How to develop a security awareness programme that will actually change behaviour

Download now



Google looks to replace third-party cookies in two years

15 Jan 2020
cloud computing

Google adds partners to real-time translation tools

8 Jan 2020

Best smartphone 2019: Apple, Samsung and OnePlus duke it out

24 Dec 2019

The IT Pro Products of the Year 2019: All the year’s best hardware

24 Dec 2019

Most Popular

data governance

Brexit security talks under threat after UK accused of illegally copying Schengen data

10 Jan 2020
Microsoft Windows

What to do if you're still running Windows 7

14 Jan 2020
Microsoft Windows

Memes and Viking funerals: The internet reacts to the death of Windows 7

14 Jan 2020

Openreach offers free full-fibre installation for thousands of homes

14 Jan 2020