
10 hours later, Google Patches Chrome to Plug Pwnium 2 Security Hole - Quekster
http://thenextweb.com/google/2012/10/10/in-less-than-24-hours-google-patches-chrome-to-plug-security-hole-found-at-its-pwnium-2-event/
======
ChuckMcM
Say what you want but I really appreciate the fast turnaround from Google on
this. It's excellent that they do this sort of thing, and that they have the
mechanism to push the patches quickly.

------
semenko
Direct link to the Chromium blog post:
[http://blog.chromium.org/2012/10/pwnium-2-results-and-wrap-up_10.html](http://blog.chromium.org/2012/10/pwnium-2-results-and-wrap-up_10.html)

The commit that closes the exploit:
[http://src.chromium.org/viewvc/chrome?view=rev&revision=...](http://src.chromium.org/viewvc/chrome?view=rev&revision=161037)

~~~
afhof
Looking at the diff, it doesn't appear anything was really fixed, just
removed. I guess that explains the quick turnaround time on the exploit.

------
tomrod
I tell you, this is one of the biggest selling points to me about products
with rapid deployment such as Ubuntu utilities, Firefox, Chrome, and the like.
Fixing any bug and pushing an update in hours upon discovery is just awesome.
We live in great times.

------
TwoBit
Chrome and Firefox patches take hours to be released. IE patches take weeks to
be released. Can somebody explain why?

~~~
mkarttic
No, and everyone knows why. Please stop flaming IE, it's gotten old.

~~~
avbor
Honestly, I don't know why. Is it for stability reasons?

~~~
rrreese
The thing to understand is that Microsoft's main customers are larger businesses
and governments, who have large installations. These organisations tend to be
very conservative. They don't like to just deploy software/updates; rather,
they usually put them on test systems and check that the updates don't affect
other software.

IE is also a lot more integrated into Windows than the other browsers. So
Chrome largely just needs to test that their browser works; Microsoft needs to
test that the browser works on each version of Windows (Vista/7/8), but
also all editions (Pro, Home Basic, Home Premium etc.), and also for all
supported languages (Dutch Windows Pro, Dutch Home Basic etc.). In addition
they need to test that an IE update doesn't break other software like
installers, Office, and popular non-Microsoft software that makes use of IE.

Given that their customers will probably take their time updating, it makes
sense for Microsoft to very carefully test any updates, as a hot patch released
10 hours after a bug is found probably won't be widely deployed any faster
than one released 10 days later. And 10 hours probably isn't long enough to
test all the software that relies on IE in some manner.

~~~
avbor
Thanks for the explanation!

------
misterS
Now there's a bright mind with (possibly) a more-than-good job offer.

~~~
dguido
What makes you think he doesn't already have a job? He's going by a handle
because participation in the contest would get him fired from his job.

~~~
WalterGR
Yup. To add a citation:

"The tall teen, who asked to be identified only by his handle 'Pinkie Pie'
because his employer did not authorize his activity, spent just a week and a
half to find the vulnerabilities and craft the exploit, achieving stability
only in the last hours of the contest."

[http://www.wired.com/threatlevel/2012/03/zero-days-for-chrome/](http://www.wired.com/threatlevel/2012/03/zero-days-for-chrome/)

~~~
s_henry_paulson
Translation:

He spends all of his time at work doing stuff like this and doesn't want his
employer to find out that he's not actually doing the job he's supposed to.

------
eranation
Can someone please explain the exploit and how it was fixed?

~~~
bvdbijl
It seems there was a bug in some profiling code (that was left behind?). This
code made it possible to write arbitrary files on the system, which they fixed
by removing the profiling code. This is the commit that fixes that:
[http://src.chromium.org/viewvc/chrome?view=rev&revision=...](http://src.chromium.org/viewvc/chrome?view=rev&revision=161037)

The SVG exploit was in WebKit; I don't know the exact problem with that.

------
bookworm_
If I'm going to use WebKit, I'd rather use something simple, like Midori.
Standard issue on the Raspberry Pi.

Chrome complexity? Browser controlled by commercial entity that sells web ad
space? No thanks.

~~~
evmar
Midori, because it uses WebKit, was surely vulnerable to the same SVG
vulnerability and has no sandbox.

~~~
yeahriight
Can you disable auto-loading of images in Chrome? If yes, how easy is that to
do? It's very easy in Midori.

I will always choose simplicity over complexity if I'm concerned about
security. Chrome is very complex.

~~~
wladimir
You'll have to verify that disabling auto-loading of images will disable SVG
parsing / rendering. SVG is embedded into the DOM tree, and not loaded in an
img tag.

