Meanwhile...
They have managed to update their iOS version to prevent hackers using it as an attack vector by simply stopping it working altogether! Clever Google!
Google patched 10 security vulnerabilities in its web browser Chrome on Monday - two days before the start of Pwn2Own, the annual hacking contest in which experts race to compromise software to win prizes. The latest update fixes flaws in Chrome's Windows and Linux builds. Six of the 10 holes addressed are rated as "high" risk …
You know that Chrome on iOS isn't actually Chrome, right?
Google have to use the OS version of WebKit, and it's not allowed to use Apple's Nitro JS, nor can it use Google's own V8 JS engine.
It's a VERY basic browser on top of an intentionally gimped Safari to ensure that Apple always has the best iOS browser.
Providing you talk about comparable software, not a full GNU/Linux distro with tens of thousands of packages vs. a bare MS Windows with just a few of them. It also makes sense if one doesn't mix the severities.
Not every vulnerability is exploitable so that you can get money for it at Pwn2Own. Some are marked as "potentially" exploitable, some are DoS, some require additional factors, like physical presence, a user's account, etc.
You can't even use the old Open Source gem here and claim it's somehow mysteriously more secure because everyone can see the source code....
Okay, your irony is inappropriate, unless you or someone else gets money from Google. BTW, how do MS sponsor this curiosity?
I'll be honest, I didn't bother to check whether the fixed exploits were already publicly known, but if they weren't then I feel sorry for anyone who independently found those exploits and was planning to use them at the contest. They've just wasted a whole lot of time.
It works both ways however. The fact that the entrants spotted these vulnerabilities and planned to exploit them for monetary gain doesn't exactly cast them in the best light either.
They could have disclosed those bugs privately to the companies concerned before the competition and made nothing (or less, in Mozilla's/Google's case), but instead they chose to withhold said exploit for the chance to win.
If legal monetary gain wasn't on offer, people wouldn't be trying to find bugs and claim prizes - prizes offered by the software publishers. All that you could do is legitimately disclose a bug to the publisher for a more modest reward or none at all and an obligation to keep the secret until fixed, or else criminally sell the bug to Russian and Chinese hackers. Or, for maximum money, do both.
I mean, -I- don't go looking for dangerous bugs in the web browser or virtual machine that I'm using. I might, if the rewards were better.
Well, if I was trying to sell details of a web client vulnerability to hackers, Russian and Chinese customers are who I'd think of contacting initially (wealthy Nigerian princes - less so), but if I was in that business, I'd probably have a better idea of who's paying big money. And supposedly the Chinese government in particular is investing generously in the field, but, as it happens, I don't have anything to offer to them. Which is probably just as well for me.
>Tellingly, Java exploits also earn less than a third of the $70,000 prize for exploiting either Adobe Reader or Flash plugins
Wow, to any Oracle employees reading this: your company now rates below even Adobe in security. Welcome to the bottom. Guess Larry is too busy sailing his mega yachts and jacking up licensing fees to worry about inconvenient things like security.
Wow, never thought I would be defending Microsoft (check my post history lol), but even I have to admit that, due to things like Slammer, Microsoft have come a long way regarding security best practices etc. Oracle, on the other hand, hasn't gotten the memo most of the rest of the industry has. Oracle, unlike most other companies, does seem to be able to get away with ignoring their customers except to increase fees yearly.
One nice thing about including at least some cash for Java is it will draw more security guys, as everyone and their brother seems to have a zero-day for Java these days. The only bad thing is they will only pay it once. If they had to pay 20k for every unpatched exploit in Java right now, that half a million in prize money would disappear fast.