Windows flaw found; bug hunters paid bounty by Google

Google is known for paying researchers who find flaws in its software, including its Chrome web browser. This week, alongside the release of the latest stable version of Chrome, the company also announced that it had paid a substantial sum to a number of people who found issues with the browser.

The official Chrome blog posted word of these new bug bounties this week. One reward, however, went to two software developers who found a flaw in Windows, not in Chrome. The blog even makes mention of this, saying:

Occasionally, we issue special rewards for bugs outside of Chrome, particularly where the bug is very severe and/or we are able to partially work around the issue.

The company is sending $5,000 to Eetu Luodemaa and Joni Vahamaki of Documill, who alerted Google to a "critical" kernel memory corruption issue in Windows. A bug of that kind matters to a browser vendor because Chrome's sandbox on Windows relies on the kernel to enforce its restrictions, so a kernel flaw reachable from a sandboxed process can be used to escape the sandbox. Overall, Google paid out $29,500 in its latest bug hunt. That included a total of $15,000 to well-known bug finder Sergey Glazunov: $10,000 for a cross-site scripting vulnerability in Chrome, and another $5,000 for a second Chrome bug.

Source: Chrome blog

37 Comments


Hence why I said to pass it off to someone who does do that sort of work for a living. It used to be that devs would have beta testers to test a program before release to make sure it worked as intended; nowadays it seems to be us Joe Public who are the testers, and tough cookies if you get ripped off whilst using our software, but if you send in a bug report we'll be sure to fix it for ya.

Edited by Athlonite, Sep 27 2012, 12:10pm :

Athlonite said,
Hence why I said to pass it off to someone who does do that sort of work for a living. It used to be that devs would have beta testers to test a program before release to make sure it worked as intended; nowadays it seems to be us Joe Public who are the testers, and tough cookies if you get ripped off whilst using our software, but if you send in a bug report we'll be sure to fix it for ya.

You said "someone who does vulnerability testing". That is a small part of testing. All software goes through rigorous testing, it is not down to Joe Public. If it was, you'd soon know about it! I work in QA for a living and software that crashes critical services, refuses to load, intermittently hangs, runs at 100% CPU load or memory load comes as standard. Regardless of your thoughts on how hard done by Joe Public is, you can rest assured that the real nasty bugs are taken out months (or years) before you get to see it.

It has never been that devs had beta testers before release. Beta testing comes right before release, the majority of testing is always done in-house. You've only got to look at any major software company like Microsoft or Apple to see this in action.

And if devs took to proper programming and bug checking their stuff before releasing it into the wild, maybe none of this crap would happen.

i.e.: dev writes a program, tests it to see if it works fine; if it does, then pass it to someone who does vulnerability testing; if it passes, then release it; if it doesn't, then find the problem and fix it properly, don't just write a bit of jump-to-line code to gloss over the bug.

Athlonite said,
And if devs took to proper programming and bug checking their stuff before releasing it into the wild, maybe none of this crap would happen.

i.e.: dev writes a program, tests it to see if it works fine; if it does, then pass it to someone who does vulnerability testing; if it passes, then release it; if it doesn't, then find the problem and fix it properly, don't just write a bit of jump-to-line code to gloss over the bug.

I take it you don't work in software. If you do, then please don't.

A dev very rarely tests their own code, simply because checking your own work doesn't reveal all its faults. You need to do a lot more than vulnerability testing. Just because your piece of code isn't vulnerable in the way you designed it to be used, doesn't mean some other part of the software uses it in a way other than what you designed it for and exposes a flaw. Then there is the plethora of possible regression issues. This is why bug fixes aren't released overnight - it takes time to make sure your fix doesn't break anything else on the way.

This is exactly why I would never use Chrome. It's even more flawed/buggier than IE, Java, Flash, etc.

How the heck do you think it's made it up to version 22, or whatever it is, when it's probably the newest browser out there, of the major browsers, that is? I'll tell you so you know: bugs, security flaws and just general crappy testing of it!

I'll take IE over Chrome every day of the week!!

For those who wonder why Google is concerned about this Windows Kernel escalation flaw, here is a little explanation.

Chrome has had a LOT of security flaws (mostly in WebKit), and yet people think of it as a secure browser because there have been only a few 0day exploits over the last 2 years.

http://cdn2.sbnation.com/impor...browser-vulnerabilities.png

The only thing that makes Chrome secure is its sandbox. Without it, there would be a lot of 0day exploits in the wild. And what is making this sandbox secure? The OS Chrome is running on.
Chrome's sandbox on Windows is basically just a set of processes protected by several Windows NT security features:
- Low integrity mode (introduced in Vista/IE7).
- Job restrictions (prevents things such as launching another process).
- Token restrictions.
http://dev.chromium.org/developers/design-documents/sandbox

So, if there is a flaw in the Windows kernel, it could be used to escape Chrome's sandbox (or IE's sandbox too). That's why Windows kernel flaws matter to Google.

To sum up, Google Chrome is no more secure than the platform it runs on.
If there is a publicly known 0day flaw in Windows AND if Microsoft is slow to fix it, then we could see some 0day flaws in Chrome being exploited in the wild (because according to many hackers, 0day flaws in webkit are easy to find).

I predict that in 2014, when Windows XP will no longer receive security updates, we'll see many more 0day flaws in Chrome for XP, because some users will still use XP for many years, and while they may think using a supported version of Chrome will protect them, they will become an easier target once some XP kernel flaws are well known.
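Added example, written for this page rather than taken from the commenter or from the Chromium sandbox documentation: a PowerShell script that checks, on a running Chrome, the three Windows mechanisms the comment above lists. For each chrome.exe process it reports the token integrity level (Low for a sandboxed renderer of that era), whether the process lives inside a job object, and whether its primary token has been filtered (the TokenHasRestrictions query, which is what CreateRestrictedToken leaves behind). It uses only documented Win32 calls through P/Invoke; the process name "chrome", the constant values and the RID-to-name table are assumptions stated in the comments, and the script must run as the same user that launched the browser.

```powershell
# Added example (not Chromium's code): probe the sandbox primitives each
# chrome.exe process actually has. Run from an ordinary medium-integrity
# shell as the user that started Chrome; only query access is needed.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class SandboxProbe {
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint desiredAccess, bool inheritHandle, int processId);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool IsProcessInJob(IntPtr process, IntPtr job, out bool result);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr handle);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr process, uint desiredAccess, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool GetTokenInformation(IntPtr token, int infoClass, IntPtr info, int infoLength, out int returnLength);
    [DllImport("advapi32.dll")]
    public static extern IntPtr GetSidSubAuthorityCount(IntPtr sid);
    [DllImport("advapi32.dll")]
    public static extern IntPtr GetSidSubAuthority(IntPtr sid, uint index);
}
"@

# Win32 constants (assumed from the SDK headers, not read from the page).
$PROCESS_QUERY_INFORMATION = 0x0400   # enough for OpenProcessToken
$TOKEN_QUERY               = 0x0008
$TokenHasRestrictions      = 21       # TOKEN_INFORMATION_CLASS
$TokenIntegrityLevel       = 25       # TOKEN_INFORMATION_CLASS

# The integrity RID is the last sub-authority of the S-1-16-x label SID.
function Get-IntegrityName([uint32]$rid) {
    switch ($rid) {
        0x0000  { 'Untrusted' }
        0x1000  { 'Low' }
        0x2000  { 'Medium' }
        0x3000  { 'High' }
        0x4000  { 'System' }
        default { '0x{0:X}' -f $rid }
    }
}

# Read a DWORD-valued token attribute (TokenHasRestrictions is one).
function Get-TokenDword([IntPtr]$token, [int]$infoClass) {
    $buf = [Runtime.InteropServices.Marshal]::AllocHGlobal(4)
    try {
        $len = 0
        if ([SandboxProbe]::GetTokenInformation($token, $infoClass, $buf, 4, [ref]$len)) {
            return [Runtime.InteropServices.Marshal]::ReadInt32($buf)
        }
        return $null
    } finally { [Runtime.InteropServices.Marshal]::FreeHGlobal($buf) }
}

# Read TOKEN_MANDATORY_LABEL and pull the integrity RID out of its SID.
function Get-TokenIntegrityRid([IntPtr]$token) {
    $len = 0
    # First call sizes the buffer; the second call fills it.
    [void][SandboxProbe]::GetTokenInformation($token, $TokenIntegrityLevel, [IntPtr]::Zero, 0, [ref]$len)
    if ($len -eq 0) { return $null }
    $buf = [Runtime.InteropServices.Marshal]::AllocHGlobal($len)
    try {
        if (-not [SandboxProbe]::GetTokenInformation($token, $TokenIntegrityLevel, $buf, $len, [ref]$len)) { return $null }
        $sid    = [Runtime.InteropServices.Marshal]::ReadIntPtr($buf)   # Label.Sid is the first field
        $count  = [Runtime.InteropServices.Marshal]::ReadByte([SandboxProbe]::GetSidSubAuthorityCount($sid))
        $ridPtr = [SandboxProbe]::GetSidSubAuthority($sid, [uint32]($count - 1))
        return [uint32][Runtime.InteropServices.Marshal]::ReadInt32($ridPtr)
    } finally { [Runtime.InteropServices.Marshal]::FreeHGlobal($buf) }
}

function Get-ChromeSandboxState {
    foreach ($p in Get-Process -Name chrome -ErrorAction SilentlyContinue) {
        $h = [SandboxProbe]::OpenProcess($PROCESS_QUERY_INFORMATION, $false, $p.Id)
        if ($h -eq [IntPtr]::Zero) { Write-Warning "PID $($p.Id): OpenProcess failed"; continue }
        try {
            $inJob = $false
            [void][SandboxProbe]::IsProcessInJob($h, [IntPtr]::Zero, [ref]$inJob)
            $token = [IntPtr]::Zero
            if (-not [SandboxProbe]::OpenProcessToken($h, $TOKEN_QUERY, [ref]$token)) {
                Write-Warning "PID $($p.Id): OpenProcessToken failed"; continue
            }
            try {
                $rid  = Get-TokenIntegrityRid $token
                $name = if ($null -ne $rid) { Get-IntegrityName $rid } else { 'unknown' }
                $restr = Get-TokenDword $token $TokenHasRestrictions
                [pscustomobject]@{
                    PID        = $p.Id
                    Integrity  = $name
                    InJob      = $inJob
                    Restricted = ($null -ne $restr -and $restr -ne 0)
                }
            } finally { [void][SandboxProbe]::CloseHandle($token) }
        } finally { [void][SandboxProbe]::CloseHandle($h) }
    }
}

Get-ChromeSandboxState | Format-Table -AutoSize
```

A broker (the main browser process) should come back Medium, not in a job, not restricted, while renderer and plugin targets should show the lowered integrity, InJob True and Restricted True; any chrome.exe that looks like the broker but is not the browser process is worth a second look. Current Chrome builds go further than the three features in the comment (Untrusted integrity and AppContainer for renderers), and the script simply reports whatever the running browser actually has.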

link8506 said,
For those who wonder why Google is concerned about this Windows Kernel escalation flaw, here is a little explanation.
[...]
To sum up, Google Chrome is no more secure than the platform it runs on.

Additional notes...

Microsoft's IE7 was the first to implement a sandbox on Vista with a managed broker system. The reason this is important is this is what pushed Google to abandon Firefox and create their own browser, due to the tracking protection features in IE7 that Google was not happy about, as it hurt their advertising model.

Additionally, it was the IE team that helped Google build their sandbox for Chrome. Google forgets to thank or mention the IE team when it comes to this aspect. Even the later added plugin broker security is just a variation of the IE7 plugin broker technology that Microsoft helped them, even though they didn't implement plugins initially.

Google has implemented a variation of the Windows security sandbox on other platforms, but no other platform is as comprehensive or robust as Chrome on Windows, because it does come down to the platform and the security of the platform.

Chrome's WebGL is more of a problem than they want to talk about, as it does not have any broker system or sandbox between WebGL and the GPU OpenGL framework. So any locally exploitable OpenGL or shader code bug or flaw can be directed at a system from a hosting web site through Chrome.

(This part has me a bit curious to exactly what kernel memory error Google found, because if it is related to GPU operations and is the result of their bastardized* WebGL implementation, this is going to hurt them.)
*WebGL is not a W3C or HTML5 standard because of its security issues

To further illustrate the dependence Chrome has on its hosting OS/platform...

When Google offers their 'bounty' for Chrome at various competitions, it ONLY applies to Chrome running on the Windows 7 64-bit version. (All the Windows security and 64-bit features of enhanced ASLR etc. are needed.)

So if Chrome was compromised on OS X, Linux, or even Android itself, Google would not pay the competition bounty, as they do not deem the non-Windows platforms 'secure'.

As for the comments saying "Microsoft doesn't respond to bug reports until they're posted publicly" - I agree that historically, Microsoft has been pretty slow on that front. But IMO, that's because they didn't have any real reason to put bug fixes at high priority. With Chrome gaining so much market share, they're starting to take this kind of thing way more seriously (hence the auto-updating of IE10, etc.).
On top of that, Microsoft is investing heavily in research that protects more than just the browser - with the BlueHat Prize (http://www.microsoft.com/security/bluehatprize/) they were able to pay researchers hundreds of thousands of dollars to provide attack mitigation techniques that they then implemented into software that's been released (EMET 3.5 Tech Preview). jm2c

OP - hmm, agreed with @Jason Stillion - they probably reported it as a chrome flaw, and then found out that it was actually something wrong with windows.

Richio said,
Why look for Windows problems? What's there to gain?
-- I have had Kernel issues though!

I'm guessing it looked like a Chrome flaw, and when they dug deeper, Chrome was fine, but it was actually windows having the flaw.

Jason Stillion said,
I'm guessing it looked like a Chrome flaw, and when they dug deeper, Chrome was fine, but it was actually windows having the flaw.

Ideally. Otherwise whoever reported the issue is kind of...weird. You find a Windows bug, you report it to Microsoft.

Who finds Windows bugs and only tells Google about it?

Richio said,
Why look for Windows problems? What's there to gain?
-- I have had Kernel issues though!

read my comment below, I explain why Chrome's security is only as high as Windows kernel's security.

It's interesting how when vulnerabilities are found in Chrome, there is a lot of positive press for Google, but when a vulnerability is found in IE, the press goes overboard and say that businesses should uninstall IE.

I'm not saying Neowin is like this, just the tech news industry in general.

Omen1393 said,
It's interesting how when vulnerabilities are found in Chrome, there is a lot of positive press for Google, but when a vulnerability is found in IE, the press goes overboard and say that businesses should uninstall IE.

Yeah, because they go about fixing it straight away, but IE is bad with its updates.

Omen1393 said,
It's interesting how when vulnerabilities are found in Chrome, there is a lot of positive press for Google, but when a vulnerability is found in IE, the press goes overboard and say that businesses should uninstall IE.

I'm not saying Neowin is like this, just the tech news industry in general.

Yeah, I am still waiting for the German government to say uninstall Chrome, Firefox and Java... heck, Java has exploits like crazy. Oh wait, they are a FOSS gov; they probably love all the free Java software and use Java-based applications in Linux...

Omen1393 said,
It's interesting how when vulnerabilities are found in Chrome, there is a lot of positive press for Google, but when a vulnerability is found in IE, the press goes overboard and say that businesses should uninstall IE.

I'm not saying Neowin is like this, just the tech news industry in general.

The difference is that before they are used in the wild Google doesn't publish anything about the bugs. In fact, they even wait until the majority of users have updated their browser to a version that's safe before saying anything about the bug. This pretty much completely differs from Microsoft, where bugs are usually out in the wild long before they're fixed.

Richio said,

Yeah, because they go about fixing it straight away, but IE is bad with its updates.

You're joking, right? No they don't. They simply announce the exploits when they release a new version, unlike Microsoft, who release preventative measures info so people can prevent it until the patch comes along.

funkydude said,

You're joking right? No they don't. They simply announce the exploits when they release a new version, unlike Microsoft that release preventative measures info so people can prevent it until the patch comes along.

Microsoft has had cases in the past where they get a vulnerability reported to them, then nothing happens, then the person puts the info out on the web, then MS would mention how "irresponsible" that person was.

Yeah, I never understood that. Every piece of software has bugs and exploits yet MS get hammered for it. People act like these things don't happen with Chrome for example.

Over the past decade MS have made astounding improvements in security.

What makes Chrome or similar internet-heavy software more secure than IE?

Richio said,

Yeah, because they go about fixing it straight away, but IE is bad with its updates.

Facts contradict this. Of course, if you look at the long history of Microsoft then they have been slow. The lack of competition made them lazy. However, since Chrome they've been on top of the game. Only recently a huge security issue was found and they patched it within a few days. Windows is huge, and it and its key applications are constantly getting updates.

But people love to hate Microsoft. They deserved a lot of the hate but they've done a 180 and are actually ahead of the competition in many respects. The industry isn't ready to accept that. Just look at the sh*tbarrage Windows Phone has to endure.

WooHoo!!! said,
Yeah, I never understood that. Every piece of software has bugs and exploits yet MS get hammered for it. People act like these things don't happen with Chrome for example.

The difference is that Google has been very proactive when it comes to security, paying large sums for information and addressing issues promptly. There were many vulnerabilities in IE that were present for years and other times where Microsoft was contacted and did nothing for months, until the exploits were made public to pressure Microsoft into action.

All software has security flaws but Google handles them in a much more efficient and proactive manner. It's the same with web standards. Microsoft has been very slow at developing IE in comparison to Chrome, Firefox or Opera.

Omen1393 said,
It's interesting how when vulnerabilities are found in Chrome, there is a lot of positive press for Google, but when a vulnerability is found in IE, the press goes overboard and say that businesses should uninstall IE.

I'm not saying Neowin is like this, just the tech news industry in general.

Same reason if there is a problem found in Windows it's shrugged off, but if the same was found in Mac OS X. It is like ERMERGERD let's bash Apple to hell and back.

Gotta love this site for stuff like that.

KomaWeiß said,

Same reason if there is a problem found in Windows it's shrugged off, but if the same was found in Mac OS X. It is like ERMERGERD let's bash Apple to hell and back.

Gotta love this site for stuff like that.


Well, Microsoft didn't put out advertisement after advertisement mocking & bashing the Windows OS, and (in one specific commercial) trying to instill in all non-techy viewers the feeling that OSX will never get a virus while Windows gets a new one every second. Remember http://www.youtube.com/watch?v=GQb_Q8WRL_g ? IMO, they asked for it.

Omen1393 said,
It's interesting how when vulnerabilities are found in Chrome, there is a lot of positive press for Google, but when a vulnerability is found in IE, the press goes overboard and say that businesses should uninstall IE.

I'm not saying Neowin is like this, just the tech news industry in general.

pathetic too

Ambroos said,

The difference is that before they are used in the wild Google doesn't publish anything about the bugs.

Security through obscurity doesn't compute!

Richio said,

Yeah, because they go about fixing it straight away, but IE is bad with its updates.

You're wrong; every browser vendor takes weeks to months to fix security flaws after they have been privately reported.

One example:
http://www.cve.mitre.org/cgi-b...name.cgi?name=CVE-2011-3098

Flaw reported to Google in August 2011, fixed in May 2012.
That is not exactly fast.

Another one:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1823
Critical flaw, reported in May 2010, fixed in September 2010.

Just look at the CVEs, there are tons of other examples of slow patching of security flaws in Chrome/Firefox/IE/or whatever.

MFH said,

Security through obscurity doesn't compute!

+100, all not releasing the exploit does is prevent users from knowing about it, and thus taking extra precautions to prevent it from being exploited on their machines (read: trying another browser until Google fixes the bug)

Matthew_Thepc said,

Well, Microsoft didn't put out advertisement after advertisement mocking & bashing the Windows OS, and (in one specific commercial) trying to instill in all non-techy viewers the feeling that OSX will never get a virus while Windows gets a new one every second. Remember http://www.youtube.com/watch?v=GQb_Q8WRL_g ? IMO, they asked for it.

Wasn't it IE who was bashing every browser I think 6 months or a year ago?

KomaWeiß said,

Wasn't it IE who was bashing every browser I think 6 months or a year ago?

I wouldn't doubt it, but could you provide a link/source?

KomaWeiß said,

I call BS biased crap. Probably some marketing team bought by Microsoft. IE was never and will never be a safe browser until they remove ActiveXploit.

And JAVA and Flash and and and, oh wait where has half the internet gone?

/facepalm

KomaWeiß said,

I call BS biased crap. Probably some marketing team bought by Microsoft.

Yeah right! It's the marketing department at Microsoft who asked Secunia and every other vulnerability tracking site to fake the number of flaws in Chrome, and neither Google nor any security expert has noticed this fraud (except you, of course!)

And I guess Microsoft faked these numbers in this Google-sponsored study too!
http://www.theregister.co.uk/2...e_firefox_security_bakeoff/
(you have to download the zip file of this study to find the PDF talking about the vulnerability count).

Next time, don't comment if you have no idea what you're talking about.

IE was never and will never be a safe browser until they remove ActiveXploit.

You know ActiveX controls are exactly the same thing as NPAPI plugins, don't you?

Obviously not. Otherwise you wouldn't have posted such a stupid comment.
It's crazy, we're in 2012, and people still don't understand what ActiveX controls and NPAPI plugins are!

NPAPI plugins are the equivalent of ActiveX controls for Chrome/Firefox/Opera/Safari/...
Both ActiveX and NPAPI plugins contain native code, are potentially dangerous if installed from an unknown source, and they are necessary to support plugins like Flash player, QuickTime, ...

BTW, IE10/Metro on Windows doesn't support ActiveX. Now you have no reason not to use IE ^^

And maybe you should stop using Chrome/Firefox as long as they support NPAPI plugins, because NPAPI plugins are like ActiveX controls...

Edited by link8506, Sep 27 2012, 5:45am :