Wednesday, March 9, 2011

Google patches 19 Chrome bugs week before Pwn2Own hacking contest

Pays out $14K in bounties to 9 researchers
Google on Monday patched 19 vulnerabilities in Chrome, paying nine researchers $14,000 in bug bounties for reporting the flaws.
As it did last year, Google beefed up the security of its browser a week before the kickoff of Pwn2Own, the annual hacking contest held at the CanSecWest security conference in Vancouver, British Columbia.
The update to Chrome 9.0.597.107 fixed 16 flaws rated "high," the second-most-severe ranking in Google's threat system, and quashed three "medium" bugs.
None of the vulnerabilities were ranked "critical," the category essentially reserved for bugs that may let an attacker escape Chrome's anti-exploit "sandbox." Google patched two sandbox-escape bugs -- both pegged critical -- in Chrome this year.
The bugs patched Monday were in several components, including WebGL, the hardware accelerated 3D graphics API that debuted in early February with Chrome 9; SVG (scalable vector graphics) rendering and animation; and the browser's address bar.
Nearly a quarter of the vulnerabilities were identified as "stale pointer" bugs, a term used to describe flaws in an application's -- in this case, Chrome's -- memory allocation code.
As is its practice, Google locked its bug tracking database to bar outsiders from viewing the technical details of the just-patched vulnerabilities. The company blocks public access to flaws for weeks or even months to give users time to update.
Google paid out $14,000, the second-highest total this year, for the 15 vulnerabilities found and reported by outside security researchers. Nine different researchers received checks, with Martin Barbella taking home $3,000, Sergey Radchenko $2,500 and two others $2,000 each.
Google and Mozilla, which makes Firefox, are the only browser developers to pay bounties directly to bug researchers.
In hindsight, Monday's update should have been expected: In 2010, Google also patched Chrome the week before Pwn2Own.
2011's Pwn2Own begins March 9, when security researchers will vie for fame and cash by trying to take down not just Chrome, but also the current versions of Apple's Safari 5, Microsoft's Internet Explorer 8 and Mozilla's Firefox 3.6.
Monday's patches could be particularly important this year, since Google has a special stake in Pwn2Own: It put up the $20,000 prize for hacking Chrome on the first of the contest's three days. (After that, if no one breaks the browser, the rules change and Google will fork over just $10,000, with Pwn2Own sponsor HP TippingPoint ponying up the other $10,000.)
At least one other browser builder will issue patches before Pwn2Own's first day of competition. Mozilla has scheduled a security update of Firefox 3.6 for later today.
The patched Chrome 9 can be downloaded for Windows, Mac OS X and Linux from Google's Web site. Users already running the browser will be updated automatically.

Safari, IE hacked first at Pwn2Own

Apple, Microsoft browsers drop to first shots at the hacking contest
Apple's Safari and Microsoft's Internet Explorer (IE) both fell to the first hackers who tried their luck on the browsers at Wednesday's opening day of Pwn2Own.
The hacking challenge kicked off at 3:30 p.m. PT, slightly later than scheduled, at the CanSecWest security conference, which runs March 9-11 in Vancouver, British Columbia.
A team from the French security company Vupen walked off with $15,000 and a new MacBook Air after exploiting an unpatched vulnerability in Safari.
Earlier today, Apple updated Safari to version 5.0.4, fixing 62 vulnerabilities. But Vupen was still able to break the browser.
"Apple has just released Safari 5.0.4 and iOS 4.3 a few minutes before the Pwn2Own contest," Vupen said Wednesday afternoon on its Twitter account several hours before the contest began. "This breaks some exploits but not all!!"
HP TippingPoint, the security company that sponsors Pwn2Own, said earlier today that the last-minute Safari updates could affect who was awarded prize money.
TippingPoint's Peter Vreugdenhil said the browsers were "frozen" two weeks before today's tip-off with the then-current versions of Safari, Google's Chrome 9, Microsoft's IE8 and Mozilla's Firefox 3.6, to give researchers a stationary target.
"Exploit development does sometimes rely on certain versions and that is the reason we have frozen the devices," Vreugdenhil said in an e-mail today.
But the Safari patches still had a part to play in Vupen winning. If the vulnerability used by Vupen to hack Safari had been fixed in 5.0.4, TippingPoint would not have awarded the $15,000 prize.
Instead, the money would have gone to the first researcher who exploited the "frozen" version of Safari -- 5.0.3 was on the MacBook Air -- using a bug still present in today's update.
"As long as the latest version still has the vulnerability, and the researcher has successfully 'pwned' [successfully compromised the computer] with the frozen version, he or she will have won," said Vreugdenhil.
This was the first time in four years that Safari had fallen to someone other than Charlie Miller, an analyst with the security consulting group Independent Security Evaluators (ISE), and co-author of The Mac Hacker's Handbook. Miller won at Pwn2Own in 2008, 2009 and 2010 by exploiting Safari.
Microsoft's IE8 also dropped to its first attacker, Stephen Fewer, who drew the No. 1 spot for that browser. Fewer is the founder of Harmony Security, and frequently reports bugs to TippingPoint's Zero Day Initiative (ZDI) bounty program.
To exploit IE8, Fewer bypassed Protected Mode, said Aaron Portnoy, manager of TippingPoint's security research team and the organizer of Pwn2Own for each of its five years. Protected Mode is Microsoft's name for the sandbox-like anti-exploit technology designed to isolate the browser from the operating system and the rest of the computer.
Vupen, which was waiting in the wings in case Fewer failed, did not get a chance to try its luck against IE8.
Microsoft, which has engineers from its Microsoft Security Response Center (MSRC) at the Canadian contest, said it was already on the case.
"Our top security researchers are already investigating the IE exploit used in the Pwn2Own contest," the MSRC team said via Twitter Wednesday afternoon.
Earlier this week, Microsoft had said it had not updated IE -- as Apple, Google and Mozilla all did in the days leading up to the contest -- because the move would have been too disruptive to customers.
As Jerry Bryant, a group manager with MSRC, pointed out Tuesday, TippingPoint reports the vulnerabilities exploited at Pwn2Own to vendors, who have six months to fix the flaws before TippingPoint goes public with any technical information. Thus, there is little danger of any exploited bug falling into cybercriminals' hands.
In an interview after the day's activities wrapped up, TippingPoint's Portnoy said that Firefox had been rescheduled for Thursday and that the researchers who had earlier committed to tackling Chrome had either not shown up or had decided to focus on RIM's BlackBerry smartphone.
The four smartphones will be subjected to attack Thursday, Portnoy said.
Pwn2Own's smartphone track features devices running Apple's iOS, Google's Android, Microsoft's Windows Phone 7 and RIM's BlackBerry OS. TippingPoint will award $15,000 for the first hack of each of the smartphones.

3 interesting Twitter tools

OK, so let's say you're interested in social trends. A great place to look at what's hot is Twitter and, yep, there's a service that will graph the popularity of any keyword on Twitter: It's called Trendistic.
Just enter any term you're curious about into Trendistic's search field and voila! You can create a graph for the last 24 hours or the last 7, 30, 90, or 120 days.
You can see, for example, that the chart for the word "libya" over the last month shows the term started to get used significantly on Feb. 15 at 6 a.m. and is currently trending slowly down from peaks on Feb. 21 and 22.
Unfortunately Trendistic can't handle complex search terms or show a comparison between two or more terms, so I'll give Trendistic a rating of 3 out of 5.
Of course, to figure out what Twitter trends are worth analyzing with Trendistic you might want to keep track of what's hot. While Twitter reports trending terms on the user interface there are several other services that do a similar job, for example, What the Trend.
WTT uses crowdsourcing to mine Twitter. By submitting trends you believe to be important and rating trends submitted by other people you can help determine the perceived significance of trends and increase your own reputation score. If you follow @wtt you will also be able to see the latest trends as they appear and there's an API for extending your own apps.
WTT provides a powerful insight into what's on the collective's mind, and the Pro version, which provides real-time reporting, is priced at $450 per month. WTT gets a rating of 4 out of 5.
So you have an idea of what's on other people's minds, but how well are you doing with social media? Try twentyfeet.com. This service will mine your Twitter, Facebook, MySpace, YouTube, bit.ly, and Google Analytics accounts and slice and dice the results to give you insight into the impact (or lack thereof) you are (or aren't) making in the socioverse.
After you add your various accounts, twentyfeet will access them and graph the results to show you attributes such as your Twitter reputation indicators (number of followers, number of lists you're in, and number of followers lost), Twitter influence indicators (number of mentions and retweets you get), and bit.ly links clicked and bit.ly referrers breakdown.
All of the results are displayed as graphs, and the data can be downloaded as Excel spreadsheets and pushed out to social networks directly from the twentyfeet.com user interface. This makes the analysis of your use of social media a social media topic, which implies that the analysis would, in turn, be analyzed as part of your use of social media. Could this be the event horizon of a social media black hole?
Twentyfeet.com allows you to have one Twitter and one Facebook account monitored and analyzed for free and forever. After a 30-day free trial additional accounts cost $2.49 each per year.
My only problem with twentyfeet.com is that after six hours it still hasn't finished analyzing my Facebook account (then again, maybe on Facebook I'm so social, the analysis is a really, really big job).
I'd also like to see twentyfeet.com support LinkedIn, and I'd love to see the analyses cross-reference the various social services you use to present a unified picture identifying both how similar and how different your social media worlds are. Even so, I'll give twentyfeet.com a rating of 4.5 out of 5.

With movies, Facebook looks to outgrow its niche

Social network tries new angle to compete with Google, dominate the Net
Facebook, as widely popular as it is as a social networking site, is looking to break out of its niche. In doing so, it would like to take a defensive swing at Google.

Industry analysts say Facebook took that step this week, with a little help from Warner Bros. Entertainment.

Warner Bros., a giant in the movie business, has begun offering movies to rent or buy and view on the Facebook site. The program, which launched in a test phase in the U.S. on Tuesday, requires users to pay $3 for the movies using Facebook's on-site currency, called Credits.

The Batman film, The Dark Knight, was the first movie available on Facebook. Users can rent the film through its official Facebook page. Other movies are scheduled to be made available on Facebook in the coming months.

For a company that has quickly become the largest social network in the world, why venture into the movie-viewing business?

Ezra Gottheil, an analyst at Technology Business Research, said it's all part of Facebook's plan to become not only an online destination, but also a portal to music, movies and politics. It's also another way for Facebook to pull in more advertising and revenue.

"This is all upside for Facebook," Gottheil said. "Facebook would like to be users' entry point to the entire Web -- communications, content, game-playing, etc. As long as additions don't obscure the primary experience, and I don't see any reason this would, every addition removes one more reason to leave Facebook World."

This, according to Gottheil, is all part of Facebook's progression.

"This is another step in Facebook's evolution from purely people-centered social networking toward both a people-centered and content-centered site," he added. "Many things Facebook has done contribute to this trend, but every addition strengthens their position."

Rob Enderle, an analyst at Enderle Group, said Facebook's latest move also is a defensive swing against Google, which is increasingly becoming a rival to the social network.

"I think [this movie deal] could be critical if Facebook is going to move out of its niche and go after the broad [advertising] market in general," Enderle said. "It is as much a defensive move against Google, which is already in the media space but has struggled with social networking. They want to get Google chasing them."

While there's been a lot of attention on the competition between Google and Microsoft, there has been a growing rivalry between Google and Facebook in the past six months. Both companies are top in their fields and, perhaps most important, both want to dominate the social Web.

While Facebook is the early leader in the social Web, Google is rumored to be working on its own social network to go head-to-head with Facebook.

With Facebook getting a $500 million investment earlier this year from Goldman Sachs and a Russian investor, several analysts have speculated that company executives might use that newfound cash to go after Google.

"We are seeing the beginning of a major market inflection point," Enderle said. "When the dust clears, a few companies won't be around, and we may have a couple of new power players. If [Facebook] pulls this off, it will be textbook brilliant."

Mozilla releases Firefox 4.0 release candidate

The Mozilla Foundation has issued the first release candidate of Firefox version 4.0, finishing a grueling and ambitious beta development cycle for the browser.

This release candidate represents what the development team feels is a finished browser, said Johnathan Nightingale, director of Firefox development, in an interview.

The quality assurance team will still take feedback from users over the next few weeks, but if no major bugs are found, Mozilla expects to issue the full production release of the browser by the end of the month, he said.

If so, March will be a busy month for the ongoing browser wars. In addition to the pending final release of Firefox 4, Microsoft plans to launch version 9 of its Internet Explorer on March 14. And Google released version 10 of its Chrome browser on Monday.

Version 4 of Firefox is a major upgrade for the open-source browser, and includes a wealth of new features and enhancements.

The user interface has been completely revamped and streamlined, with the menu bar condensed under a single button. The JavaScript Engine has been overhauled for speedier performance. The Add-ons Manager has been upgraded to a full-page interface.

Tab management has also taken a great leap forward. Users can bundle sets of tabs into different groups, under a feature called Panorama. They can add small permanent tabs to the top of the browser, for those pages and applications they continually keep open.

For the first time, Firefox will allow users to synchronize their bookmarks across different computers and even with Android-based mobile phones. This is also the first version of the browser to include the Do Not Track feature, which can alert website owners if the user wishes to opt out of third-party Web tracking.

The release candidate is available for the Windows, Mac and Linux platforms, and supports more than 70 languages. Current users of the beta version will have their browsers automatically updated.