Today, a new update to the Stable Channel of Chrome has brought over $14,000 in rewards to individual researchers and teams that have found security risks in Chrome that have been patched. This brings the total amount of rewards given out in the Chromium Security Rewards program to over $100,000.

The program was started in 2010 and gave security researchers the chance to try and find vulnerabilities in Chrome along with the potential for generous rewards. Many argue that for this reason and others that Chrome has become the most secure browser available. Other browsers that have hit the market recently, such as the venture capital-backed social browser RockMelt, are based on Chromium’s open source code which is also where Chrome comes from.

Google is even taking security up a notch, sponsoring a part of the Pwn2Own 2011 contest that is being held in Vancouver at CanSecWest. It will be awarding $20,000 to anyone who can hack the Chrome browser on the Cr-48, the company’s pilot Chrome OS laptop.

via Google Chrome Releases

At last year’s Pwn2Own competition at CanSecWest, Chrome stood as one platform that did not get hacked. That may change this year with another year of researchers being able to spend time with it, but Google wants to give out a little motivation to make sure that Chrome is secure.

The company will be awarding $20,000 to anyone who is able to hack the browser on the Cr-48. This would require finding a hole that allows escalation privileges from inside the sandbox. It can be combined with some other type of vulnerability involved, but there must be a break in the sandbox to get the award.

Break me.

Prizes are given out for hacking other browsers, which include the top four: IE, Firefox, Chrome and Safari. Last year three of the four were hacked as well as the iPhone.

The awards are as follows: $15,000 for a hack of any of the above browsers. Google will offer the $20,000 on day 1 of the contest for a hack using Google code, the organizers will pony up $10,000 on day 2 for non-Google code and Google will offer $10,000 for the bug.

Pwn2Own 2011 is being held March 9-11 in Vancouver, BC. Read more details here on ZDI’s blog.

via ZDNet

For the past six months, those who have been able to find a flaw in Chromium were awarded cash prizes for doing so. Now that this program has been ongoing for some time, the Chromium team has decided increase the amount given out for the most critical of flaws found, moving from $1,337 to $3,133.70. Most awards will remain at the $500 level, depending on the published severity guidelines.

The Chromium project has lead to Chrome being one of the most secure browsers on the market. The annual conference where researchers try to compromise browsers and other computer platforms, Pwn2Own, had no takers for Chrome browser this year. It could be because Chrome is still the newcomer on the market. Nevertheless all of the other major browsers ended up getting hacked at Pwn2Own.

It’s unknown whether or not the decision from the Chromium team relates to Mozilla recently raising their Security Bug Bounty Program award up from $500 to $3,000. With that being said, moving the amount just above Mozilla’s while keeping the cachet of the original award may mean something when thinking about Firefox versus Chrome: actions speak louder than words.

While news has been sparse since Day 1 of Pwn2OWn, word is that Chrome was the only major browser to make it through the entire competition unscathed. That means it even got through the vaunted Windows XP Day 3, where many expected that Chrome would be exploited by using some of XP’s inherent holes. Not to mention withstanding the service packs that XP is nine years old.

Major browsers such as IE8, Safari and Firefox were hacked within minutes of the start.

Pwn2Own, by the way, is a contest that awards “researchers” cash prizes for successfully hacking computer platforms – prizes in the range of $10,000 to $15,000 plus the computer that they are hacked on.

OK, so Chrome made it through. But let’s think about this. Chrome has only been out since 2008, and there still aren’t that many users who have adopted it yet. W3schools, a web developer site, cites an 11.6% rate of users who visit their site as running Chrome for February 2010. And that is a site for early adopters of web technology! The real number for the entire web population is probably closer to five percent. That may be one of the reasons that researchers have yet to find vulnerabilities in it: they hack what they know, which are the other browsers out there.

Of course, there is also the idea that the other browsers on the market are simply weaker than Chrome which is also a possibility. There was some stir in the days leading up to the contest that Google quickly patched up a slew of security flaws in what was seen as a pre-emptive move. But when you are actually awarding outside experts with cash when they see a flaw in Chrome, it’s probably easier to patch up things that may be hard to see when they are right in front of you.

Anyone else ever had that problem before?

Good news for all you Mac users: the newest update to Chrome 5 will offer the Translate feature that those of us on the Windows version have been able to enjoy for the past couple of weeks. If you’ve never used Google translate, you probably don’t know what you’re missing. I have a piece out there already that pretty much outlines what I’m talking about, and you can check it out here.

Here are the new updates to Chrome 5 Beta for Mac:

• Translate feature has been added
• Greater control over privacy (learn more here)
• Full screen mode by using Shift-CMD-F (Thanks Nick!)
• Forced reload, instead of using cache by using Shift+Reload

Already have Chrome 5 Beta for Mac? You will be automatically updated. If you don’t have Chrome 5, get it here.

With the news that Safari was the first browser successfully hacked at this year’s Pwn2Own competition, those of you out there who like using Apple products may want to consider giving Chrome 5 a try. An earlier version that is in stable release, Chrome 4, has yet to go down at the competition where hackers (they’re called “researchers” these days) try to compromise operating systems, browsers and mobile phones.

Apple comes out with great products. There is no doubt about that. But one big problem is that they aren’t nearly as ubiquitous as Windows products, and therefore have not been as susceptible to attack by those with malicious intentions. Unfortunately that landscape is changing. Check out this graph that shows the correlation between the prevalence of Apple stores and adoption of their products:

So while Apple has been building its own retail stores around the world they have increased their market share from 3.5% to almost 10% in a span of seven years. That means more Macs and more of them means the potential to attack them increases. As an example of how much work needs to done to protect Macs, Apple added data execution protection (DEP) to Snow Leopard which was something adopted by Windows in XP SP2 which came out in 2003.

So this post may have gone off on a tangent from its original theme, but I hope it has been informative nonetheless.

Yesterday’s first day for the Pwn2Own contest came and went literally for the Chrome browser. The competition, which pits security minded hackers against web browsers, operating systems and mobile phone platforms did however do a number on Apple products. Apple’s Safari browser was hacked on both Snow Leopard and the iPhone, while Charlie Miller, a previous winner, snagged ten grand by remotely taking control of Safari on a MacBook Pro. Miller is the one who was quoted a while ago saying that Chrome 4 without Flash on Windows 7 was the most secure computing environment out there today.

Also, IE8 on Windows 7 was successfully hacked on the first day of Pwn2Own, with researcher Peter Vreugdenhil getting past Windows 7′s data execution protection (DEP) and address space layout representation (ASLR) to exploit IE8. An hour after that, a freelancer named Nils was also able to use those same Windows vulnerabilities to also hack Firefox 3.6.

Yesterday was the day for Windows 7, and today the competition will face Vista, with tomorrow highlighting XP. Will Chrome fall on a less secure system? We shall see. Here is the complete three day schedule for Pwn2Own:

Day 1

The target pairings for day one are:

• Microsoft Internet Explorer 8 on Windows 7
• Mozilla Firefox 3 on Windows 7
• Google Chrome 4 on Windows 7
• Apple Safari 4 on MacOS X Snow Leopard

Day 2

• Microsoft Internet Explorer 7 on Windows Vista
• Mozilla Firefox 3 on Windows Vista
• Google Chrome 4 on Windows Vista
• Apple Safari 4 on MacOS X Snow Leopard

Day 3

• Microsoft Internet Explorer 7 on Windows XP
• Mozilla Firefox 3 on Windows XP
• Google Chrome 4 on Windows XP
• Apple Safari 4 on MacOS X Snow Leopard

Most top prizes are in the $10,000 range, plus the hardware that is hacked on is also awarded. There is also a focus on these mobile platforms (and as we said that the iPhone has already been hacked):

• Apple iPhone 3GS
• RIM Blackberry Bold 9700
• Nokia E72 device running Symbian
• HTC Nexus One running Android

We’ll keep you posted, especially on the Google-related products.

As mentioned previously, the Chromium team is giving out cash awards to researchers who are able to find vulnerabilities in the browser’s software. While most awards given out are in the $500 range, there is another tier for those who are able to find very serious flaw. Finally, someone has won the top award, getting $1,337 from Google for finding what must be a serious exploit. Although we cannot see what the flaw is because not all browsers have been updated, I’m Sergey Glazunov, who won the award, is happy to be receiving some recognition since most of the time these folks don’t get the appreciation that they deserve.

This is coming at a good time, and there is no doubt that the recent rash of updates to Chrome’s stable build has to do with the upcoming Pwn2Own contest which pits hackers against browsers and operating systems in a contest to see who can compromise a system the fastest. Charlie Miller, one of the past winners, has gone on record to say that he thinks Google Chrome is one of the most secure browsers along with Windows 7 being the most secure operating system.

Although it appears that smartphone operating systems will be a big focus of the year’s Pwn2Own, it will still be interesting to see which browsers are the most secure. Computerworld is predicting that Chrome will last the longest which is a promising sign and shows how much effort has been put into a browser that has only been around since 2008.

Best known as the hacker that is able to consistently deliver results in the Pwn2Own contest which awards contestants for successfully exploiting OS vulnerabilities, Charlie Miller gave an interview recently and shared his thoughs about the most secure computing platform for users. While he was unable to comment on Chrome OS (he said he didn’t have enough info yet) his thoughts and the best browser and OS were of interest.

“Chrome or IE8 on Windows 7 with no Flash installed. There probably isn’t enough difference between the browsers to get worked up about”, Miller told oneitsecurity. And while we agree with his point, it stands out that he would find that IE8 is comparable to Chrome in any way other than security. Chrome offers a better UI, is faster and has far better web compliance scores.

He discussed the potential of hacking Linux, saying that it would be relatively easy to pull off. But the low adoption rate of Linux as inhibited any motivation for researchers to try to point out flaws that are inherent to the system. Chrome OS is based off of a flavor of Linux so it will be interesting to see how it evolves from the perspective of security.

Miller is clearly not impressed by Flash, and that’s no surprise. With Pwn2Own’s 2010 contest coming up, the focus this year is going to be on exploiting mobile phones. That would probably be made easier if some of these platforms like the iPhone actually had Flash, so expect Android to be a big target with a lot of entrants trying to win the big prize by hacking that platform. The total prize allocation for the contest is set at $100,000.