Latest Expert Witness News

Security experts find bugs and win with Google

Two security researchers are sharing a cash prize from Google after winning a bug hunt contest designed to improve the security of Google Native Client technology.

Despite the dozen or so bugs they found in the code, which lets Web-based applications run native code and take advantage of a computer's processing power, one of the winners predicted the technology will be secure when it is deployed.

Mark Dowd, X-Force researcher engineer at IBM Internet Security Systems and his partner, Ben Hawkes, an independent security researcher in New Zealand, found the largest number of security vulnerabilities and the most severe of the 22 total bugs that were reported by contestants and accepted as valid. The more severe bugs, for instance, would allow an attacker to completely disable the technology's inner sandbox.

The technology, revealed as a research project in December and promoted to a development platform last month, is an attempt to enable computers to run Web applications downloaded from the Internet directly on the processor and at the speed of "native" software installed on a computer.

Current Web application programming environments, like Flash, JavaScript, and ActiveX, offer limited processing power and have suffered their own share of implementation flaws that can be exploited.

Google expects to integrate Native Client into the developer version of its Chrome browser before the end of the year.

back