Google Pays Researchers Record $112,500 for Android Flaws
The bug bounty reward, given to a researcher who submitted a working remote exploit, is Google's highest ever for an Android bug.
Google has awarded its highest-ever bug bounty for an Android flaw, the company announced this week. The $112,500 reward was paid to a researcher who submitted the first working remote exploit since the Android Security Rewards (ASR) program expanded in June 2017.
Gong, of the Alpha Team at Qihoo 360 Technology, submitted his report in September. The exploit chain he found includes two bugs: CVE-2017-5116 and CVE-2017-14904. The first is a V8 engine bug used to get remote code execution in the sandboxed Chrome renderer process. The second, a bug in Android's libgralloc module, is used to escape from the Chrome sandbox.
Together, the exploit chain can be used to inject arbitrary code into system_server by accessing a malicious URL in Chrome. Gong's findings earned him $105,000 from ASR, the highest reward in the history of the program. He was also given $7,500 from the Chrome Rewards program.
The full set of issues Gong discovered was addressed in the December 2017 monthly security update, and all devices with security patches of 2017-12-05 or later are protected. Pixel devices and partner devices using A/B updates will automatically install the fixes when restarted.
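The practical check a defender takes from the paragraph above is the patch-level comparison: a device is covered once its security patch level is 2017-12-05 or later. The following script is an added example, not code from the article or from Google; it assumes the patch level has been collected from each device as the value of the standard Android system property `ro.build.version.security_patch` (for instance via `adb shell getprop`), and the device inventory it triages is constructed for illustration. It also flags malformed or missing values as "unknown" rather than silently treating them as safe.

```python
from datetime import date

# Patch level that Google states closes the whole issue set (from the article).
REQUIRED_PATCH_LEVEL = date(2017, 12, 5)

# Constructed sample inventory: device name -> value of the Android system
# property ro.build.version.security_patch as reported by that device.
SAMPLE_INVENTORY = {
    "pixel-2-a": "2018-01-05",        # patched after the fix shipped
    "partner-tablet-b": "2017-12-05", # exactly the required level
    "partner-phone-c": "2017-11-06",  # one month too old
    "lab-device-d": "unknown",        # property missing or unreadable
}


def parse_patch_level(value):
    """Parse the YYYY-MM-DD string Android reports as its security patch level.

    Returns a date, or None when the value is missing or not a valid ISO date,
    so that a bad reading is never mistaken for an up-to-date device."""
    try:
        return date.fromisoformat(value.strip())
    except (ValueError, AttributeError, TypeError):
        return None


def is_protected(value, required=REQUIRED_PATCH_LEVEL):
    """True only when the patch level parses and is at or after `required`."""
    level = parse_patch_level(value)
    return level is not None and level >= required


def triage(inventory, required=REQUIRED_PATCH_LEVEL):
    """Classify each device as 'protected', 'vulnerable', or 'unknown'."""
    result = {}
    for name, value in inventory.items():
        level = parse_patch_level(value)
        if level is None:
            result[name] = "unknown"
        elif level >= required:
            result[name] = "protected"
        else:
            result[name] = "vulnerable"
    return result


if __name__ == "__main__":
    for device, status in triage(SAMPLE_INVENTORY).items():
        print(f"{device:18s} {SAMPLE_INVENTORY[device]:12s} {status}")
```

In a fleet of real devices the inventory would be filled from each device's reported property rather than the constructed dictionary, and anything classified "unknown" deserves a manual look before being counted as covered.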