"To date, most successful attacks against Chrome exploit Adobe Flash, which is protected by a significantly more porous sandbox."<p>I notice that pretty much every time I read articles about Pwn2Own and similar. It's high time that Flash was abandoned as a ubiquitous part of the web. It is to web development as Outlook Express was to desktop software in the 90s - sure it's everywhere, but it's not doing much good by being so.
The Chrome Release blog says it's fixed: <a href="http://googlechromereleases.blogspot.com/2012/03/chrome-stable-channel-update.html" rel="nofollow">http://googlechromereleases.blogspot.com/2012/03/chrome-stab...</a><p>And that the SVN commit history is available: <a href="http://build.chromium.org/f/chromium/perf/dashboard/ui/changelog.html?url=/branches/963/src&range=125577:124982&mode=html" rel="nofollow">http://build.chromium.org/f/chromium/perf/dashboard/ui/chang...</a><p>But I don't see any commit that looks even remotely related to this exploit. What's up?
That's only the Pwnium hack, though. The Pwn2Own vulnerability remains undisclosed and unfixed.<p>Which leads me to the question: why aren't companies like Google customers of companies like Vupen? Too many of them to make it cost-effective? Or does Vupen (for example) prefer if those holes are <i>not</i> fixed? You can sell a vulnerability many times, after all.