“Fully patched versions of Safari and Internet Explorer 8 were both successfully hacked today at pwn2own, the annual hacking competition held as part of the CanSecWest security conference. If a researcher can pwn the browser – that is, make it run arbitrary code – then they get to own the hardware the browser runs on. This year, not only did they have to run arbitrary code, they also had to escape any sandboxes – restricted environments with reduced access to data and the operating system – that are imposed.”
I don’t know why, but I somehow expected that this year would be different, that we would finally reach some kind of maturity. But here we are, every browser challenged so far broken wide open. One can only hope that the Chrome challenger not showing up is a sign that Chrome is going to make it through.
I am to some part especially disappointed that IE8 fell so quickly. Microsoft certainly has been adding a lot of layers of security to it, but while it apparently took three separate exploits working together to beat it, that’s not much consolation when the outcome is the same for the user.
Well, I thought that Apple issued a monster patch before the competition deadline for the purpose.
http://arstechnica.com/apple/news/2011/03/likely-pre-pwn2own-safari…
I cannot wait to see the mobile web competition unrolling
Looks like Firefox is up for grabs tomorrow. This article came up just as I was thinking about something – does Firefox (either 3.x or 4.x) have any kind of sandbox mode by default?
I know plugins are now out-of-process (from Firefox 4), which handles plugin crashes gracefully... but I’m not sure if it also acts as a sandbox.
Plugin separation was already added in Firefox 3.6.
Firefox Mobile 4 (which will have release candidate status soon) has real process separation.
It was planned that the version after Firefox 4, probably called Firefox 5 and released in 3 months, will probably have process separation as well.
Mozilla calls it Electrolysis.
Hopefully this will also lead to better threading... would be nice if each tab ran in its own thread and could be closed/killed if it misbehaved.
End of the day it still comes down to relying on the user to open a malicious page. More than anything, this should be a reminder that users need to be encouraged to practice proactive security habits rather than relying on the default state of their browsers to protect them.
While your statement sounds good, it is actually pointless. For all practical purposes, a “drive by” hijacking of the browser is the most likely attack all of us face, and certainly the most dangerous when the user doesn’t have to click “OK”, etc. Otherwise, I guess we could have the attack be navigating each browser to http://www.google.com and see which browsers are owned.
The point of security testing is we will all at some point think we are going to a safe site, and if just by navigating to that site our computer can be taken over, then this is a serious security flaw.
It’s similar to testing the security system of a VIP limousine. It would not be much of a test if we left the car in the garage. It needs to be tested on a dangerous road with malicious folks around, or else it isn’t much of a test.
You’re right, but a user who’s aware of their habits and who avoids risky behaviors is in a better spot than one who’s running around assuming they’re safe due to having a “safe” browser. It won’t stop them from being owned by a malicious ad on Facebook in 100% of cases, but it is a significant step up.
Beyond that, the tests themselves are contrived worst case scenarios for the purpose of highlighting what could happen. How many of us are running an OS in a pristine state without additional layers of security in place? I know I’m not, I don’t know many Windows users who are actually.
So yeah, these security breaches absolutely need to be recognized and fixed, but the process of educating people shouldn’t be left at that.
You are right – I shouldn’t have said pointless. Your comment is true, that informed users are always the first line of attack, and being careful about where you browse is important. However, I don’t think it applies to this particular test – this is a test of your browser under difficult circumstances, not with careful users. I am definitely interested in which browser stays secure if I accidentally find myself on a dark and scary side-street on the Information Highway (wow, haven’t used that term in a while).
I think you are vastly underestimating the potential for infection from a “safe” website. Prior to this whole Anonymous affair, you would have assumed that visiting HBGary’s website would have been safe, right? I mean, they’re a security company, if anyone is going to be okay to visit it would be them. Anon hacked the crap out of that site for publicity purposes. If they had wanted to they could have simply added a small piece of code that sent malicious stuff to everyone’s browser.
You can get hacked going to *any* website. Aside from direct hacking of a site, there is still xss, xsrf, and wonderful ad networks delivering up nasty stuff. You can’t simply blame users for going to an obviously bad site anymore.
Of course, the odds of getting something nasty do go up if you visit a lot of gambling/porn/gaming/warez sites, but I don’t think it’s as dramatic as you think.
I think some of the ad networks delivering content for major sites (CNN, etc.) had malicious jpegs being vended through them at one point. Definitely don’t count on visiting ‘safe’ sites keeping your machine secure. Though I guess maybe blocking ads will help though?
I personally feel that Opera is more relevant than Safari. I’m not sure why Opera is always left out as a major browser.
Um, market share. Safari has a much larger market share than Opera. Opera share on the desktop is very small, even if it is a good browser.
Not for mobile: http://gs.statcounter.com/#mobile_browser-ww-monthly-201102-201102-…
The difference isn’t really all that great on the desktop either, with Safari at 5% and Opera at 2%. A little more than 2x, but then Safari isn’t nearly that close to Chrome, at 16%.
Not so much market share as the fact it’s the default browser for OS X
Any reason they were testing IE8 when the current version is IE9?
Afaik, IE9 is not current yet, but still pre-release.
Uhm, no. The current version of IE is 8. IE9 has not been released yet.
Next you’ll be saying that FF4 is the “current” version, or that Chrome 11 is the “current” version, when neither of those have been released either.
I wouldn’t have a problem with Apple if they had some integrity.
They go on promoting their image about security and better quality, and many people buy that line, but all too often we hear about Apple recall upon recall caused by cheap or faulty components.
Everything is shrouded in secrecy, nobody knows how many vulnerabilities Apple fixes because they won’t say. It’s probably even a secret within Apple. Sure, compared to MS or Linux they look like the holy grail, but then again MS and Linux publicly disclose their vulnerabilities.
My problem with Apple is that they care more about the public perception of security and quality than about the reality of the situation.