Of the Big Four browsers, only Apple’s Safari has so far survived the onslaught of the browser-breakers at PWN2OWN 2013.
Chrome, Internet Explorer 10 and Firefox, all running on Windows, have already fallen by the wayside.
To remind you: in the world of PWN2OWN, “successful attack” means that merely by browsing to untrusted web content, you’re able to inject and run arbitrary executable code outside the browser.
In the real world, that means you could pull off a drive-by install, where you bypass all intended protections, preventions and pop-up warnings from the browser.
In other words, you could put malware on remote users’ computers without them being involved, or even aware.
As the competition rules explain:
A successful attack ... must require little or no user interaction and must demonstrate code execution... If a sandbox is present, a full sandbox escape is required to win.
However, if you’re a Safari fan, don’t get too excited about your browser’s resilience just yet.
None of the PWN2OWN entrants are actually scheduled to take on Safari (the only non-Windows-hosted software in the competition), and we are unlikely ever to be sure why.
Was the combination of Safari and OS X too tough? Was the prize money too low? Do the browser-breakers consider OS X malware a secondary revenue stream not glamorous enough for the limelight of competitive hacking? Are the browser-breakers simply not up to speed on Safari and OS X hacking yet?
(Let’s hope that Safari’s victory over the attackers was true resilience, or even simply a lack of interest from the competitors, rather than that someone came up with an exploit but chose instead to sell it to the internet underworld.)
Java, plugged into Internet Explorer on Windows, also fell today – not once, but three times.
Here’s HP’s summary of the results so far:
The competition continues at midday on Thursday 07 March 2013, with VUPEN Security taking a crack at Adobe Flash and George Hotz trying out his skills on the Adobe Reader plugin.
When they’re done, Pham Toan will have a crack at Internet Explorer 10.
If he succeeds, he’ll only win a consolation prize because, as shown above, VUPEN already took down Microsoft’s latest browser.
→ PWN2OWN contestants step up to the plate/crease in a randomly-chosen order. And since you only enter in the first place if you’re pretty certain that you have an exploit that will work on the competition system, that usually means that it’s first in, best dressed. Second and third place winners get kudos, but no cash.
With prize money at 70% of that for Chrome and IE, you’d assume that Flash and Reader are supposed to be easier to break. On the other hand, Safari was valued at just 65%, and no-one broke that.
So stay tuned. We’ll let you know tomorrow how Flash and Reader stood up.
Is this a legitimate comp or something we should be wary of? I do understand that, either way, we all shouldn't be complacent about security.
It's legit, though Google (amongst others) fell out with it last year and withdrew its browser and its money because you could come along, show off your vulnerability, pwn the laptop, collect the cash…
…and then walk away without revealing your vulnerability to the browser maker, perhaps to sell your vulnerability to someone else (or to disclose it publicly, knowing it was verified to work).
The competition is a bit more responsible now. You win the prize but the browser vendor gets access to your work and time to fix the flaw before world+dog gets told how to use the exploit.
All good fun with lots of money being thrown around….but spare a thought for those of us in the trenches who are going to have to clean up the mess by spending countless hours patching thousands of vulnerable endpoints across multiple enterprises whilst begging our users in vain to browse safely and not to click on any link that comes their way.
Would the vulnerabilities have arrived anyway? Of course…but it still leaves a bit of a bad taste in the mouth!
Really? You’d rather be scrambling to patch a bunch of systems because they’re being actively exploited, than have competitions like this unearth the vulnerabilities, and have them released in a responsible manner?
There is an active black market for vulnerabilities. Far better for people to make the money here, where the vulnerability gets displayed and fixed, than sold on the black market to be used for evil.
The article suggests lack of interest as a possible reason Safari didn't fall. But I doubt it. This article….
http://www.theregister.co.uk/2013/01/22/pwn2own_w…
….says the prize for hacking the Safari browser was set to $65,000. Who would lack interest in that much money? Java fell for just $20,000.
I'm not sure it's very smart to award all the cash prizes to those who happen to be lucky enough to be chosen first. It seems to me that such a system provides far less incentive to those who aren't chosen first. What's in it for them if the cash has already been awarded to someone else?
I suppose they get the credit for having achieved the pwnation, and maybe that's enough for some. But what's to keep them from just saying "Forget it", and walking away to sell their exploits to the bad guys?
Ah…and now I see that the PWN2OWN sponsor (HP) apparently agrees, having announced on Day 2 that they will pay a cash prize to everyone who creates a successful attack. That makes more sense.
http://nakedsecurity.sophos.com/pwn2own-results-d…
The cynic says that everyone expected Miller to beat Safari in 10 seconds or so (as usual) and no one else bothered.
People use Safari?
Yes, and now you know why.
The article seems to suggest that Safari running on Windows was not part of the 'game'. A number of people use it that way, but is it any more secure than the other browsers?
Part of the security, or insecurity, may be due to the OS being used; any flavour of UNIX (such as OS X and Linux) tends to be less vulnerable than Windows. That may be because of a smaller presence in the market, so less interest in attacking.
Could 'The Duck' clarify the position of Safari on Windows please?
Safari on Windows is dead, so there’s no point in testing that configuration.
I'd be interested to know how well this works in Firefox with Noscript. And I would also like it tested with a browser sandboxed with Sandboxie.
@ Chuck–
I think the point is to hack with their default configurations, as how the vast majority of people would use it. Most people on the street don’t have a clue what NoScript is, or Sandboxie.