Of the Big Four browsers, only Apple’s Safari has so far survived the onslaught of the browser-breakers at PWN2OWN 2013.
Chrome, Internet Explorer 10 and Firefox, all running on Windows, have already fallen by the wayside.
To remind you: in the world of PWN2OWN, a “successful attack” means that merely by getting the victim to browse to untrusted web content, you’re able to inject and run arbitrary executable code outside the browser, escaping any sandbox the browser puts around its rendering process.
In the real world, that means you could pull off a drive-by install, where you bypass all intended protections, preventions and pop-up warnings from the browser.
In other words, you could put malware on remote users’ computers without them being involved, or even aware.
As the competition rules explain:
A successful attack ... must require little or no user interaction and must demonstrate code execution... If a sandbox is present, a full sandbox escape is required to win.
However, if you’re a Safari fan, don’t get too excited about your browser’s resilience just yet.
None of the PWN2OWN entrants are actually scheduled to take on Safari (the only non-Windows-hosted software in the competition), and we are unlikely ever to be sure why.
Was the combination of Safari and OS X too tough? Was the prize money too low? Do the browser-breakers consider OS X malware a secondary revenue stream not glamorous enough for the limelight of competitive hacking? Are the browser-breakers simply not up to speed on Safari and OS X hacking yet?
(Let’s hope that Safari’s victory over the attackers was true resilience, or even simply a lack of interest from the competitors, rather than that someone came up with an exploit but chose instead to sell it to the internet underworld.)
Java, plugged into Internet Explorer on Windows, also fell today – not once, but three times.
Here’s HP’s summary of the results so far:
The competition continues at midday on Thursday 07 March 2013, with VUPEN Security taking a crack at Adobe Flash and George Hotz trying out his skills on the Adobe Reader plugin.
When they’re done, Pham Toan will take his turn against Internet Explorer 10.
If he succeeds, he’ll only win a consolation prize because, as shown above, VUPEN already took down Microsoft’s latest browser.
→ PWN2OWN contestants step up to the plate/crease in a randomly-chosen order. And since you only enter in the first place if you’re pretty certain that you have an exploit that will work on the competition system, that usually means that it’s first in, best dressed. Second and third place winners get kudos, but no cash.
With prize money at 70% of that for Chrome and IE, you’d assume that Flash and Reader are supposed to be easier to break. On the other hand, Safari was valued at just 65%, and no-one broke that.
So stay tuned. We’ll let you know tomorrow how Flash and Reader stood up.