IE8 and Safari hacked at Pwn2Own, nobody tries Chrome

Matthew DeCarlo

Matthew DeCarlo

Posts: 5,271   +104
Staff

Hackers successfully compromised Safari and Internet Explorer during the first day of Pwn2Own. The event began yesterday at 3:30PM PT and a group from French security firm Vupen exploited Safari 5 running on a MacBook Air in only five seconds, according to Computerworld. That's despite Apple releasing a last minute patch (v5.0.4) to prevent contestants from using known bugs. In addition to keeping the MacBook Air, the team earned a smooth $15,000 for its accomplishment.

Microsoft decided against updating Internet Explorer 8 ahead of Pwn2Own, presumably because it would have come outside of the company's traditional patch cycle. IE8 also fell to its first attacker, Stephen Fewer of Harmon Security. Fewer reportedly used three separate vulnerabilities to escape Protected Mode and bypass ASLR and DEP on Windows 7, something event organizer Aaron Portnoy hasn't seen before at Pwn2Own. Fewer also won $15,000 and the compromised system.


Despite Google's hefty $20,000 prize, no one has even attempted to hack Chrome. Only two parties registered for Chrome but the first contestant was a no-show and the second team wanted to focus on their BlackBerry vulnerability. The $20,000 offering only applied to the first day, but someone could still win $10,000 if they successfully exploit the browser before the event ends on March 11. Hackers will try their hand at Firefox and various mobile platforms today and tomorrow.

Permalink to story.

https://www.techspot.com/news/42765-ie8-and-safari-hacked-at-pwn2own-nobody-tries-chrome.html

 
I would think firefox would be compromised rather quickly because it is open source. People can just examine code and then find a snippet that could be used to exploit it. I know that it really isn't that easy to do, but I'm sure the developers of it could come up with at least one loop hole somewhere.
 
That's also the power of open source the group at the head of the distrbution or a concerned users, see's it, submits the bug and it gets fixed very fast.
 
Win7Dev said:
I would think firefox would be compromised rather quickly because it is open source. People can just examine code and then find a snippet that could be used to exploit it. I know that it really isn't that easy to do, but I'm sure the developers of it could come up with at least one loop hole somewhere.
Click to expand...

Since firefox is a browser that many hackers use the hackers report bugs they find instead of exploiting them.
 
@Win7Dev Well almost every browser is open source or a good part of it, Chrome and Safari use the open-source Webkit rendering engine, Chrome's chrome (UI) and its javascript interpreter is also open, Firefox is open from head to toes, the only private ones are Opera and IE.

Chrome is the toughest to crack because it runs every tab in its own sandbox making it very difficult for exploits to run arbitrary code. Webkit2, the next version of webkit, will have this functionality built-in, it's supposed to be implemented in Safari with OS X Lion.
 
I wouldn't call that winning. That's like sitting in a dunk tank and no one wants to throw the ball. Disappointing for everyone.
 
neofryboy said:
I wouldn't call that winning. That's like sitting in a dunk tank and no one wants to throw the ball. Disappointing for everyone.
Click to expand...

very poor analogy... but if you find a standard dunk tank that pays $20,000 for hitting it, i'm in.
 
jurassic4096 said:
neofryboy said:
I wouldn't call that winning. That's like sitting in a dunk tank and no one wants to throw the ball. Disappointing for everyone.
Click to expand...

very poor analogy... but if you find a standard dunk tank that pays $20,000 for hitting it, i'm in.
Click to expand...
Umm, Google challenged people to hack them and no one "throw the ball", its a good analogy if you ask me. Poor chrome least you didn't get "wet"
 
I'll be very curious to see if anyone can hack Opera. It may have a lower share of the browser market, but it is hands down the best browser I have ever used. There is something fishy about no-one even attempting to hack Chrome. Plus, I would never use a browser or any other software or hardware that is sponsored by a company who's primary business is collecting data.
 
aj_the_kidd said:
jurassic4096 said:
neofryboy said:
I wouldn't call that winning. That's like sitting in a dunk tank and no one wants to throw the ball. Disappointing for everyone.
Click to expand...

very poor analogy... but if you find a standard dunk tank that pays $20,000 for hitting it, i'm in.
Click to expand...
Umm, Google challenged people to hack them and no one "throw the ball", its a good analogy if you ask me. Poor chrome least you didn't get "wet"
Click to expand...

I'd call it a bad analogy because if I was in a dunk tank I wouldn't be disappointed if nobody dunked me :p
 
I'm with aj on this one. Chrome would win if someone tried and didn't succeed. You can't call something uncrackable when nobody tries to crack it. Intimidation is no excuse. Somebody who knows what they're doing needs to grow a pair and have it. They all seem to be taking the easy way out. They know Firefox, IE, and Safari can be cracked, so they go with it. But Chrome is tight is would take a lot more work. What would you rather go for? A browser that you have a good chance at cracking and winning the prize money? Or a browser that's hard to crack, causing you to not get any prize money?
Although considering it's been untouched for the past 2 years, there should be no excuse for this. Someone at least try it!
 
matrix86 said:
I'm with aj on this one. Chrome would win if someone tried and didn't succeed. You can't call something uncrackable when nobody tries to crack it. Intimidation is no excuse. Somebody who knows what they're doing needs to grow a pair and have it. They all seem to be taking the easy way out. They know Firefox, IE, and Safari can be cracked, so they go with it. But Chrome is tight is would take a lot more work. What would you rather go for? A browser that you have a good chance at cracking and winning the prize money? Or a browser that's hard to crack, causing you to not get any prize money?
Although considering it's been untouched for the past 2 years, there should be no excuse for this. Someone at least try it!
Click to expand...
Yeah I thought hackers were all about notoriety. I'd want to be part of team which hacked Chrome and told Google to "Sit down, be quiet, cause I just hacked your browser *****, now give me that money" :)
 
I think you mean that Google have given out $100,000 in rewards but if not please provide a source. Seems a little unlikely that they would be rewarding people $150,000 for each exploit found
 
aj_the_kidd said:
I think you mean that Google have given out $100,000 in rewards but if not please provide a source. Seems a little unlikely that they would be rewarding people $150,000 for each exploit found
Click to expand...

They were offering $1337 USD per exploit found... a funny figure.
 
You must log in or register to reply here.

Similar threads

A
Pwn2Own 2023 day one, all major operating systems and Tesla Model 3 hacked
Replies
4
Views
488
Q Wales
Q Wales
A
Pwn2Own 2023 contestants won more than $1 million by exploiting 27 zero-day flaws in three...
Replies
1
Views
454
m3diapers
M
midian182
Apex Legends tournament postponed after players hacked mid-match
Replies
0
Views
92
midian182
midian182

Latest posts

Back