Major browsers fall on day one of Pwn2Own, Chrome survives

March 25, 2010, 11:34 AM
For the fourth consecutive time in as many years, three of the most common web browsers have been successfully exploited on day one of Pwn2Own. The annual contest is sponsored by security firm TippingPoint, which challenges hackers and security researchers to attack devices running fully up-to-date versions of the latest browsers and operating systems, and then shares the details with the respective software vendors so they can work on patches.

Not surprisingly, there were a few familiar faces showing their exploits at the competition. Just like in 2009 and the year before, Charlie Miller was awarded a cash prize after hacking Safari on a MacBook Pro without having physical access to the machine. Next was Peter Vreugdenhil, who managed to bypass Windows security features, including Data Execution Prevention, via Internet Explorer 8 to take over a PC -- receiving $10,000 plus the hardware.

Another former winner known only by his first name, Nils, received $10,000 for exposing a memory corruption flaw in the latest version of Mozilla's Firefox browser. Of all the browsers set up as targets for the contest, only Google's Chrome remained standing on the first day, while Apple's Safari even saw a second hack centering on the iPhone.

Within minutes of the competition starting, two European researchers, Vincenzo Iozzo and Ralf Weinmann, managed to download the SMS database of a fully patched iPhone 3GS simply by visiting a specially crafted website. According to the researchers, while the exploit focused just on the SMS data, the same attack could be designed to access contacts, photos, and other data on the iPhone without the user having any idea an attack was underway.




User Comments: 34

SNGX1275, TS Forces Special, said:

Sucks that Opera wasn't one of the browsers.

Guest said:

Yeah, I believe they limit it to real browsers only...

Guest said:

If you are implying that Opera isn't a real browser, then you clearly aren't very savvy or a mobile browser user. Opera's Mobile browser is top-notch.

Burty117, TechSpot Chancellor, said:

Opera is a real browser but probably more hackable than we think. So Opera refuse to have it show in the tests and make them look bad.

Proud to see Firefox in there though! Although was expecting it to be hacked more than just a memory corruption flaw.

Fishingelbow said:

Opera not a "real" browser...

Right! It's not full of holes requiring patches every other day!

TomSEA, TechSpot Chancellor, said:

Lovely...a real vote of confidence for security through our browsers.

Guest said:

Chrome is intriguing, seems to be emerging as a real player among browsers.

For most of my clients I'm still backing Firefox. In particular, their responses to vulnerabilities remain gratifyingly quick.

Guest said:

Opera is a very good browser and has continuously been at the top of the security charts for years.

compdata, TechSpot Paladin, said:

ouch. Doesn't exactly make me feel safe browsing :-p

9Nails, TechSpot Paladin, said:

Do they mention if these browsers had plug-ins installed? I seem to recall some previous competitions like this where I.E. and Firefox withstood the attack initially. Then some plug-ins were added to the competition where the winner exploited QuickTime security holes and was then able to compromise the computer.

EXCellR8, The Conservative, said:

At this point IE shouldn't even be in the contest...

Guest said:

Too bad Chrome sucks memory like a back-alley hooker.

The same 10 webpages opened in separate tabs and total memory used:

IE 8 = 200MB

FF 3.6 = 240MB

Chrome 4.1 = 750MB

T77 said:

Opera is one of the best out there. I wonder why it was not present.

I wouldn't be surprised if IE wasn't there, it doesn't matter much if it was exploited. How many people out there use IE8? More and more users are switching to FF, Chrome and Opera.

We have to use IE rarely, only when some site would not support Chrome, Opera...

Badfinger said:

Opera I tried many times, never stuck, but I do have 10.10 installed.

Opera is a very good browser, I am just a long term Firefox user, and try as I might, none of the new kids keep my attn for very long.

M$ can cram IE where the sun don't shine, I will never use that thing on purpose, unless there is no other option.

I started using Firefox around beta .92, so it has been a while, now at 3.6.2

Clrabbit said:

To be honest I actually like Opera's low usage, it in turn means less stuff is made to exploit it since such a small user base uses it. Kind of like using some rare distro of Linux, secure by obscurity.

I always worry every time Opera does something big to attract a bunch of new people.

I've used Chrome a couple of times but you know The ad, code and content blocking is just so lacking. Then again from Google's standpoint it's not a good thing when too many people are blocking all your ads.. In fact the only time I have even ever seen an AdSense ad was when I was using Chrome on somebody else's computer.... It was rather strange and disorienting to see so many ads on the Internet. lol

megrawab said:

Wow. Chrome is developed very well... Too bad Opera was not included... At least it didn't upset me.. Opera is still the best for me then chrome... Where can I study hacking ? ....

LightHeart said:

Chrome

I read a comment on a web site that Chrome was recently patched before the contest. That is a week before the contest new patches were applied. The other software in the contest had versions that were not patched in several weeks. The point being hackers had more time to work through flaws with the other software.

Burty117, TechSpot Chancellor, said:

Almost everyone above me, why do you all seem afraid of your Browser being hacked?? I know it's a possibility but really only when you navigate to a dodgy website. How many of you visit the most vile porn everyday?

Honestly I haven't had an anti-virus installed for the last couple of years and my browser has always been FF yet I have not yet been infected! and it's nice not to have some stupid anti-virus running in the background take resources for nothing.

The people in this test as stated by LightHeart all got to start hacking the software weeks in advance.

I actually feel safer knowing FF only has a memory corruption issue rather than IE which can be hacked within minutes and the entire computer taken control of!

Guest said:

@ Burty, dodgy websites and porn are not the only places you get hacked. Ever click on a "google" right sidebar ad? Got a virus from a $99 cruise ad that could not be gotten rid of. Had to reformat my HD.

Burty117, TechSpot Chancellor, said:

Guest said:

@ Burty, dodgy websites and porn are not the only places you get hacked. Ever click on a "google" right sidebar ad? Got a virus from a $99 cruise ad that could not be gotten rid of. Had to reformat my HD.

No! I never have, you're the ***** who clicked on the ads! I have never clicked on an ad on the internet I will never click on an ad. Sure I'll read them but why would you ever trust something that says "£99 cruise" on it? It's obviously a lie!

And another thing, I ONLY use google to search and to find places via Maps. I will never click on their sponsored sites I will never click on a link that doesn't go to a popular site. It's just asking for trouble.

I believe that fair enough browsers are not the greatest piece of coding ever made but it's better than we all give it credit for.

Most people like Guest here just seem to be a little bit thick and click on adverts and visit sites with names that are obviously going to contain viruses or . . . "ooooww! that looks like a good deal! I can fly half way across the world and they'll pay for the flight!" It's obviously fake! Why are you clicking on it??

It's not browsers that are insecure, it's the person using it.

poertner_1274, secroF laicepS topShceT, said:

Wow. Chrome is developed very well... Too bad Opera was not included... At least it didn't upset me.. Opera is still the best for me then chrome

Definitely a shame not to see how Opera stacks up to this competition. I would like to see what flaws are out there and see them patched.

Opera is by far my favorite browser, and have been using it since its inception.

... Where can I study hacking ? ....

Please do not ask about hacking sites. That is not supported here at TechSpot.

captaincranky, TechSpot Addict, said:

And another thing, I ONLY use google to search and to find places via Maps. I will never click on their sponsored sites I will never click on a link that doesn't go to a popular site. It's just asking for trouble.

I believe that fair enough browsers are not the greatest piece of coding ever made but it's better than we all give it credit for.

Most people like Guest here just seem to be a little bit thick and click on adverts and visit sites with names that are obviously going to contain viruses or . . . "ooooww! that looks like a good deal! I can fly half way across the world and they'll pay for the flight!" It's obviously fake! Why are you clicking on it??

It's not browsers that are insecure, it's the person using it.

You're the best Burty, I guess that's why you feel the need to tell us over and over again.

Almost everyone above me, why do you all seem afraid of your Browser being hacked?? I know it's a possibility but really only when you navigate to a dodgy website. How many of you visit the most vile porn everyday?
Ya know, after being here listening to dueling fanbois spout "truisms" like, "my browser's better than your browser", or maybe, "AMD's better than Intel", (and of course vice versa), porn is like a breath of fresh air.

Honestly I haven't had an anti-virus installed for the last couple of years and my browser has always been FF yet I have not yet been infected! and it's nice not to have some stupid anti-virus running in the background take resources for nothing.
See, this is the just reward for taking the moral high ground, unfortunately, so is extreme boredom.

Try and keep in mind though, that's what system resources are for, to be used.

My current system lists (on average) 3.5 GBs of RAM with about 2-4 % CPU usage. Wouldn't want to tax that, now would I?

Burty117, TechSpot Chancellor, said:

captaincranky said:

You're the best Burty, I guess that's why you feel the need to tell us over and over again.

Almost everyone above me, why do you all seem afraid of your Browser being hacked?? I know it's a possibility but really only when you navigate to a dodgy website. How many of you visit the most vile porn everyday?
Ya know, after being here listening to dueling fanbois spout "truisms" like, "my browser's better than your browser", or maybe, "AMD's better than Intel", (and of course vice versa), porn is like a breath of fresh air.

Honestly I haven't had an anti-virus installed for the last couple of years and my browser has always been FF yet I have not yet been infected! and it's nice not to have some stupid anti-virus running in the background take resources for nothing.
See, this is the just reward for taking the moral high ground, unfortunately, so is extreme boredom.

Try and keep in mind though, that's what system resources are for, to be used.

My current system lists (on average) 3.5 GBs of RAM with about 2-4 % CPU usage. Wouldn't want to tax that, now would I?

ha ha! lol! yeah, but when playing Crysis on an Athlon dual core the moment the anti-virus started it just made the game start to lag and crawl. so at the time it did make a big difference.

Plus I can promise you your computer goes above 4% when being used or when the anti-virus is scanning your computer. unless you have a really bad hard drive.

In all fairness though it is a lot of the time the users' fault that the virus got in their computer. I know, it's my job. Even if I just monitor someone's TS session you can always watch at least one person a day just click on something they obviously are not sure about because they take a moment to think about clicking on it.

Maybe curiosity killed the cat also killed the computer? =P

Guest said:

For those who don't use an antivirus, how do you know it's not infected... if you don't use an antivirus?? Does it look healthy?? Feeling in shape?

About the browser exploits, unless you're a sysadmin or IT manager in a big financial company, who cares? Do you store your bank account passwords written in a text file somewhere in your desktop? Do you send your credit card number for everyone who asks for it? If you do, then you should take care, and stop using the Web!! Just walk to your bank like you used to. It's good for your health and maybe your finances.

SNGX1275, TS Forces Special, said:

For those who don't use an antivirus, how do you know it's not infected... if you don't use an antivirus?? Does it look healthy?? Feeling in shape?

I can't speak for everyone, but until very recently I hadn't run AV on my machines in years. The way I ensured I wasn't infected was by using Opera to steer clear of most browser exploits, used gmail for email rather than OE or Outlook, and occasionally ran an online scan, like eset's. Those steps with a bit of common sense will keep you clean. The reason I am now not going AV free is because I saw first hand (by testing it out on my netbook) how little resources Microsoft's Security Essentials consumes.

Guest said:

Everyone who thinks Opera is not a "real browser", or it is a "new kid", or it's not compliant to security and other standards, do not really know what Opera is. In fact, Opera uses to be the first to implement a lot of very interesting things (at least to me), like mouse gestures (since version 3.sth), "Reload every..." (I use this as keepalive...), tabs, test compliance (http://acid3.acidtests.org/, http://www.css3.info/selectors-test/test.html), synchronization, widgets and, more recently, some features not interesting to me, but certainly useful to a lot of people (Opera Turbo, Opera Unite,...). By the way, I think one should point his/her preferred browser to those two links before saying something about Opera. In spite of some annoyances (e.g. lack of smartcard support), I'm stuck with Opera for some 12+ years. (please forgive my poor English...)

edivaldoapereira@yahoo.com.br

Guest said:

I strictly use IE8 and I never had a virus detected. I tried all other Browsers but always revert back to MS IE. I love Bill Gates! I wish I was his son! He is my hero! Windows 7 rules and so does IE8.

Burty117, TechSpot Chancellor, said:

Guest said:

I strictly use IE8 and I never had a virus detected. I tried all other Browsers but always revert back to MS IE. I love Bill Gates! I wish I was his son! He is my hero! Windows 7 rules and so does IE8.

I pity you deeply.

Or it's because you're smart and just don't click on stuff you don't know.

Either way though, still pity you for having to use the worst browser ever made.

captaincranky, TechSpot Addict, said:

I pity you deeply.

Or it's because you're smart and just don't click on stuff you don't know.

Either way though, still pity you for having to use the worst browser ever made.

There, there, now Burty, don't let that mean old nasty "guest" upset you. That was just the posting equivalent of a "drive by download". Don't give it a second thought, just go play your Crysis game.

Burty117, TechSpot Chancellor, said:

captaincranky said:

I pity you deeply.

Or it's because you're smart and just don't click on stuff you don't know.

Either way though, still pity you for having to use the worst browser ever made.

There, there, now Burty, don't let that mean old nasty "guest" upset you. That was just the posting equivalent of a "drive by download". Don't give it a second thought, just go play your Crysis game.

LOL! this made me chuckle =)

I do quite enjoy starting rows on here though. It's nice to see people who are still (relatively) sane =)

matrix86 said:

Everybody keeps listing the cool features of Opera, but they ALWAYS forget what I think is the coolest...the voice commands. Why are these never brought up?

I don't really use it anymore because I prefer the extreme customization of Firefox. Now that I have Dragon NaturallySpeaking, I just use that to control my browser. But for a while, I used the voice control in Opera and it worked very well for me.

Clrabbit said:

Couple of things to answer here:

"How do people that don't use AV know they're clean?"

The smart users when they say "I don't use AV" really mean "I don't bother with active AV software." meaning once a year or less they do have about 3~6 AV programs they sweep their computer with and find nothing!

At least this is what I do every time before I reformat my system or once a year, whichever comes sooner I like to run a good sweep of the system, just for fun. So far the only things found over the last 10 years have been 4 cookies in Firefox... that I'm pretty sure were false positives. Since they were data tracking cookies I actually wanted to keep around, so I didn't have to log in to things all the damn time.

For the most part as long as you have your Browser/system/firewall/router/modem set up right it doesn't matter how "Questionable" the site is you're pretty safe, as long as you're not stupid enough to give out information about yourself.

In order to exploit a flaw a site must use active code, if you have everything but basic XHTML and CSS disabled, it would be extremely hard for a site to automatically do anything to you.

The way most people get themselves "infected" which is a very relative term since most of the things people call "viral" are really things they agreed to, they just didn't read the EULA of something they installed. As a tech I've had people swear up and down they got something from an ad on google... a quick look around add/remove programs and it's like ah~ no you are using about 10 ad supported programs.

There are viral ads and site code out there, but be smart keep ActiveX, Java, Scripts, and flash disabled on sites you don't trust. Clean your cache often, and have cookies auto deleted, only manually keep cookies that you know you want, and don't accept cookies from every site on the Internet. "I mean really didn't your parents teach you not to take cookies from strangers?"

SNGX1275, TS Forces Special, said:

Everybody keeps listing the cool features of Opera, but they ALWAYS forget what I think is the coolest...the voice commands. Why are these never brought up?

I've actually never used Voice Commands, presumably the biggest reason is that until recently none of my computers have had a mic. I know they all have a line in, but I've never had a mic (well not since about 98 or 99) now my netbook does, but I've never used it. One thing that was huge for me when I first was using Opera was Mouse Gestures, it was really awesome to hold right mouse, flick left, and have that go back. I hardly use that anymore because my main PC's mouse has a back and forward arrow on it, so I just use those. But back when I just had a Logitech iFeel, mouse gestures were amazingly useful.

Guest said:

@burty117

Are you serious? You don't click on main advertisements, or any at all? What kind of paranoid way is that to 'surf'.

Even with your paranoia, someone who says they've never had a virus is a complete ***** - everyone has and will, probably even within a few days of browsing.

You say you don't go to the less popular sites, often they are probably safer than your more popular sites - these types of sites are targeted for iframe droppers, leaving you with a nice browser exploitation (and dirty payload).

Where it is obvious endpoint security's main flaw lies on the common user, browser security is not to be over-estimated, there exist databases of exploits for current or recent versions of the top browsers, and yes, that INCLUDES Opera.
