Major browsers fall on day one of Pwn2Own, Chrome survives

Status
Not open for further replies.

Jos

Staff

For the fourth consecutive time in as many years, three of the most common web browsers have been successfully exploited on day one of Pwn2Own. The annual contest is sponsored by security firm TippingPoint, which challenges hackers and security researchers to attack devices running fully up-to-date versions of the latest browsers and operating systems, and then shares the details with the respective software vendors so they can work on patches.

Not surprisingly, there were a few familiar faces showing their exploits at the competition. Just like in 2009 and the year before, Charlie Miller was awarded a cash prize after hacking Safari on a MacBook Pro without having physical access to the machine. Next was Peter Vreugdenhil, who managed to bypass Windows security features, including Data Execution Prevention, via Internet Explorer 8 to take over a PC -- receiving $10,000 plus the hardware.

Another former winner known only by his first name, Nils, received $10,000 for exposing a memory corruption flaw in the latest version of Mozilla's Firefox browser. Of all the browsers set up as targets for the contest, only Google's Chrome remained standing on the first day, while Apple's Safari even saw a second hack centering on the iPhone.

Within minutes of the competition starting, two European researchers, Vincenzo Iozzo and Ralf Weinmann, managed to download the SMS database of a fully patched iPhone 3GS simply by visiting a specially crafted website. According to the researchers, while the exploit focused just on the SMS data, the same attack could be designed to access contacts, photos, and other data on the iPhone without the user having any idea an attack was underway.


 
If you are implying that Opera isn't a real browser, then you clearly aren't very savvy or a mobile browser user. Opera's Mobile browser is top-notch.
 
Opera is a real browser but probably more hackable than we think. So Opera refuse to have it show in the tests and make them look bad.

Proud to see Firefox in there though! Although was expecting it to be hacked more than just a memory corruption flaw.
 
Chrome is intriguing, seems to be emerging as a real player among browsers.

For most of my clients I'm still backing Firefox. In particular, their responses to vulnerabilities remain gratifyingly quick.
 
Opera is a very good browser and has continuously been at the top of the security charts for years.
 
Do they mention if these browsers had plug-ins installed? I seem to recall some previous competitions like this where I.E. and Firefox withstood the attack initially. Then some plug-ins were added to the competition where the winner exploited QuickTime security holes and was then able to compromise the computer.
 
Too bad Chrome sucks memory like a back-alley hooker.

The same 10 webpages opened in separate tabs and total memory used:

IE 8 = 200MB
FF 3.6 = 240MB
Chrome 4.1 = 750MB
 
Opera is one of the best out there. I wonder why it was not present.
I wouldn't be surprised if IE wasn't there, it doesn't matter much if it was exploited. How many people out there use IE8? More and more users are switching to FF, Chrome and Opera.
We have to use IE rarely, only when some site would not support Chrome, Opera...
 
Opera I tried many times, never stuck, but I do have 10.10 installed.
Opera is a very good browser, I am just a long term Firefox user, and try as I might, none of the new kids keep my attn for very long.

M$ can cram IE where the sun don't shine, I will never use that thing on purpose, unless there is no other option.

I started using Firefox around beta .92, so it has been a while, now at 3.6.2
 
To be honest I actually like Opera's low usage; it in turn means less stuff is made to exploit it since such a small user base uses it. Kind of like using some rare distro of Linux, secure by obscurity.

I always worry every time Opera does something big to attract a bunch of new people.

I've used Chrome a couple of times but you know the ad, code and content blocking is just so lacking. Then again from Google's standpoint it's not a good thing when too many people are blocking all your ads.. In fact the only time I have even ever seen an AdSense ad was when I was using Chrome on somebody else's computer.... It was rather strange and disorienting to see so many ads on the Internet. lol
 
Wow. Chrome is developed very well... Too bad Opera was not included... At least it didn't upset me.. Opera is still the best for me than Chrome... Where can I study hacking ? ....
 
Chrome

I read a comment on a web site that Chrome was recently patched before the contest. That is a week before the contest new patches were applied. The other software in the contest had versions that were not patched in several weeks. The point being hackers had more time to work through flaws with the other software.
 
Almost everyone above me, why do you all seem afraid of your browser being hacked?? I know it's a possibility but really only when you navigate to a dodgy website. How many of you visit the most vile porn every day?

Honestly I haven't had an anti-virus installed for the last couple of years and my browser has always been FF yet I have not yet been infected! And it's nice not to have some stupid anti-virus running in the background taking resources for nothing.

The people in this test as stated by LightHeart all got to start hacking the software weeks in advance.

I actually feel safer knowing FF only has a memory corruption issue rather than IE which can be hacked within minutes and the entire computer taken control of!
 
@ Burty, dodgy websites and porn are not the only places you get hacked. Ever click on a "google" right sidebar ad? Got a virus from a $99 cruise ad that could not be gotten rid of. Had to reformat my HD.
 
Guest said:
@ Burty, dodgy websites and porn are not the only places you get hacked. Ever click on a "google" right sidebar ad? Got a virus from a $99 cruise ad that could not be gotten rid of. Had to reformat my HD.

No! I never have, you're the ***** who clicked on the ads! I have never clicked on an ad on the internet. I will never click on an ad. Sure I'll read them but why would you ever trust something that says "£99 cruise" on it? It's obviously a lie!

And another thing, I ONLY use Google to search and to find places via Maps. I will never click on their sponsored sites. I will never click on a link that doesn't go to a popular site. It's just asking for trouble.

I believe that fair enough browsers are not the greatest piece of coding ever made but it's better than we all give it credit for.

Most people like Guest here just seem to be a little bit thick and click on adverts and visit sites with names that are obviously going to contain viruses or . . . "ooooww! That looks like a good deal! I can fly half way across the world and they'll pay for the flight!" It's obviously fake! Why are you clicking on it??

It's not browsers that are insecure, it's the person using it.
 
Wow. Chrome is developed very well... Too bad Opera was not included... At least it didn't upset me.. Opera is still the best for me than Chrome
Definitely a shame not to see how Opera stacks up to this competition. I would like to see what flaws are out there and see them patched.

Opera is by far my favorite browser, and have been using it since its inception.
... Where can I study hacking ? ....
Please do not ask about hacking sites. That is not supported here at TechSpot.
 
And another thing, I ONLY use Google to search and to find places via Maps. I will never click on their sponsored sites. I will never click on a link that doesn't go to a popular site. It's just asking for trouble.

I believe that fair enough browsers are not the greatest piece of coding ever made but it's better than we all give it credit for.

Most people like Guest here just seem to be a little bit thick and click on adverts and visit sites with names that are obviously going to contain viruses or . . . "ooooww! That looks like a good deal! I can fly half way across the world and they'll pay for the flight!" It's obviously fake! Why are you clicking on it??

It's not browsers that are insecure, it's the person using it.
You're the best Burty, I guess that's why you feel the need to tell us over and over again.
Almost everyone above me, why do you all seem afraid of your browser being hacked?? I know it's a possibility but really only when you navigate to a dodgy website. How many of you visit the most vile porn every day?
Ya know, after being here listening to dueling fanbois spout "truisms" like, "my browser's better than your browser", or maybe, "AMD's better than Intel", (and of course vice versa), porn is like a breath of fresh air.

Honestly I haven't had an anti-virus installed for the last couple of years and my browser has always been FF yet I have not yet been infected! And it's nice not to have some stupid anti-virus running in the background taking resources for nothing.
See, this is the just reward for taking the moral high ground, unfortunately, so is extreme boredom.

Try and keep in mind though, that's what system resources are for, to be used.

My current system lists (on average) 3.5 GBs of RAM with about 2-4 % CPU usage. Wouldn't want to tax that, now would I?
 
captaincranky said:
You're the best Burty, I guess that's why you feel the need to tell us over and over again.
Almost everyone above me, why do you all seem afraid of your browser being hacked?? I know it's a possibility but really only when you navigate to a dodgy website. How many of you visit the most vile porn every day?
Ya know, after being here listening to dueling fanbois spout "truisms" like, "my browser's better than your browser", or maybe, "AMD's better than Intel", (and of course vice versa), porn is like a breath of fresh air.

Honestly I haven't had an anti-virus installed for the last couple of years and my browser has always been FF yet I have not yet been infected! And it's nice not to have some stupid anti-virus running in the background taking resources for nothing.
See, this is the just reward for taking the moral high ground, unfortunately, so is extreme boredom.

Try and keep in mind though, that's what system resources are for, to be used.

My current system lists (on average) 3.5 GBs of RAM with about 2-4 % CPU usage. Wouldn't want to tax that, now would I?

ha ha! lol! Yeah, but when playing Crysis on an Athlon dual core, the moment the anti-virus started it just made the game start to lag and crawl. So at the time it did make a big difference.

Plus I can promise you your computer goes above 4% when being used or when the anti-virus is scanning your computer. Unless you have a really bad hard drive.

In all fairness though it is a lot of the time the user's fault that the virus got in their computer. I know, it's my job. Even if I just monitor someone's TS session you can always watch at least one person a day just click on something they obviously are not sure about because they take a moment to think about clicking on it.

Maybe curiosity killed the cat also killed the computer? =P
 
For those who don't use an antivirus, how do you know it's not infected... if you don't use an antivirus?? Does it look healthy?? Feeling in shape?
About the browser exploits, unless you're a sysadmin or IT manager in a big financial company, who cares? Do you store your bank account passwords written in a text file somewhere on your desktop? Do you send your credit card number to everyone who asks for it? If you do, then you should take care, and stop using the Web!! Just walk to your bank like you used to. It's good for your health and maybe your finances.
 