PWN2OWN: Google's Chrome only browser to withstand day one

TippingPoint's PWN2OWN contest has only been around for a short while, but is already very popular for testing the security of certain software and mobile devices.

This year has already shown significant security breaches on Apple's Safari, Mozilla's Firefox and Microsoft's Internet Explorer, but one browser did make it through the first day of testing: Google's Chrome. That's right, the youngest of all previously mentioned browsers was the only one not be breached via a range of exploits during the tests, although remember, this is only day one.

During the first day of testing, competitors are set a goal to breach the security of browsers without using such plug-ins as Flash or Java, which are common entry points for attackers. One of the people competing, Charlie Miller (prior champion of PWN2OWN) said that he found the bug he used this year whilst preparing last year, but chose not to tell anyone until the 2009 competition. Why? "I never give up free bugs. I have a new campaign. It's called NO MORE FREE BUGS. Vulnerabilities have a market value so it makes no sense to work hard to find a bug, write an exploit and then give it away," Miller said to ZDNet. "Apple pays people to do the same job so we know there's value to this work." He mentions this because the competition only pays for one bug per year of the competition, and he used a different one in 2008.

He also said that Apple's Safari was the easiest to exploit, whilst on Mac OS X, whereas it's harder to do so on Windows. Chrome, though, had one bug identified by Miller, yet he had been unable to exploit it "because the browser's sandboxing feature and the operating system's security measures together pose a formidable challenge," said Ars Technica.

Keep an eye out to see how day two goes, when competitors are allowed to use plug-ins to breach security of the browsers.

Report a problem with article
Previous Story

Rumor: Next gen iPhone to feature much faster internet speed

Next Story

Rumor: Video coming to next gen iPhone this year

46 Comments

Commenting is disabled on this article.

Just curious, what do they count as an exploit? Just some random bug, or something that allows a hacker/third party to gain access to the end user's personal data?

Also, say Chrome survives the whole Pwn2Own, that doesn't mean it has the best security out of the other browsers, it means it has the best security from the hackers/crackers at Pwn2Own compared to the other browsers. And sadly if it does have the best security, that doesn't mean everyone is going to switch to it as most ppl will stay on IE. Either way, good article and props to Google for surviving day one.

But still chrome is unusable as a daily browser because its lack of several features, for example ABP and noscrypt.

And as developer, nobody really uses it, so i don't really care if a system runs or not with chrome.

Impressive stuff. I just wish Google Chrome worked better with Silver Light then I'd use it as my default browser, maybe (I am undecided if I dare give up Firefox yet).

Yeah, I thought the same thing too, because my netflix(big user of siverlight) wasnt working but come to find out you can just change the user agent string in the shortcut area of chrome and it'll work

lame news, proper title would be: PWN2OWN: Google's Chrome only TESTED browser to withstand day one

they did not test all browsers and Opera would be probably withstand one as well
mind that in some countries Opera is 2nd most popular browser

SHADOW-XIII said,
lame news, proper title would be: PWN2OWN: Google's Chrome only TESTED browser to withstand day one

they did not test all browsers and Opera would be probably withstand one as well
mind that in some countries Opera is 2nd most popular browser


It was still technically the only browser to withstand day one of the Pwn2Own, regardless of browsers tested :)

Besides, that title wouldn't fit.

What about Firefox, Safari and Internet Explorer then? What are each of those? A web browser and nothing else? Yes, they each are

mocax said,
Chrome is a web browser, and nothing else.

the lack of features is sometimes a blessing.


and firefox is a browser + C++ compiler?

mocax said,
the lack of features is sometimes a blessing.

GreyWolfSC said,
I think he meant it has no addons?

Most likely. I kind of have to agree, though the zippy javascript rendering is probably more influential for me.

but ogmz!" what about flock?!?!?! ha.
IE and safari are going to have a bit of money behind them, as in if you bring an exploit to MS/Apple you are more likely to reward more for it.
surely that is the motivation over chrome at present?

How so? They used the top browsers. Can't blame them if Opera can't get it in gear to build up popularity. They've only been around how long now? And still sit where? Yeah...

nunjabusiness said,
Damn shame Chrome is not working on Windows 7

You can run it with the "--in-process-plugins" switch, but its quite buggy. Crashes very often for me, especially on flash-pages, so might be a problem related to Chrome and flash on Win7.

I heard that these hackers had days to plan their executions, and they just most likely didn't concentrate their efforts on Chrome, because it's relatively new. They haven't learned the 'tricks' yet.

Well, obviously, they had as much time as they wanted to plan an attack on the browser.

Chrome has been out for long enough and is open-source so it shouldn't be too hard to find flaws. This is actually the reason most flaws were probably fixed. Also don't forget there is not much to Chrome -- a bare-bones browser -- making it much harder to compromise.

Netscape doesn't look too far behind Opera, yet it wasn't included either.

I suppose they drew the line to browsers with over 1% usage.

Stop looking at w3schools, they aren't an analyst firm, just a niche website displaying their wacked up statistics for a single website.
(this is not just about Opera, but about all of them, since they target IT people and thus aren't representative of the web at large, only early adopters, geeks, and web devs)

Xcursion said,
I'd like to see them include Opera.

Opera frequently Id's itself as "IE" to get out of "non supported" browser code, and as a result, will get mis-identified as a web site hit.

The new beta is starting to support RSS feeds and support for extensions is maturing.

It's a long way off competing with Firefox for me though and I will be sticking with Firefox or Safari 4 for the time being.

I've got a feeling that this Charlie Miller is quite anti-apple.

Wow about the results though, it's weird to think how insecure the browsers are when people really work to break them.

Majesticmerc said,
I've got a feeling that this Charlie Miller is quite anti-apple.

Wow about the results though, it's weird to think how insecure the browsers are when people really work to break them.


Not sure; I think he went for Safari as it literally took a couple seconds for him to exploit it. I think it was more a case of "rawr, hacker muscles" I could be wrong, though.

Well, considering Apple advertises their software as being more secure than the rest, it's probably a given motivation to try and take them down.

Though, I'm more willing to believe that hackers will generally go for what's easiest to attack. I mean, it's simply the logical idea.

IE, FF, Safari are old browsers. Hackers got used to them and their internals, so it's easier to identify weakness's faster in these than new browsers which are less familiar.

That's... kind of bogus reasoning. Many bugs are found immediately after a release as certain areas may have been overlooked by the company. The older browsers have had more time to sit out and tighten down any loose screws found on their browser.

Also, Chrome is based off of Webkit which has been around for quite some time.

Raa said,
IE 8's old? Damn, I didn't realise the time had gone by so fast.......

I said IE. IE8 is the same architecture built around the COM. (snipped) Also remember that most IE vulns are originated from the ActiveX not the browser itself.

dead.cell said,
That's... kind of bogus reasoning. Many bugs are found immediately after a release as certain areas may have been overlooked by the company. The older browsers have had more time to sit out and tighten down any loose screws found on their browser.

Also, Chrome is based off of Webkit which has been around for quite some time.

Chrome indeed is based on the Webkit framework, which's open source, so chances are the code's been reviewed countless times. The only way to exploit Chrome is through plugins (the way they're implemented, even if they're officially claimed to run in less privileged levels) or through the Java applets.