TippingPoint's PWN2OWN contest has only been around for a short while, but is already very popular for testing the security of certain software and mobile devices. This year has already shown significant security breaches on Apple's Safari, Mozilla's Firefox and Microsoft's Internet Explorer, but one browser did make it through the first day of testing: Google's Chrome. That's right, the youngest of all previously mentioned browsers was the only one not to be breached via a range of exploits during the tests, although remember, this is only day one.
During the first day of testing, competitors are set a goal to breach the security of browsers without using such plug-ins as Flash or Java, which are common entry points for attackers. One of the people competing, Charlie Miller (prior champion of PWN2OWN) said that he found the bug he used this year whilst preparing last year, but chose not to tell anyone until the 2009 competition. Why? "I never give up free bugs. I have a new campaign. It's called NO MORE FREE BUGS. Vulnerabilities have a market value so it makes no sense to work hard to find a bug, write an exploit and then give it away," Miller said to ZDNet. "Apple pays people to do the same job so we know there's value to this work." He mentions this because the competition only pays for one bug per year of the competition, and he used a different one in 2008.
He also said that Apple's Safari was the easiest to exploit on Mac OS X, whereas it's harder to do so on Windows. Chrome, though, had one bug identified by Miller, yet he had been unable to exploit it "because the browser's sandboxing feature and the operating system's security measures together pose a formidable challenge," said Ars Technica.
Keep an eye out to see how day two goes, when competitors are allowed to use plug-ins to breach the security of the browsers.
















Also, Chrome is based off of Webkit which has been around for quite some time.
I said IE. IE8 is the same architecture built around the COM. (snipped) Also remember that most IE vulns are originated from the ActiveX not the browser itself.
Last edited by GreyWolfSC on 21 Mar 2009 - 00:16
Chrome indeed is based on the Webkit framework, which's open source, so chances are the code's been reviewed countless times. The only way to exploit Chrome is through plugins (the way they're implemented, even if they're officially claimed to run in less privileged levels) or through the Java applets.
Wow about the results though, it's weird to think how insecure the browsers are when people really work to break them.
Not sure; I think he went for Safari as it literally took a couple seconds for him to exploit it. I think it was more a case of "rawr, hacker muscles" :p I could be wrong, though.
Though, I'm more willing to believe that hackers will generally go for what's easiest to attack. I mean, it's simply the logical idea.
http://dvlabs.tippingpoint.com/blog/2009/0...ro-day-exploits
http://farm4.static.flickr.com/3452/336641..._1579ac95f9.jpg
- but maybe that's just the MacBook he won last year
I mean, it doesn't even support RSS.
It's a long way off competing with Firefox for me though and I will be sticking with Firefox or Safari 4 for the time being.
I suppose they drew the line to browsers with over 1% usage.
Opera is still actively developed and is only a fraction less than Safari in the browser market. At least according to W3Schools http://www.w3schools.com/browsers/browsers_stats.asp
(this is not just about Opera, but about all of them, since they target IT people and thus aren't representative of the web at large, only early adopters, geeks, and web devs)
That website inflates Opera's true figure by about 4 times. Opera's market share is tiny, around the same size as Netscape's.
Opera frequently IDs itself as "IE" to get out of "non supported" browser code, and as a result, will get mis-identified as a web site hit.
Chrome has been out for long enough and is open-source so it shouldn't be too hard to find flaws. This is actually the reason most flaws were probably fixed. Also don't forget there is not much to Chrome -- a bare-bones browser -- making it much harder to compromise.
You can run it with the "--in-process-plugins" switch, but it's quite buggy. Crashes very often for me, especially on Flash pages, so might be a problem related to Chrome and Flash on Win7.
IE and Safari are going to have a bit of money behind them, as in if you bring an exploit to MS/Apple you are more likely to reward more for it.
Surely that is the motivation over Chrome at present?
the lack of features is sometimes a blessing.
And Firefox is a browser + C++ compiler?
Most likely. I kind of have to agree, though the zippy javascript rendering is probably more influential for me.
They did not test all browsers and Opera would probably withstand one as well
mind that in some countries Opera is 2nd most popular browser
It was still technically the only browser to withstand day one of the Pwn2Own, regardless of browsers tested
Besides, that title wouldn't fit.
And as a developer, nobody really uses it, so I don't really care if a system runs or not with Chrome.
Also, say Chrome survives the whole Pwn2Own, that doesn't mean it has the best security out of the other browsers, it means it has the best security from the hackers/crackers at Pwn2Own compared to the other browsers. And sadly if it does have the best security, that doesn't mean everyone is going to switch to it as most people will stay on IE. Either way, good article and props to Google for surviving day one.