Slashdot Mirror

← Back to Stories (view on slashdot.org)

IE8, Safari, iPhone All Fall At Pwn2Own Contest

Posted by timothy on from the sucks-to-be-everyone dept.

SpuriousLogic writes "The annual Pwn2Own contest at CanSecWest is underway, and on the first day Web browsers fell to attack. Internet Explorer 8 and Firefox 3.6.2 on 64-bit Windows 7 and Safari on OS X all were forced to run exploit code. To add insult to injury, an iPhone was cracked and the SMS database lifted from it." Updated 22:40 GMT by timothy: CWmike adds this interesting bit: "The only researcher to three-peat at the Pwn2Own hacking contest said on Thursday that security is such a 'broken record' that he won't hand over 20 vulnerabilities he's found in Apple's, Adobe's and Microsoft's software. Instead Charlie Miller will show the vendors how to find the bugs themselves."

30 of 223 comments (clear)

  1. Title misleading? by Anonymous Coward · · Score: 5, Insightful

    Title misleading maybe... just a bit? Firefox got owned as well.

    1. Re:Title misleading? by Anonymous Coward · · Score: 4, Insightful

      Mod parent up. We all love firefox and all, but seriously, it deserves as much shame as all the other failed browsers. Submitter biased much?

    2. Re:Title misleading? by dogmatixpsych · · Score: 2, Insightful

      Actually I don't love Firefox. I use it as my main browser at home but I prefer Safari or Chrome. Firefox crashes frequently - at least a couple times a week - but I've never had problems with Safari or Chrome.

    3. Re:Title misleading? by pete_norm · · Score: 2, Insightful

      If you have that much trouble with Firefox, why do you keep using it?

    4. Re:Title misleading? by quadelirus · · Score: 3, Insightful

      The parent, my friends, is an example of the literal.net. The grandparent to this post was clearly being sarcastic, but that was lost of the anonymous coward above.

    5. Re:Title misleading? by poetmatt · · Score: 4, Insightful

      What are you doing exactly that firefox crashes? Other than jinitiator problems, there's almost nothing that can do so.

      Your lack of information makes me skeptical of vying for firefox instability. In fact, it sounds downright misleading. This is like saying "My car stalls sometimes". The answer is, sure, it does, but what are you doing to cause it? Firefox doesn't just "Crash on it's own" and neither does any browser.

      Likewise, the same basically applies to safari, IE8, etc. As much as all browsers have security risks, their instabilities mostly don't exist.

  2. Well ... by WrongSizeGlass · · Score: 5, Insightful

    ... these guys (and gals?) all know what they are going to try before they ever get to this contest. It's not like they discover all these vulnerabilities during some epiphany once they arrive.

    On the other hand, these security holes are real and need to be addressed by anyone and everyone that was shamed (this means MS, Apple, Mozilla, everyone) pronto!

    1. Re:Well ... by andrea.sartori · · Score: 3, Insightful

      the very fact that these people know what to do beforehand is proof that app security is generally terrible.

      --
      Mostly harmless.
    2. Re:Well ... by Bill_the_Engineer · · Score: 3, Insightful

      the very fact that these people know what to do beforehand is proof that app security is generally terrible

      App security may be generally terrible, but I believe that the fact really proves that the contestants can keep a secret until the contest.

      --
      These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
    3. Re:Well ... by Lunix+Nutcase · · Score: 2, Insightful

      Because it wasn't part of the contest due to its extremely small market share.

  3. firefox on osx? by Anonymous Coward · · Score: 1, Insightful

    is the firefox exploit windows x64 only? or is it an exploit in the common firefox code?
     
    why does cracking the iphone add insult to injury? seems like you're throwing about cliches for the hell of it
     
    capture: wetness... it's what slashdot makes me feel in my pants

  4. So 64-bit ASLR on Windows is flawed as well... by dingen · · Score: 4, Insightful

    It was already known and acknowledged by Microsoft that their ASLR implementation on 32-bit Windows was rather weak, but apparently the 64-bit version of it can be bypassed as well, as all of the hacks of pwn2own on Windows 7 made use of return-to-libc attacks, which should be impossible on systems with address space layout randomization.

    --
    Pretty good is actually pretty bad.
    1. Re:So 64-bit ASLR on Windows is flawed as well... by geekboy642 · · Score: 3, Insightful

      Wait, wait, don't tell me: Running an 8 year old development platform written by amateurs with an unsupported 3rd-party plugin in a 32-to-64-bit emulation layer on a modern operating system is unstable? Oh my fuck, it's Armageddon!

      --
      Just another "DOJ fascist authoritarian totalitarian bootlicker" -- Zeio
  5. Misleading; no credibility by carlhaagen · · Score: 5, Insightful

    The exploits were of course not found in the 5, 10 or 15 minutes advertised. They were all worked on for weeks, and even months, and were well-tested and prepared before being executed at the contest like a rehearsed stage play. Also worth to note is that the reason behind "Chrome only browser that withstood security breach" was that NO ONE TESTED CHROME AT ALL. I give this particular "Pwn2Own" show no credibility what so ever because of these details.

  6. On the other hand... by Tetsujin · · Score: 4, Insightful

    the very fact that these people know what to do beforehand is proof that app security is generally terrible.

    Well, I think you have a very good point there - but on the other hand, the developers do have to prioritize the work they do. Finding and fixing a serious, but hard-to-discover security flaw before this flaw has become widely disseminated may not be worth the effort. In principle "security through obscurity" isn't a good policy but in practice it's often good enough. If the software has a serious flaw but nobody knows about it, that's good enough, at least temporarily.

    --
    Bow-ties are cool.
    1. Re:On the other hand... by Tetsujin · · Score: 4, Insightful

      Nice, you've just contradicted every security researcher over the last however many years. Congratulations on coming across as a fool.

      Dude, we disagree. It happens. You don't need to be a douche about it.

      Software Engineering is an engineering discipline. That means the principles according to which the product should work are always tempered by the reality of how the work must be conducted. What good is it, for instance, if you have the most secure browser of them all, if nobody uses it? That's an extreme case, of course, in which security concerns are so heavily emphasized that they would compromise some other essential concern (for instance, it could fuck up the release schedule, interfere with work being done to make the software run quickly, or take development resources away from the challenge of trying to make the browser more appealing to its audience...) Obviously there are other intermediate outcomes possible. But generally speaking one can't aim for perfection. If you set out to make something perfect, it never gets done, because it's never perfect. Obviously the bugs should be fixed... But finding and fixing a security flaw before an exploit has made its way into the wild is not necessarily the best use of development resources. It depends on the situation, really.

      --
      Bow-ties are cool.
    2. Re:On the other hand... by ClosedSource · · Score: 1, Insightful

      "There is no such thing as "security through obscurity", it's a myth created by lazy programmers."

      Right, that's why I give out my passwords to everyone I can.

    3. Re:On the other hand... by dougisfunny · · Score: 3, Insightful

      I usually aim for perfection, though I don't wait until then to release. Aiming for perfection is fine. Waiting for it is not, as attaining perfection isn't possible.

      --
      This is not the funny you're looking for.
    4. Re:On the other hand... by Lars+T. · · Score: 3, Insightful

      my password on my bank site is 1234!ab. my bank account pin is 2389. my mother's maiden name is O'Conner. I have $37,890.12 in savings, and about $2,200 in checking (it varies)

      I'm also a gun owner in a castle doctrine state.

      Security through obscurity is a myth? COME GET SOME.

      Well, thanks for the information, Mr. Anonymous Coward.

      --

      Lars T.

      To the guy who modded me down from perfect to terrible Karma - Apple haters still suck

    5. Re:On the other hand... by nomel · · Score: 2, Insightful

      No, he absolutely right. The safest one lane bridge will be one made with 10 bazillion cubic feet of cement and steel...with a few holes to let the water through of course. But, this is the real world, you can't do that. It would be ugly, environmentally harmful, and cost too much money; it wouldn't get built on real earth.

      There's ALWAYS compromise for functionality. This is why things such as "margin of safety" exists. You don't build something that will not fail, you build something that a failure is, statistically, pretty slim.

      If you read your quote, he says it's always tempered by the real world. This is true. So, I challenge you: name *one* device that functions as it should, 100% of the time, without compromise.
      If I were given this impossible challenge, the first thing that would come to my mind is medical devices. Look up how fruitful medical device production is these days. It's not, because for anything beyond something simple like a screw, you nearly *can't* make them reliable enough and still turn a profit over their lifetimes (lawsuits for failing devices are expensive for some odd reason).

  7. Re:As I said elsewhere on the net: by Anonymous Coward · · Score: 2, Insightful

    So if you're such a badass programmer please link to your assembly-coded web browser that contains zero exploits. Oh, you don't have one and you're just a posturing tard? Yeah, that's what I thought.

  8. Security is dead by Alwin+Henseler · · Score: 3, Insightful

    While I'm all for tight code where every byte is important, one could just as well argue that languages used aren't high-level enough.

    Operating systems and apps are often coded in languages like C or C++, that allow a lot of things, which turn into vulnerabilities down the road. Assembly is king of this: it allows a progammer to do anything, including things that aren't safe, smart or correct. No matter how good the code you produce or how comprehensive your testing procedures are, the sheer size of software systems guarantees a number of bugs to be lurking.

    Personally I think that security is dead as long as these languages are the tools, testing code is the norm (vs. some sort of formal verification), and coders are looking for bugs rather than proving they're not there. Fixing this will take a combination of new methods for building software, new design principles to manage system complexity, and safe(r) languages to write the code in. There's a lot of research around (see seL4 microkernel or Coyotos for example), but results rarely finds its way into mainstream products. There's a long way to go still... or users just don't care enough.

    1. Re:Security is dead by Fareq · · Score: 3, Insightful

      Vista, the pile of problems that it is, took thousands of people about 6 years to create.

      It would have been simply infeasible to increase the work by 10x (since 10x as many people couldn't do 10x the work -- overhead and all -- we're talking probably at least 15x - 20x increase in cost to develop, and probably more elapsed time regardless of the number of engineers).

      Even if it costs a trillion dollars, spread over 10 years, to fix things that could have been prevented with the 10x effort up front, it simply wouldn't have been possible.

      Ultimately, we would all have to settle for slower innovation and simpler products.

      So far, the market has decided that a somewhat-buggy, vulnerable, but cheap, advanced, and rapidly developed product is more valuable than an expensive, simple, but bulletproof application for most people's needs.

      For some things, it is probably worthwhile to scale back expectations of complexity and innovation to increase invulnerability and guarantee correctness. Software running on the space shuttle or a nuclear sub strikes me as belonging to this category.

      But, for right now... I wouldn't pay $2500-$5000 per seat for an operating system that was as advanced and capable as Windows 7, but which had zero crash bugs and zero security vulnerabilities. (and similar outsized pricing on other software that I use)

      Nor would I be willing to pay today's prices for secure versions of 10+-years-ago software when the same prices could get me modern software.

      Until we can find a way to decrease the comparative cost of building provably-secure systems (versus what is available with rapid development and "best efforts"), it isn't going to happen for most software.

  9. Re:Misleading; no credibility by Elwood+P+Dowd · · Score: 4, Insightful

    Isn't your point about Chrome invalidated by your point about the time taken?

    Did no one attack Chrome because none of these researchers had an exploit that would work against it?

    --

    There are no trails. There are no trees out here.
  10. Re:Misleading; no credibility by Bill_the_Engineer · · Score: 4, Insightful

    I give this particular "Pwn2Own" show no credibility what so ever because of these details.

    I believe what you really meant to say was that we shouldn't fall into the trap of believing that Chrome is actually safer due to the fact that no one really targeted it in this contest.

    I've done my share of "Digital Combat Exercises" and you are correct that we should only view the contest as a verification that flaws exist, and not as a certification that a particular platform is safe.

    For my first competition, my team concentrated on all the windows machine on the network because we had a list of known exploits and figured that we could exploit them the quickest and therefore accumulate the highest score possible within the time limits. All teams used the same strategy, and the Linux machines weren't even targeted. This wasn't because Linux was safer, it was because we all knew Windows was a softer target. This made for a some very close final scores.

    For the following year's contest (which I couldn't participate due to a schedule conflict), my old team paid attention to the known exploits for Linux and started targeting them to guarantee a larger lead going into the final minutes of the contest.

    I think you'll see this pattern in all "hacker" contests. Each year more platforms will fall as each team strategize on what will give them the edge during the time alloted. You'll probably see Chrome fall next year. Look at Safari in Pwn2Own, it wasn't until 2 years ago before people started to seriously attack it for the points.

    --
    These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
  11. Re:So many exploits, so few hydrogen bombs by Locke2005 · · Score: 3, Insightful

    That's analogous to suggesting that getting rid of all the drug-sniffing dogs will cut down on drug smuggling. What kind of world do you live in where the argument "If I don't know about it, then it must not exist!" is considered logical?

    --
    I've abandoned my search for truth; now I'm just looking for some useful delusions.
  12. Re:BS without details by jo_ham · · Score: 2, Insightful

    This is not about just Safari and OS X - all the details about browser exploits, including for Firefox and Windows are just too scant in detail.

  13. Re:They had no choice, Slashdot headlines are shor by quadelirus · · Score: 4, Insightful

    How about:

    IE8, Safari, FF, iPhone All Fall At Pwn2Own

    It has fewer characters.

    Or, focus on one area: IE8, Safari, Firefox all Fall At Pwn2Own

    And they didn't bother to mention Firefox in the description either, which clearly had enough space to include the word "Firefox."

  14. "software engineering" by Anonymous Coward · · Score: 1, Insightful

    Software Engineering is an engineering discipline.

    Only when it applies "technical, scientific, and mathematical knowledge to design and implement materials, structures, machines, devices, systems, and processes that safely realize a desired objective or invention."

    http://en.wikipedia.org/wiki/Engineering

    Most coders don't do engineering, and that's part of the problem. In most other disciplines there are also standards:

    I really hate to point this out but ... there are two reasons that, in other
    engineering and technological fields, we *do* manage to avoid repeating at
    least the reasonably common mistakes:

    1. We develop standards and practices that have the force of law.
    Electrical circuitry in houses is subject to a variety of such standards.
    So is plumbing. [...]

    2. We require training and passing of exams *on those standards and
    practices*. We enforce this requirement by requiring licenses to work in
    many fields - and those licenses depend on passing the exams. [...]

    We in the software industry have been leading charmed lives for many years.
    We've managed to avoid liability, avoid serious training in good practices,
    avoid any kind of standards - all by arguing that this would cramp our style
    and keep us from continuing to innovate. Maybe that's true - but we've been
    building up a massive debt side by side with all that innovation.
    Eventually, that debt's going to come due. If we don't clean up our own
    mess, the greater society will come along and do it for us - and the results
    won't be pleasant.

  15. Re:As I said elsewhere on the net: by TapeCutter · · Score: 2, Insightful

    "They are relying upon someone else's code to translate down to that, and if those methods are flawed they're screwed....If you ignore the basics, you're going to be fucked later on."

    And the machine code depends on logic circits which in turn depend on complex software tools that design those circits, which depend in turn on, blah, blah, blah,.... Sooner or later you have to face the fact that if you can't trust anyone to do thier job properly then you're fucked before you even start.

    --
    And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.