Slashdot Mirror
IE8, Safari, iPhone All Fall At Pwn2Own Contest
SpuriousLogic writes "The annual Pwn2Own contest at CanSecWest is underway, and on the first day Web browsers fell to attack. Internet Explorer 8 and Firefox 3.6.2 on 64-bit Windows 7 and Safari on OS X all were forced to run exploit code. To add insult to injury, an iPhone was cracked and the SMS database lifted from it."
Updated 22:40 GMT by timothy: CWmike adds this interesting bit: "The only researcher to three-peat at the Pwn2Own hacking contest said on Thursday that security is such a 'broken record' that he won't hand over 20 vulnerabilities he's found in Apple's, Adobe's and Microsoft's software. Instead Charlie Miller will show the vendors how to find the bugs themselves."
Title misleading maybe... just a bit? Firefox got owned as well.
Apparently none of them wanted to take on Google Chrome..I believe no one was able to crack it last year.
It is no coincidence that in no known language does the phrase 'As pretty as an Airport' appear.
... these guys (and gals?) all know what they are going to try before they ever get to this contest. It's not like they discover all these vulnerabilities during some epiphany once they arrive.
On the other hand, these security holes are real and need to be addressed by anyone and everyone that was shamed (this means MS, Apple, Mozilla, everyone) pronto!
is the firefox exploit windows x64 only? or is it an exploit in the common firefox code?
why does cracking the iphone add insult to injury? seems like you're throwing about cliches for the hell of it
capture: wetness... it's what slashdot makes me feel in my pants
I find it interesting that the IE exploit was published for the world to see, but the Mac and Firefox hacks have been held back.
It was already known and acknowledged by Microsoft that their ASLR implementation on 32-bit Windows was rather weak, but apparently the 64-bit version of it can be bypassed as well, as all of the hacks of pwn2own on Windows 7 made use of return-to-libc attacks, which should be impossible on systems with address space layout randomization.
Pretty good is actually pretty bad.
The exploits were of course not found in the 5, 10 or 15 minutes advertised. They were all worked on for weeks, and even months, and were well-tested and prepared before being executed at the contest like a rehearsed stage play. Also worth to note is that the reason behind "Chrome only browser that withstood security breach" was that NO ONE TESTED CHROME AT ALL. I give this particular "Pwn2Own" show no credibility what so ever because of these details.
Article is so poor in detail :(
Who logs in to gdm? Not I, said the duck.
Yeah, especially in BASIC.
for his paper written on the plane ( and for his exploit ). Gawd knows how hard it is to write anything decent while travelling on a fucking plane.
Religous speak to God. Insane are spoken to by God. When all shut up, one can finally hear Shostakovich in peace
There's an old saying about not killing the messenger...
These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
Instead Charlie Miller will show the vendors how to find the bugs themselves.
Well, there's an idea. Is it something that really can be taught?
the very fact that these people know what to do beforehand is proof that app security is generally terrible.
Well, I think you have a very good point there - but on the other hand, the developers do have to prioritize the work they do. Finding and fixing a serious, but hard-to-discover security flaw before this flaw has become widely disseminated may not be worth the effort. In principle "security through obscurity" isn't a good policy but in practice it's often good enough. If the software has a serious flaw but nobody knows about it, that's good enough, at least temporarily.
Bow-ties are cool.
Unfortunately for the messenger, sometimes they are the only ones at hand for some violence.
back to what? 10 and 20 years ago was way more easy to exploit computers, we are better, not good enough but better
I'm positive, don't belive me look at my karma
Aww, another knee-jerk Apple fanboy.
*pats you on the head* There there, little man, Mr. Jobs will make it all shinier so you don't have to think about it.
So if you're such a badass programmer please link to your assembly-coded web browser that contains zero exploits. Oh, you don't have one and you're just a posturing tard? Yeah, that's what I thought.
While I'm all for tight code where every byte is important, one could just as well argue that languages used aren't high-level enough.
Operating systems and apps are often coded in languages like C or C++, that allow a lot of things, which turn into vulnerabilities down the road. Assembly is king of this: it allows a progammer to do anything, including things that aren't safe, smart or correct. No matter how good the code you produce or how comprehensive your testing procedures are, the sheer size of software systems guarantees a number of bugs to be lurking.
Personally I think that security is dead as long as these languages are the tools, testing code is the norm (vs. some sort of formal verification), and coders are looking for bugs rather than proving they're not there. Fixing this will take a combination of new methods for building software, new design principles to manage system complexity, and safe(r) languages to write the code in. There's a lot of research around (see seL4 microkernel or Coyotos for example), but results rarely finds its way into mainstream products. There's a long way to go still... or users just don't care enough.
Isn't your point about Chrome invalidated by your point about the time taken?
Did no one attack Chrome because none of these researchers had an exploit that would work against it?
There are no trails. There are no trees out here.
I believe what you really meant to say was that we shouldn't fall into the trap of believing that Chrome is actually safer due to the fact that no one really targeted it in this contest.
I've done my share of "Digital Combat Exercises" and you are correct that we should only view the contest as a verification that flaws exist, and not as a certification that a particular platform is safe.
For my first competition, my team concentrated on all the windows machine on the network because we had a list of known exploits and figured that we could exploit them the quickest and therefore accumulate the highest score possible within the time limits. All teams used the same strategy, and the Linux machines weren't even targeted. This wasn't because Linux was safer, it was because we all knew Windows was a softer target. This made for a some very close final scores.
For the following year's contest (which I couldn't participate due to a schedule conflict), my old team paid attention to the known exploits for Linux and started targeting them to guarantee a larger lead going into the final minutes of the contest.
I think you'll see this pattern in all "hacker" contests. Each year more platforms will fall as each team strategize on what will give them the edge during the time alloted. You'll probably see Chrome fall next year. Look at Safari in Pwn2Own, it wasn't until 2 years ago before people started to seriously attack it for the points.
These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
Chrome is in the list of targeted browsers, but apparently nobody tried it...
That's analogous to suggesting that getting rid of all the drug-sniffing dogs will cut down on drug smuggling. What kind of world do you live in where the argument "If I don't know about it, then it must not exist!" is considered logical?
I've abandoned my search for truth; now I'm just looking for some useful delusions.
FTFY. If you're going to reflexively slam Mac users, get your in-jokes right.
Why would you ever imagine something called "Pwn2Own" might ever have credibility in the first place?
"However, neither the Firefox nor the IE 8 exploit could overcome the sandboxing features in Windows 7 Protected Mode."
big, good, relevant, no, yes?
You make it seem like there's more to the saying that we're supposed to recall. Like, we lean back and think for a second, and then our eyes light up as we have an epiphany about how that multi-part proverb that relates to not killing the messenger is the perfect metaphor for the OP's lack of analytical thought.
.
When, in reality, the entire proverb is:
Don't kill the messenger
So I vote we come up with some new clauses to add to that proverb. Like:
Don't kill the messenger, lest he rise from the dead with a hunger for brains.
Or:
Don't kill the messenger, because he might not have given you the whole message yet, in which case you have less information and so you might make an uninformed decision.
"Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
All of these hacks are real-world drive-by attacks against fully patched machines with default OS mitigations in place (ASLR, DEP, sandboxing).
You get pwn3d if you go to a malicious page, go to a legit page with a malicious banner ad/embedded iframe, get redirected (via malicious WiFi AP) to a malicious page, etc.
This is the third year in a row that Miller did this. He has street cred, so think before you call BS.
As secure and hardened as they can make them, 100% standards compliant. And then cry and whine like little bitches as everybody sneers and calls them pathetic lamer noobs because their browsers totally suck at delivering content.
If you were blocking sigs, you wouldn't have to read this.
Assembler, by a rule, is just harder. Most 'programmers' couldn't understand the machine's native language if their life depended upon it. They are relying upon someone else's code to translate down to that, and if those methods are flawed they're screwed.
All security begins with the basics, and for computing devices, that basic is their native machine language. If you ignore the basics, you're going to be fucked later on.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
This wasn't because Linux was safer, it was because we all knew Windows was a softer target.
Whoa, whoa, WHOA. Just stop right there, Bill. I'm going to have to teach you a thing or to about what you're allowed to write here on Slashdot. Now give me a second to get on my high-horse.
Reasoning is not welcome here.
That's right Bill. We don't need your reasoning here. We know we are right. This is Slashdot! We are the tech community. We know our OSes. We know our software. Just because of some contest with some rules and some teams that want to win the contest by the rules doesn't automatically invalidate our knowledge and wisdom as Slashdot.
Linux is more secure because it is open source and licensed under the GPL. It doesn't matter if it is still unsafe by your standards.
You see, Bill, we on Slashdot do not need to review the source code of Linux because we have declared it safe. Why is it safe? Because it is GPL. And everyone knows the GPL is safe. Therefore Linux is safe, Bill.
IE8 is mentioned first because it is owned by Microsoft, and Microsoft is evil due to historical technology atrocities against other for-profit software corporations. Therefore IE8 is the worst piece of software ever to exist.
So the reason why IE8 falls faster is not because you and your team thought the Microsoft product was "softer". It was because it was the spawn of the devil! Even wackos know the spawn of the devil should be hacked first. Don't you agree?
Firefox is not listed in the title because we need to get a head start on bashing proprietary software rather than reading the summary.
As a real Slashdotter, I pride myself in not reading the article let alone the summary. The title effectively summarizes the direction of all comments in the thread. And that direction is to bash proprietary software, starting with Microsoft first.
Here's a tip, Bill. The headline on Slashdot should give you a hint at what kind of comment you should post on Slashdot. If you are not capable of discerning that from the title, only then may you read the summary. Reading the article is only reserved for picking out additional points to backup your original claim, not to invalidate Slashdot's wisdom. And that would never happen because Slashdot's wisdom is never wrong in the first place.
Apple and Google are bad... but did you know that OSX is really UNIX and Webkit and Chrome are open source?
See, once again open source products are good for you. You should use open source products!
I hope that clears things up, Bill. Please refrain from posting useless comments in the future.
Thanks,
/.
"If I don't know about it, then it must not exist!"
I gather that is a paraphrasing of "what you can not see can not hurt you", which is more accurately "what you can not perceive can not effect you" which oddly enough is an actual fact.
Now I'm not saying this is how we should handle security, just say it is actually a valid statement.
It's also not what the GP was saying. They were saying that if we kill all the people that are smart enough to exploit the security holes then we would need not be concerned with anyone exploiting those security holes. Which also happens to be a fact, but seems like a lot of wasted intelligence.
Putting all the server/database exploits aside. The whole client process of pushing a value in and seeing if it breaks will never go away. Web browsers are one of the worst possible tools to secure. The nature of their job seems to predict failure. As soon as some creative web monkey pushes the envelope another exploit is found. The Gecko and Trident engines can be pushed to break over and over. Chrome and Safari are not any different. You can follow the standards as much as you like. At the end of day these tools are reading XML and Script and rendering/compiling. If you consider a browser for what it is, most of them have come a long way. I remember when a harsh sneeze would cause catastrophic failure and crashing =)
LMFAO. If I could, I would mod you funny.
These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
It's not that I can't understand it, it's that I can't read it. Alas, I simply cannot tell the difference between 2.8V and 0V.
The post would make just as much sense if you substituted the terms "Linux" for "OS X" and "Firefox" for "Safari," so I'd say it's not really very apologetical. And to be fair, they're valid questions because this kind of article does seem to come up a lot around here, a la "OMG they found an exploit for Linux! Oh wait, you have to be logged in as root, manually set it to executable, and ignore the security warning when you run it."
Unity? Screw that: XFCE. Slashdot Beta? Screw that: SoylentNews. Australis? Screw that: Pale Moon. UX developers DIAF
This is not about just Safari and OS X - all the details about browser exploits, including for Firefox and Windows are just too scant in detail.
How about:
IE8, Safari, FF, iPhone All Fall At Pwn2Own
It has fewer characters.
Or, focus on one area: IE8, Safari, Firefox all Fall At Pwn2Own
And they didn't bother to mention Firefox in the description either, which clearly had enough space to include the word "Firefox."
So if you're such a badass programmer please link to your assembly-coded web browser that contains zero exploits. Oh, you don't have one and you're just a posturing tard? Yeah, that's what I thought.
You don't have to be a master of the subject to be able to point out it's flaws. Pointing them out helps to see the problems so they can be fixed. I can tell when a cars engine is not working, doesn't mean that I shouldn't keep quiet about it if I can't build a better one.
Attention... all grammer nazi"s! Is they're anything; wrong with: my post,
Chrome (on Windows) came out of beta back in 2008.
Why would anyone engrave "Elbereth"?
"But that's not a W3C standard! We shouldn't parse that, that would be immoral!"
Software Engineering is an engineering discipline.
Only when it applies "technical, scientific, and mathematical knowledge to design and implement materials, structures, machines, devices, systems, and processes that safely realize a desired objective or invention."
http://en.wikipedia.org/wiki/Engineering
Most coders don't do engineering, and that's part of the problem. In most other disciplines there are also standards:
I really hate to point this out but ... there are two reasons that, in other
engineering and technological fields, we *do* manage to avoid repeating at
least the reasonably common mistakes:
1. We develop standards and practices that have the force of law.
Electrical circuitry in houses is subject to a variety of such standards.
So is plumbing. [...]
2. We require training and passing of exams *on those standards and
practices*. We enforce this requirement by requiring licenses to work in
many fields - and those licenses depend on passing the exams. [...]
We in the software industry have been leading charmed lives for many years.
We've managed to avoid liability, avoid serious training in good practices,
avoid any kind of standards - all by arguing that this would cramp our style
and keep us from continuing to innovate. Maybe that's true - but we've been
building up a massive debt side by side with all that innovation.
Eventually, that debt's going to come due. If we don't clean up our own
mess, the greater society will come along and do it for us - and the results
won't be pleasant.
Actually, I bet their browsers are gonna suck at security too. It's much easier to find one exploit from 1 million lines of code than to make sure your 1 million lines of code have absolutely no security holes.
Isn't your point about Chrome invalidated by your point about the time taken?
Did no one attack Chrome because none of these researchers had an exploit that would work against it?
I'd like to see whether the exploit was specific to WebKit or the Cocoa layer.
All of these hacks are real-world drive-by attacks against fully patched machines with default OS mitigations in place (ASLR, DEP, sandboxing). You get pwn3d if you go to a malicious page, go to a legit page with a malicious banner ad/embedded iframe, get redirected (via malicious WiFi AP) to a malicious page, etc. This is the third year in a row that Miller did this. He has street cred, so think before you call BS.
From your explanation the issue is then with WebKit and not OS X.
Yeah... with that attitude I wouldn't be surprised to find out that you're the one responsible for the f00f bug.
Bad example since hydrogen sulfide has a very distinctive smell and a direct affect on the nervous system, the system responsible for perception. But excusing that obvious slip, how would you know that something had an effect on you if you could not perceive it?
If you believe wikipedia on its origins, the whole thing might actually be "don't kill the messenger because he's not lying" (In Henry IV, they threaten to kill the messenger because they don't believe his message) .-* The More You Know.
Sure, you can shut your eyes and refuse to perceive the 2-tonne grizzly bear coming to disembowel you, and in that manner it can't effect you. Yet. Until it reaches you and you realise that the feeling of being ripped to shreds as well as your subsequent death is not something you can refuse to perceive. Oh, you wanted a car analogy?
It's not the first time Apple products fail at pwn2own.
From your explanation the issue is then with WebKit and not OS X.
WebKit ships in the box that says "OS X" on it.
(by the same token, IE exploits are counted as Windows security issues - and rightly so)
Or, even more accurately, "what you cannot perceive cannot affect you."
Middle management.
It's not that I can't understand it, it's that I can't read it. Alas, I simply cannot tell the difference between 2.8V and 0V.
That's actually easier to tell than you think.
Man who leaps off cliff jumps to conclusion.
Whoever modded me a troll obviously did not read the links that I posted. It is a real issue and affected my development environment at work. My 32bit workstation is quite stable but a project that I am working on requires access to copies of production data so we have to do our development on VMs in a separate dev domain and the VM I was given is 64bit to match our target servers. I have useable stability on my VM several hours at a time as long as I run VS 2008 only through that wrapper program and don't kick off the full build script. Eventually, memory corruption problems will bring down either SQL 2008 management studio (has 32bit components) or my wrapped VS 2008 instance. Once the memory is corrupt, I have to reboot the VM.
Jesus was a compassionate social conservative who called individuals to sin no more.
"They are relying upon someone else's code to translate down to that, and if those methods are flawed they're screwed....If you ignore the basics, you're going to be fucked later on."
And the machine code depends on logic circits which in turn depend on complex software tools that design those circits, which depend in turn on, blah, blah, blah,.... Sooner or later you have to face the fact that if you can't trust anyone to do thier job properly then you're fucked before you even start.
And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
http://www.downloadsquad.com/2010/03/25/pwn2own-2010-google-chrome-is-the-last-man-standing/
Quote by Miller:
"There are bugs in Chrome but they're very hard to exploit. I have a Chrome vulnerability right now but I don't know how to exploit it. It's really hard. They've got that sandbox model that's hard to get out of. With Chrome, it's a combination of things - you can't execute on the heap, the OS protections in Windows and the Sandbox."
I don't get exploited, nimrod
I don't think Nimrod means what you think it means.
This ain't rocket surgery.
But Three makes a pattern, they can no longer claim the first two were a fluke. It shall certainly be a restless night for the Jobites.
But the fanboi is a resilient beast, the fear shall be wiped from their minds and be filled with the love of Jobs, with this love they will troll the intertubes with twice the gusto, conveniently forgetting that pointless P2O competition
Calling someone a "hater" only means you can not rationally rebut their argument.
As another poster vamman put it the very nature of what a browser tries to do is a time bomb.
The very nature of a web server is the same thing.
Until the web gets itself under control and the people who write browsers and the people who write web servers tell the wc3 to shove their wildly horrible specs straight up their ass ( yes a lot of it will be recursive ) we will continue to see this sort of thing.
Computers were never designed to be infinitely flexible which is to say dealing with things like xml and html that are not well formed, defined and encapsulated in a rigid structure. both xml and html are completely open ended structures with no real boundaries to bump up against, so the machine simply has to keep allocating and allocating until it finds something the closes a section. If their was ever a recipe for a buffer overrun or a stack overflow this is certainly it.
Web servers still seem to have trouble caging the requests, again part of the indefinitely flexible nature of what has been built. Why of course you will accept a request that is 90kb long, uhmmm oops wait I just exploded.
There are parts of the web mechanism that must be tightly controlled, they must be highly defined and yes they must be highly restrictive. They must be designed with security as the over riding priority and to hell with convenience . Buffer overflows must simply cease to exist. ANY portion of the code that deals with requests coming in must have hard limits built into it as this the only way to get a handle on this.
The same thing with browsers. There must be hard limits, the rules have to be made and maintained. No more slipping in some code to be able to say, "Hey look at this cool thing I just did!"
Hey KID! Yeah you, get the fuck off my lawn!
The WC3 is the problem. Constantly changing specs, incomplete specs, open ended structures, nothing particularly well defined. The whole "We want it to be able to anything, no matter how hideously deigned it is." attitude has to be defeated at all costs. Hmmmm havent seen the tag yet? Don't worry it will come along any minute now as memory gets consumed at insane rates and the stack overflows or a buffer does.
Failure to do so will simply keep the cycle going.
Hey KID! Yeah you, get the fuck off my lawn!
Not at 3GHz.
Real developers have electrodes attached to their head so that they can read the native machine code directly.
surely a real programmer would lovingly handcraft each bit onto the microprocessor?
failing that I would be interested in seeing this represented through LOGO.
Do you believe that security would be better if applications were coded in assembly, rather than higher-level languages?
I can't see why assembly language makes any difference to coding standards and practices. You can screw up in assembly just as easily as C++, and generally assembly is harder to debug.
Hardware exploits are typically much harder to accomplish versus software, generally because of the straightforward layout of the circuits versus the convoluted nature of software programming.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
If you understand the native language for your target machine, you're better off. If the iPhone kept to the same hardware and only updated hardware revisions every once in a while unlike the current every six months or a year nonsense, it wouldn't be too terribly difficult to write bulletproof code and apps.
Yes, since in order to understand assembler you need to understand both the hardware itself and it's actual physical limitations, and you need to know the language.
I've got a recompiled MenuetOS install on my desktop, built by a friend of mine that knows a fair bit more about AMD64 than I. I've purposely left it wide-open direct-connect to the cable modem and invited people to hack it when I feel like testing a new module he's made. I still do. It's been bulletproof. I'm waiting for his router module/frontend with much anticipation, as I'm getting sick of my Linksys with DD-WRT and it's being written for Atheros.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
WebKit ships in the box that says "OS X" on it.
True, but I thought the point being made was that WebKit affects more than just Safari. Isn't it the core of Firefox these days? And others?
True, but I thought the point being made was that WebKit affects more than just Safari.
It does. Since WebKit is a library, it will affect everything that uses it. Since it's a standard OS library, any OS X application that might want to render some HTML will probably use it.
Isn't it the core of Firefox these days?
Er... no. Firefox is still Gecko, and they don't plan to change.
And others?
Chrome uses WebKit, but I'm not sure if it actually uses OS-wide WebKit library on OS X, or its own version. I suspect the latter, since, supposedly, they did tweak it quite a bit.
It should be noted that they didn't get out of the sandbox of IE8, either. They managed to run arbitrary code within the sandbox, dodging OS protections against that (ASLR & DEP), but it still runs with permission of sandbox identity, which are severely limited - not the user who's running the browser.
It was very sad that Linux wouldnt be allowed in this year as opposed to last time when nobody could crack it. Regardless of how you measure market penetration its nice to have it there as a reference point. Anything you pay for should be much better than something you can get for free.
Chrome has an excellent sandbox, especially compared to IE8 and Safari which makes exploiting stuff very hard even if you know of an open exploit. That nobody even bothered is a testament to that it really works. Nobody hacks at pwn2own, its done long before the competition starts in reality.
Google Chrome OS is something really interesting and everything up until now points to it becoming one of the most secure OS in a long time. While MacOS X and Windows 7 is a pile of ugly hacks Chrome OS seems to be built on excellent foundation from a security viewpoint. I really like it how they take the user out of the equation, just in line with Microsofts security researchers (that Microsoft never seems to listen to).
http://blogs.techrepublic.com.com/security/?p=3275&tag=nl.e036
HTTP/1.1 400
I normally don't write these comments, but this time I make an exception: that was hilarious! Thanks for that!
You made one mistake though. This is wrong:
This is Slashdot!
It needs to be:
THIS! IS! /.!
Isn't that what I just said, or where you just trying to supply an illustrative example for those that couldn't understand the simplified form?
Whooooosh
And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
Sorry about that. I've really made a confusing comment.
What I meant was that Linux wasn't necessarily safe, it was just a much harder target than Windows. Why? Because there were plenty of working exploits in the wild for Windows, yet all we had were a list of exploits for Linux that needed to be coded.
So Windows proved to be the "softer" target just because of time saved. Linux wasn't necessarily "safer" because we had the RedHat bulletins in hand and could have taken advantage of them but didn't because it would have required more time per point scored when compared to Windows. Why work hard to gain fewer points? The scoring didn't factor difficulty in that first year. I don't even know if they do now.
Unlike Pwn2Own, Digital Combat Exercise (love it when the Army gets involved) did not disclose the network layout. So we had to map it, and exploit it in 2 hours. This made it more of a race than to demonstrate security hardness of an OS. If anything, it more of a demonstration on the importance of a qualified IT staff.
Anyway, the only thing that prevented Linux from being exploited that first year was laziness (and lack of time) on our part. We assumed Linux was hard to exploit, so we didn't bother. The following year the team didn't have that assumption and took advantage of some machines that didn't have up-to-date patches.
Hope that clears up the confusion a little.
These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
Indeed. Writing a web browser is bloody nasty work. Even the standards are hellish to have to implement, and then there is all that non-standard crap floating around the web that you're supposed to be able to handle. To make things worse, to make your browser usable you must also write pretty performant code. And you have to be able to stand up to the flak you will get if you don't beat the competition on JavaScript benchmarks and Acidn tests, don't have someone's favorite Firefox extension available, or don't run on someone's favorite platform. And even if you work with a team of demi-gods and somehow accomplish all that, your browser will still be susceptible to vulnerabilities in plugins and in libraries that it uses.
Really, I have immense respect for the developers of today's leading web browsers. It's a herculean task, and I know it. Keep it up, fellows!
Please correct me if I got my facts wrong.
Oh, maybe that was what you said. I assumed you meant "what you can not perceive [now] can not effect you [in the future]". Hence the example, which was just pointing out that things can force you to perceive them (which is I guess a sort of effect on you), even if you can't yet perceive them.
Anyway...
I don't even see the code any more, just blonde, brunette, redhead...
If you don't know where you are going, you will wind up somewhere else.
I did not know the rules of the Pwn2Own contest, so came up with some things that sounded reasonable:
- first hack counts for more than later hacks.
- new exploits count for more than old ones.
- teams succeeding on a given target (be it OS, service, whatever) split a pool of points; the more teams that target a system, the lower the value overall would be.
Looking at Tipping Point's Pwn2Own 2010 page, I find that they took on most of that:
- (it looks like) first hack on a platform gets all the marbles; no counter-weighting appears to have been done for multiple successes against the same target.
- platforms are weighted, presumably (but not necessarily) in difficulty.
As to "Linux vs Windows", I suppose you might count OS X in that category, as well as Android. I don't personally know if any of the other phones are Linux based. But the only general purpose computer + browser platforms in the browser category were windows and mac.
Oh, of course. Since we're talking about browsers, though, userspace is definitely assumed here.
Chrome for Windows might be more used than Safari for Windows, but Safari is far more used than Chrome.
That won't matter unless they can get out of Chrome's sandbox.
There are no trails. There are no trees out here.