IE8, Safari, iPhone All Fall At Pwn2Own Contest
SpuriousLogic writes "The annual Pwn2Own contest at CanSecWest is underway, and on the first day Web browsers fell to attack. Internet Explorer 8 and Firefox 3.6.2 on 64-bit Windows 7 and Safari on OS X all were forced to run exploit code. To add insult to injury, an iPhone was cracked and the SMS database lifted from it."
Updated 22:40 GMT by timothy: CWmike adds this interesting bit: "The only researcher to three-peat at the Pwn2Own hacking contest said on Thursday that security is such a 'broken record' that he won't hand over 20 vulnerabilities he's found in Apple's, Adobe's and Microsoft's software. Instead Charlie Miller will show the vendors how to find the bugs themselves."
Title misleading maybe... just a bit? Firefox got owned as well.
Apparently none of them wanted to take on Google Chrome... I believe no one was able to crack it last year.
It is no coincidence that in no known language does the phrase 'As pretty as an Airport' appear.
... these guys (and gals?) all know what they are going to try before they ever get to this contest. It's not like they discover all these vulnerabilities during some epiphany once they arrive.
On the other hand, these security holes are real and need to be addressed by anyone and everyone that was shamed (this means MS, Apple, Mozilla, everyone) pronto!
It was already known and acknowledged by Microsoft that their ASLR implementation on 32-bit Windows was rather weak, but apparently the 64-bit version of it can be bypassed as well, as all of the hacks of pwn2own on Windows 7 made use of return-to-libc attacks, which should be impossible on systems with address space layout randomization.
Pretty good is actually pretty bad.
The exploits were of course not found in the 5, 10 or 15 minutes advertised. They were all worked on for weeks, and even months, and were well-tested and prepared before being executed at the contest like a rehearsed stage play. Also worth noting is that the reason behind "Chrome only browser that withstood security breach" was that NO ONE TESTED CHROME AT ALL. I give this particular "Pwn2Own" show no credibility whatsoever because of these details.
Yeah, especially in BASIC.
Opera was not one of the targeted browsers. Check out this page for info and updates on pwn2own.
Pretty good is actually pretty bad.
Instead Charlie Miller will show the vendors how to find the bugs themselves.
Well, there's an idea. Is it something that really can be taught?
the very fact that these people know what to do beforehand is proof that app security is generally terrible.
Well, I think you have a very good point there - but on the other hand, the developers do have to prioritize the work they do. Finding and fixing a serious, but hard-to-discover security flaw before this flaw has become widely disseminated may not be worth the effort. In principle "security through obscurity" isn't a good policy but in practice it's often good enough. If the software has a serious flaw but nobody knows about it, that's good enough, at least temporarily.
Bow-ties are cool.
So if you're such a badass programmer please link to your assembly-coded web browser that contains zero exploits. Oh, you don't have one and you're just a posturing tard? Yeah, that's what I thought.
While I'm all for tight code where every byte is important, one could just as well argue that languages used aren't high-level enough.
Operating systems and apps are often coded in languages like C or C++, that allow a lot of things, which turn into vulnerabilities down the road. Assembly is king of this: it allows a programmer to do anything, including things that aren't safe, smart or correct. No matter how good the code you produce or how comprehensive your testing procedures are, the sheer size of software systems guarantees a number of bugs to be lurking.
Personally I think that security is dead as long as these languages are the tools, testing code is the norm (vs. some sort of formal verification), and coders are looking for bugs rather than proving they're not there. Fixing this will take a combination of new methods for building software, new design principles to manage system complexity, and safe(r) languages to write the code in. There's a lot of research around (see seL4 microkernel or Coyotos for example), but results rarely find their way into mainstream products. There's a long way to go still... or users just don't care enough.
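The point above about C letting a programmer do unsafe things is easiest to see in a fixed-size buffer copy. The following is an added example, not code from the thread or from any of the browsers discussed: the same field copy written first the way memory-unsafe code commonly is, then with the length check that a safer language would enforce automatically. The struct, field name, sizes and inputs are constructed for illustration.

```c
/* Added example (not from the Slashdot thread): a fixed-size field copy in C,
 * unsafe form beside a bounds-checked form. Struct and sizes are constructed. */
#include <stdio.h>
#include <string.h>

#define HOST_MAX 16   /* constructed: room for a 15-character hostname plus NUL */

struct request {
    char host[HOST_MAX];
    int  keep_alive;    /* sits right after the buffer; an overflow lands here */
};

/* Unsafe: C copies however many bytes the caller supplies. Anything longer
 * than HOST_MAX-1 runs past 'host' and overwrites neighbouring memory, and
 * the compiler does not object. */
void set_host_unsafe(struct request *r, const char *src)
{
    strcpy(r->host, src);
}

/* Checked: establish the length before touching the buffer and report
 * failure instead of corrupting memory. Returns 0 on success, -1 if the
 * input would not fit (no silent truncation, which can hide bugs too). */
int set_host_checked(struct request *r, const char *src)
{
    /* Look for the terminator only within the space we actually have. */
    const char *nul = memchr(src, '\0', HOST_MAX);
    if (nul == NULL)
        return -1;                        /* no NUL within HOST_MAX: too long */
    size_t n = (size_t)(nul - src);
    memcpy(r->host, src, n + 1);          /* n+1 copies the terminating NUL */
    return 0;
}

/* Demo helper: is the field after the buffer still what we set it to? */
int neighbour_intact(const struct request *r, int expected)
{
    return r->keep_alive == expected;
}

int main(void)
{
    struct request r = { "", 1 };
    /* constructed input, deliberately longer than HOST_MAX */
    const char *long_host = "this-hostname-is-far-too-long.example";

    if (set_host_checked(&r, long_host) == -1)
        printf("rejected oversized host, keep_alive still %d\n", r.keep_alive);
    if (set_host_checked(&r, "short.example") == 0)
        printf("accepted host '%s'\n", r.host);
    /* set_host_unsafe(&r, long_host) would compile without complaint and
     * overwrite keep_alive and whatever follows; it is not called here. */
    return 0;
}
```

The checked version refuses oversized input rather than truncating it, so the caller has to decide what to do with a bad request; that is the decision a memory-safe language forces on you at every such boundary, and the one C lets you skip.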
Isn't your point about Chrome invalidated by your point about the time taken?
Did no one attack Chrome because none of these researchers had an exploit that would work against it?
There are no trails. There are no trees out here.
I believe what you really meant to say was that we shouldn't fall into the trap of believing that Chrome is actually safer due to the fact that no one really targeted it in this contest.
I've done my share of "Digital Combat Exercises" and you are correct that we should only view the contest as a verification that flaws exist, and not as a certification that a particular platform is safe.
For my first competition, my team concentrated on all the Windows machines on the network because we had a list of known exploits and figured that we could exploit them the quickest and therefore accumulate the highest score possible within the time limits. All teams used the same strategy, and the Linux machines weren't even targeted. This wasn't because Linux was safer, it was because we all knew Windows was a softer target. This made for some very close final scores.
For the following year's contest (in which I couldn't participate due to a schedule conflict), my old team paid attention to the known exploits for Linux and started targeting them to guarantee a larger lead going into the final minutes of the contest.
I think you'll see this pattern in all "hacker" contests. Each year more platforms will fall as each team strategizes on what will give them the edge during the time allotted. You'll probably see Chrome fall next year. Look at Safari in Pwn2Own, it wasn't until 2 years ago before people started to seriously attack it for the points.
These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
That's analogous to suggesting that getting rid of all the drug-sniffing dogs will cut down on drug smuggling. What kind of world do you live in where the argument "If I don't know about it, then it must not exist!" is considered logical?
I've abandoned my search for truth; now I'm just looking for some useful delusions.
"However, neither the Firefox nor the IE 8 exploit could overcome the sandboxing features in Windows 7 Protected Mode."
big, good, relevant, no, yes?
All of these hacks are real-world drive-by attacks against fully patched machines with default OS mitigations in place (ASLR, DEP, sandboxing).
You get pwn3d if you go to a malicious page, go to a legit page with a malicious banner ad/embedded iframe, get redirected (via malicious WiFi AP) to a malicious page, etc.
This is the third year in a row that Miller did this. He has street cred, so think before you call BS.
This wasn't because Linux was safer, it was because we all knew Windows was a softer target.
Whoa, whoa, WHOA. Just stop right there, Bill. I'm going to have to teach you a thing or two about what you're allowed to write here on Slashdot. Now give me a second to get on my high horse.
Reasoning is not welcome here.
That's right Bill. We don't need your reasoning here. We know we are right. This is Slashdot! We are the tech community. We know our OSes. We know our software. Just because of some contest with some rules and some teams that want to win the contest by the rules doesn't automatically invalidate our knowledge and wisdom as Slashdot.
Linux is more secure because it is open source and licensed under the GPL. It doesn't matter if it is still unsafe by your standards.
You see, Bill, we on Slashdot do not need to review the source code of Linux because we have declared it safe. Why is it safe? Because it is GPL. And everyone knows the GPL is safe. Therefore Linux is safe, Bill.
IE8 is mentioned first because it is owned by Microsoft, and Microsoft is evil due to historical technology atrocities against other for-profit software corporations. Therefore IE8 is the worst piece of software ever to exist.
So the reason why IE8 falls faster is not because you and your team thought the Microsoft product was "softer". It was because it was the spawn of the devil! Even wackos know the spawn of the devil should be hacked first. Don't you agree?
Firefox is not listed in the title because we need to get a head start on bashing proprietary software rather than reading the summary.
As a real Slashdotter, I pride myself in not reading the article let alone the summary. The title effectively summarizes the direction of all comments in the thread. And that direction is to bash proprietary software, starting with Microsoft first.
Here's a tip, Bill. The headline on Slashdot should give you a hint at what kind of comment you should post on Slashdot. If you are not capable of discerning that from the title, only then may you read the summary. Reading the article is only reserved for picking out additional points to backup your original claim, not to invalidate Slashdot's wisdom. And that would never happen because Slashdot's wisdom is never wrong in the first place.
Apple and Google are bad... but did you know that OSX is really UNIX and Webkit and Chrome are open source?
See, once again open source products are good for you. You should use open source products!
I hope that clears things up, Bill. Please refrain from posting useless comments in the future.
Thanks,
/.
I've had it with these motherfucking bugs on these motherfucking browsers!
This is not about just Safari and OS X - all the details about browser exploits, including for Firefox and Windows are just too scant in detail.
How about:
IE8, Safari, FF, iPhone All Fall At Pwn2Own
It has fewer characters.
Or, focus on one area: IE8, Safari, Firefox all Fall At Pwn2Own
And they didn't bother to mention Firefox in the description either, which clearly had enough space to include the word "Firefox."
From your explanation the issue is then with WebKit and not OS X.
WebKit ships in the box that says "OS X" on it.
(by the same token, IE exploits are counted as Windows security issues - and rightly so)
Whoever modded me a troll obviously did not read the links that I posted. It is a real issue and affected my development environment at work. My 32-bit workstation is quite stable, but a project that I am working on requires access to copies of production data, so we have to do our development on VMs in a separate dev domain, and the VM I was given is 64-bit to match our target servers. I have usable stability on my VM several hours at a time as long as I run VS 2008 only through that wrapper program and don't kick off the full build script. Eventually, memory corruption problems will bring down either SQL 2008 Management Studio (has 32-bit components) or my wrapped VS 2008 instance. Once the memory is corrupt, I have to reboot the VM.
Jesus was a compassionate social conservative who called individuals to sin no more.
"They are relying upon someone else's code to translate down to that, and if those methods are flawed they're screwed....If you ignore the basics, you're going to be fucked later on."
And the machine code depends on logic circuits which in turn depend on complex software tools that design those circuits, which depend in turn on, blah, blah, blah... Sooner or later you have to face the fact that if you can't trust anyone to do their job properly then you're fucked before you even start.
And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
True, but I thought the point being made was that WebKit affects more than just Safari.
It does. Since WebKit is a library, it will affect everything that uses it. Since it's a standard OS library, any OS X application that might want to render some HTML will probably use it.
Isn't it the core of Firefox these days?
Er... no. Firefox is still Gecko, and they don't plan to change.
And others?
Chrome uses WebKit, but I'm not sure if it actually uses OS-wide WebKit library on OS X, or its own version. I suspect the latter, since, supposedly, they did tweak it quite a bit.
Sorry about that. I've really made a confusing comment.
What I meant was that Linux wasn't necessarily safe, it was just a much harder target than Windows. Why? Because there were plenty of working exploits in the wild for Windows, yet all we had were a list of exploits for Linux that needed to be coded.
So Windows proved to be the "softer" target just because of time saved. Linux wasn't necessarily "safer" because we had the RedHat bulletins in hand and could have taken advantage of them but didn't because it would have required more time per point scored when compared to Windows. Why work hard to gain fewer points? The scoring didn't factor difficulty in that first year. I don't even know if they do now.
Unlike Pwn2Own, Digital Combat Exercise (love it when the Army gets involved) did not disclose the network layout. So we had to map it, and exploit it in 2 hours. This made it more of a race than a demonstration of the security hardness of an OS. If anything, it was more of a demonstration of the importance of a qualified IT staff.
Anyway, the only thing that prevented Linux from being exploited that first year was laziness (and lack of time) on our part. We assumed Linux was hard to exploit, so we didn't bother. The following year the team didn't have that assumption and took advantage of some machines that didn't have up-to-date patches.
Hope that clears up the confusion a little.
These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...