Chrome, Firefox, IE 10, Java, Win 8 All Hacked At Pwn2Own
mask.of.sanity writes "Annual Canadian hack fest Pwn2Own is famous for leaving a trail of bloodied software bits and today it did not disappoint. Security researchers tore holes through all major web browsers, breaking Windows 8 and Java, too (though the latter feat is not remarkable). Thankfully for the rest of us, the cashed-up winners will disclose the holes quietly to Microsoft, Mozilla, Google and Oracle, and the proof of concept attack code will remain in the hands of organisers only."
Installing Windows 8 doesn't count as hacking it...
Right?
So, at what point do we wake up and realize that current models of hardware and software development are fundamentally flawed in terms of having products which by their very nature introduce unacceptable security risks to store any data or information? (I was going to write data or information which can cause monetary loss or expense, but really...)
Or, rather, at what point does someone wake up and develop a system that can be trusted out of the box to be secure? And when do consumers buy into the notion that, while shopping / releasing credit card data / etc. is fun and may be necessary, it is in their best interest to pay a little more for a (less advanced) system that does not and cannot be exploited?
$100,000 for popping Chrome on Windows 7; the same for hacking Internet Explorer 10 on Win 8; $75,000 for ripping up IE9 on Win 7; $60,000 for owning Firefox on Win 7; and $65,000 for exploiting Apple Safari on OS X Mountain Lion.
$65K was not enough to bang up Safari?
Where is this country? I can't find it on a map. Mind you, as an American, I can't even find Kansas on a map. Go figure.
Candian?
They weren't hacking toys.
Does that knowledge also remain in the hands of organisers only?
Do any of these exploits work on Linux?
AccountKiller
Security researchers tore holes through all major web browsers, breaking Windows 8 and Java, too (though the latter feat is not remarkable).
- at this point I have to wonder what are the underlying reasons for the obvious bias present on /. against Java, because clearly there is something at work here, so where does the money trail lead? Is Dice holding a short position against Oracle or something? Is there something else going on? Is it a pro-Apple product and anti-Android stand?
Personally I dislike Oracle as a company because of their insidious penetration of all facets of medium to large businesses (everything must be Oracle), but not Java as a language or as a VM. Obviously the sandboxed JVM browser plugin has various issues, but the slander against the entire Java platform is getting repetitive.
While a Java browser plugin may have security problems, I fail to see how this relates to server side Java usage (as an example).
OTOH even /. comments are so confused, mixing terms, mixing notions such as Java and Javascript and browser plugin, etc., permanently labelling JVM (or Java, I don't know which anymore) as a 'slow language' or 'slow platform' (again, there are too many of these to keep track), and whenever somebody says something to this effect without upfront stating exactly what they are talking about, it leads to page-long threads that can't even agree on the terms they are using.
This is destructive, not constructive.
You can't handle the truth.
Wow, you mean really large complex systems can be hacked by smart people with a lot of time and sophisticated tools? Knock me over with a feather.
You care if you own a smartphone. The new BB10 browser from BlackBerry outperforms desktop browsers in HTML5, and runs on top of QNX, which is like a more stable, secure version of Linux. I'd like to see someone try to hack that, especially in comparison to Android and iPhone.
But...but.. this is going to be the year of the linux desktop, isn't it? Yet?
Not the IE ones :) maybe the Java one
Probably the Firefox one
The Chrome one, partially; they used a kernel exploit to break out of the Chrome sandbox.
It's not like you're going to type most of your Internet passwords and your credit card details in a web browser, right?
Those of us that don't run a server.
From what I read, all the affected systems were Windows based.
QNX is a NetBSD
Not hacked? First time ever! :D
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
http://www.internetnews.com/skerner/2011/03/why-pwn2own-doesnt-target-linu.html
Pwn2Own will target IE, Firefox, Safari and Chrome all running on Windows 7. Windows XP isn't on the target list and neither is Linux, for different reasons.
I spoke with Aaron Portnoy, Manager of the Security Research Team at HP TippingPoint the other day and asked him why Linux wasn't being included. Apparently the question is among the most common questions he is ever asked about Pwn2Own.
"Linux is not an operating system that has widespread use with any one particular distribution, flavor or configuration," Portnoy said. "In general Linux is still a server-based operating system, people do use it on the desktop, but you can't go to BestBuy and buy Linux with a specific distro on it that everyone uses that has widespread market share. If we were to include Linux, we'd have even more controversy and we just don't want to deal with it."
Once again, pwn2own ignores the Opera web browser. This makes me sad...I recently switched exclusively to Opera after toying around with it for almost 10 years now. I've been completely happy since. I will say this, Opera takes security more seriously than any other browser out there...just an example is when the Certificate Authority hack came into play in 2011...All other browsers were twisting their knickers but Opera just yawned and said:
This was the default setting in opera.
In my opinion, Opera has my interests at the forefront when it comes to security. Whether or not that would translate to being more resistant to hacking attempts at pwn2own, I have no idea...but I really wish they'd give it a go one of these years just to see.
Insert_Ending_Here
Invulnerable or did nobody try?
I guess not. I just installed lynx on my server to prove you wrong, but it looks like the reply button on slashdot uses javascript. I could compile links2 with javascript enabled, but I have work to do.
Browsers, like anything in our lives, cannot be 100% safe. You don't have any security system (at houses, banks, computers) that is 100% failsafe. The best you can do is make the "thief's" life a little bit harder.
-1, ignorant and factually incorrect. It uses the NetBSD TCP/IP stack, but that doesn't make it a NetBSD. Period.
captcha: amateurs. Indeed.
The sky is blue and therefore I like rollercoasters.
Just..... no. It's like saying VMS is a more stable secure version of Windows, the two platforms have about as much in common. Probably more, given they're both the children of Dave Cutler.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
I don't understand why the bashing of Java? .Net. All of them have way more vulnerabilities than Java but you don't see them being bashed all the time.
First, the vulnerabilities of Java are only for the Java Applets. And second, Java is not really a system-critical component. It's more like Flash or Silverlight, or
So, sure, you should call out vulnerabilities so the company is going to fix them as soon as possible, but it's not that critical anyway. It's not like you just connect to the Internet and get a virus without opening any browsers first (Windows XP without SP). All software has vulnerabilities, but Java Applets are not as bad as Flash, for example.
http://www.mueller-public.de - My site http://www.anr-institute.com/ - Advanced Natural Research Institute
"Safari on Mac OS X Lion was the only browser left standing at the conclusion of the zero day portion of pwn2own. "
Perhaps it's also telling that the prizes for winning are Mac Laptops.
Some drink at the fountain of knowledge. Others just gargle.
So, at what point do we wake up and realize that current models of hardware and software development are fundamentally flawed in terms of having products which by their very nature introduce unacceptable security risks to store any data or information?
That's hardly a secret. It's a cost/benefit question, and there is enough benefit around right now that most people are willing to pay the cost/accept a modest risk rather than going without.
Or, rather, at what point does someone wake up and develop a system that can be trusted out of the box to be secure?
You'll never have perfect security, because many useful things are inherently insecure on some level. But yes, we could certainly do a lot better than we do right now.
I personally suspect that any qualitative shift in the industry first needs the development of an industrial-scale application programming language (and a comprehensive supporting ecosystem in terms of tools and libraries) that manages to combine reasonably high performance and flexible low-level access with much stronger architectural support features than any mainstream language offers today.
We know a lot about how to build such a programming language already, and many useful techniques are already tried and tested in more academic/obscure/innovative languages. Unfortunately, this is a chicken and egg kind of problem: you need to get enough developers using your language that the ecosystem develops enough for mainstream industrial use, but attracting the non-enthusiast developers needs some sort of ecosystem to be there already. And as long as most customers are willing to pay significant money for software that doesn't have lots of bugs/vulnerabilities, accepting these things are somehow inevitable in the way that most non-geeks today probably do, there isn't sufficient commercial incentive for the few organisations that could actually do it to throw megabucks into developing the language and a bootstrappable ecosystem from scratch right now.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
TFA says, "Thankfully for the rest of us, the cashed-up winners will disclose the holes quietly to Microsoft, Mozilla, Google and Oracle, and the proof of concept attack code will remain in the hands of organisers only." Who wants to bet the organisers are China?
n/t
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
For operating system, why do they only try Windows there? I, for one, would love them to try Linux as well, to help find exploits, which I'm pretty sure they'd find just as well.
"Listen, we got a higher purpose here, alright? A wake up call for the Nintendo Generation. We demand free access to data, well, it comes with some responsibility." - Cereal Killer, Hackers. Like it or not security in either the software or the physical world comes with some freedom violations. You cannot have your cake and eat it too. You either want the developers to tie you down and spoon feed you only what they will allow or you want to operate the system the way you want. They are mutually exclusive until we invent Skynet. Needs of the user are a constantly moving target. Anytime we lock down something for security reasons a new paradigm comes along and causes us to have to violate our own security measures. On top of all that, the hacker world does not sit still and stop trying to exploit vulnerabilities. If you want to be safe you can't go running around the internet willy-nilly doing whatever the hell you want without proper security safeguards. If you're going to go to Pirate Bay and download some torrent or other, then you better damn well have kick ass security tools to verify that all you got was the illegal movie and not some virus or other. Risky behavior is RISKY, stupid. Stop complaining about it to me and get proactive. Your security and safety is YOUR responsibility.
Hey! How goes the effort to gain access to Jennifer's pants? Debbie's? Becky's?
"I stand on the shoreline, having hacked a few shells, while the great undiscovered ocean of life remains before me."
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
Apparently it is. Any other 'excuse' is merely a "cop out", nothing more, nothing less.
* :)
(That's what it tells ME @ least... opinions may vary!).
So, does Opera possibly have "holes" in it too? Possibly. Only thing is, I'm not being shown CONCRETE SOLID UNDENIABLE & VERIFIABLE evidence thereof is all, so I have to assume what you have is all.
Like MOST /.'ers? I am a "show me" person... & I'm NOT being shown any differently, thus, I am free to make statements like yours also!
(These contests, much like I feel hacker/cracker types do (the ONLY "good" thing they do), expose weakness, & in a better manner than outright online criminals do, in that they DETAIL how it was done... when you know that, you can DO something about it!).
APK
P.S.=> So, sure/yes - Excluding Opera also makes me wonder as well on WHY it's excluded from these tests, other than the fact they make it rather OBVIOUS there are no "holes" in it by such omissions, unfairly, imo @ least...
... apk
There's no mention of any vulnerabilities on any other OS. Does this mean they're only windows-specific issues?
http://developers.slashdot.org/comments.pl?sid=3525253&cid=43105565
* :)
APK
P.S.=>
"Opera takes security more seriously than any other browser out there...just an example is when the Certificate Authority hack came into play in 2011...All other browsers were twisting their knickers but Opera just yawned and said:
Browsers that do not have protection against blocked revocation lists will need to rapidly issue an update to fix any new certificate abuse. In Opera, users are protected automatically when the certificate is revoked. If the CA has a general problem, or a CA is no longer being used, we can remove it from our list of trusted CAs behind the scenes, and the user will also be secure, without needing to change anything in her browser.
This was the default setting in opera.
In my opinion, Opera has my interests at the forefront when it comes to security. Whether or not that would translate to being more resistant to hacking attempts at pwn2own, I have no idea...but I really wish they'd give it a go one of these years just to see." - by TheKeyboardSlayer (729293) on Thursday March 07, @10:16AM (#43104503) Homepage
Well said, & with BACKING evidence to reinforce your statement too (doesn't GET any better, than that)... again, agreed, 110% per my subject-line above!
Their lead dev, afaik, Mr. Hakom Lie (sp?) is really, Really, REALLY "on top of his game" here & always is (he's on the standards for the web committee)... which also makes me wonder WHY he's willing to drop his engine (excellent in latest/greatest 12.14 builds, especially in 64-bit, which is what I use personally) for WebKit.
However - it also shows me he IS concerned with solidifying the web... even to the point of taking a "personal beating" & giving up HIS motor/engine, to make the web more "unified" via WebKit.
It's the "why" of WHY I use it (as well as years of dominating speed/performance online on ALL fronts, even javascript (which I feel needs some SERIOUS shoring up in its faulty exploitable DOM model) - speeding javascript up is like speeding up being tossed in front of a speeding car, as it stands currently))...
... apk
The article points out that the hacks were done on Windows & Mac's. So simply saying "oh, these browsers are all flawed", is suggesting something that is either not true or something unknown. After all, it's entirely possible that the flaws do not exist in Linux or non-Mac-BSD versions of the browsers. I've seen articles go on like this before... about how all the browsers are hackable, but they only really know (or mean) that all the browsers are hackable on a certain platform. I'm tired of that FUD.
Yep, must be... ;^) So far, at least, since the article (but who (else) reads those?) makes no mention of it being compromised this time.
$65,000 if you can through, though.
Right?
Nobody is scheduled to attempt an attack against Safari this year. Contestants have to pre-register which platform they wish to attack, and have 30 minutes to demonstrate it. So usually the reason you see a platform ignored is because all the entrants already have plans for one of the other platforms and it's more about who can hack the other one faster and get the money.
So, I must wonder how many people who "win" these have known about problems, holding back disclosure to profit (either from selling the hack or winning the contest).
I'm not going to go so far as to say the cash incentive caused otherwise scrupulous people to not report the bugs (delay reporting, certainly), but it seems to have turned into its own little economy, hasn't it?
All of the 'news' the last six months about Java insecurities . . . well is it news? Someone knew.
Given that it was always the first platform hacked at these events, I guess the competitors decided to step up to a real challenge and move to other platforms...
Browsing at +1 - no ACs, I ignore their posts. So refreshing!
Does that make elinks2 the safest browser out there?
Despite the fact that zero-day vulnerabilities still exist, we should note that software has gotten harder to exploit over the years. For example:
Firefox was popped with a use-after-free vulnerability and a new technique that bypasses Address Space Layout Randomisation (ASLR) and Data Execution Prevention (DEP) in Windows, Vupen said...Windows 8 also fell to the security consultancy which cracked Microsoft's Surface Pro using two Internet Explorer zero day vulnerabilities and a sandbox bypass.
So in each case they had to chain 3 vulnerabilities together to make this work. That means that we are at least improving security, albeit not enough. Fixing any 1 of those vulnerabilities makes the exploit no longer work.
Hehheh, good one...
AppArmor is actually quite intuitive and moderately complicated to work with. I once did an AppArmor profile for firefox in two days. I am not privy to the details of firefox, but I do develop in C++ on Windows and Linux and I know a little about the DLL loading process on Linux.
I also created a memory safe and efficient (unlike Java and C#) programming language, but the sad fact is that software developers are not exactly enlightened when it comes to ditching their deficient programming language in favor of something more secure.
Here it is: http://sourceforge.net/projects/sappeurcompiler/
As I wrote somewhere else:
"
Drumming For Sappeur
"Popular languages in this category don't exist"
That statement is true, but there "exist" languages which are both memory-safe and efficient. You can have most of the efficiency and realtime capabilities of C++ without all the nasty Java properties such as voracious memory consumption and GC freezes. You can have your little command line program start up in less than 10 milliseconds.
More than 50% of all serious exploits in the CVE database are artifacts of the C and C++ languages. Real-world C and C++ programs will have them, because programmers are not superhumans. They don't live in a world of infinite funding and infinite project deadlines. Quite the opposite.
I designed a language called Sappeur and wrote a compiler (or call it a translator if you wish), which assures memory safety. Sappeur is (essentially) a memory-safe subset of C++ and adds some novel support for memory-safe multithreading. The compiler will generate C++ code to be compiled into machine code by GCC or msvc (or potentially any other modern C++ compiler). That took me about 10000 lines of C++ code. I do think the right people could prove correctness of a 10k LOC project, given reasonable time and budget.
But certainly the current version of the compiler will contain bugs. Still, I do think it demonstrates what is possible. It is another line of defence and given that hardware designers are not infallible creatures, we should look for any opportunity to add useful layers into the defence-in-depth armour. Is your MMU proven correct ? If not, will your sandbox ever work as promised ?
Actually, Sappeur programs could *remove* the need for MMUs and consequentially save cost and electric power.
"
..having "use after free" errors in 2013. The truth is that most software developers and software development managers are plain idiots. For most of them, "delivering features" is the one and only objective. They are too lazy to even consider alternatives to their long-practised approach of using C and C++. They will find 1001 reasons why they should change Exactly Nothing.
They use the same line of argument as you do "we can never be 100% secure, so why should we improve anything at all ?".
The truth is that "use after free", "heap overflow", "ASLR outwitted" really do not need to occur in 2013. They occur because most managers and developers are actually Programming Whores. They are in this purely for money and nothing else.
Here's a nickel boy. Download yourself a Memory Safe Programming Language:
http://sourceforge.net/projects/sappeurcompiler/
http://www.rust-lang.org/
http://dlang.org/memory-safe-d.html
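Two comments in this thread make the same point from different directions: the one quoting Vupen observes that the Firefox and Windows 8 wins each needed a chain of three bugs (a use-after-free plus ASLR and DEP bypasses, or two zero-days plus a sandbox escape), so fixing any single link breaks the chain; the Sappeur post argues that the use-after-free link should not exist at all in 2013. The C below is an added example written for this edit, not code from the article, from Sappeur, or from any commenter. It shows the generation-counted handle discipline that debug allocators and hardened runtimes use to turn a use-after-free or double free from silent memory reuse into a refused access: callers hold a `handle_t` instead of a raw pointer, every access is validated, and freed bytes are poisoned before release. All names (`obj_alloc`, `obj_get`, `obj_free`, `table`, the sample strings) are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_OBJECTS 16
#define POISON_BYTE 0xAB

/* One slot per object. `gen` is bumped on every free, so a handle issued
 * before the free can never validate again, even if the slot is reused. */
typedef struct {
    char    *data;   /* heap buffer, NULL while the slot is free */
    size_t   len;
    uint32_t gen;
    int      live;
} slot_t;

/* What callers hold instead of a raw pointer. */
typedef struct {
    uint32_t index;
    uint32_t gen;
} handle_t;

static slot_t table[MAX_OBJECTS];   /* constructed for this example */

static handle_t obj_alloc(const char *text)
{
    handle_t h = { UINT32_MAX, 0 };            /* invalid handle on failure */
    for (uint32_t i = 0; i < MAX_OBJECTS; i++) {
        if (table[i].live)
            continue;
        size_t len = strlen(text);
        char *buf = malloc(len + 1);
        if (!buf)
            return h;
        memcpy(buf, text, len + 1);
        table[i].data = buf;
        table[i].len  = len;
        table[i].live = 1;
        h.index = i;
        h.gen   = table[i].gen;
        return h;
    }
    return h;                                  /* table full */
}

/* Returns the slot for a valid handle, NULL for a stale or bogus one. */
static slot_t *obj_lookup(handle_t h)
{
    if (h.index >= MAX_OBJECTS)
        return NULL;
    slot_t *s = &table[h.index];
    if (!s->live || s->gen != h.gen)
        return NULL;
    return s;
}

static const char *obj_get(handle_t h)
{
    slot_t *s = obj_lookup(h);
    return s ? s->data : NULL;
}

/* Poison the bytes before freeing (a raw pointer that escaped the handle
 * discipline then reads garbage, not stale secrets), then retire the
 * generation. Returns -1 for a stale handle, i.e. a double free. */
static int obj_free(handle_t h)
{
    slot_t *s = obj_lookup(h);
    if (!s)
        return -1;
    memset(s->data, POISON_BYTE, s->len + 1);
    free(s->data);
    s->data = NULL;
    s->len  = 0;
    s->live = 0;
    s->gen++;
    return 0;
}

/* Lifecycle walk: counts the accesses that would be silent use-after-free
 * bugs with raw pointers but are refused here. Returns 3 on a correct run. */
static int count_caught_stale_accesses(void)
{
    int caught = 0;
    handle_t a = obj_alloc("session-token");
    if (obj_get(a) == NULL)
        return -1;                             /* live object must read back */
    obj_free(a);
    if (obj_get(a) == NULL) caught++;          /* read after free */
    if (obj_free(a) == -1)  caught++;          /* double free */
    handle_t b = obj_alloc("other-data");      /* reuses the same slot index */
    if (obj_get(a) == NULL) caught++;          /* old handle must not alias b */
    obj_free(b);
    return caught;
}

/* Sanity check that the discipline does not break normal use. */
static int roundtrip_ok(const char *text)
{
    handle_t h = obj_alloc(text);
    const char *p = obj_get(h);
    int ok = p != NULL && strcmp(p, text) == 0;
    ok = ok && obj_free(h) == 0 && obj_get(h) == NULL;
    return ok;
}

int main(void)
{
    printf("stale accesses caught: %d\n", count_caught_stale_accesses());
    printf("roundtrip ok: %d\n", roundtrip_ok("hello"));
    return 0;
}
```

The point of the generation counter is the third check in `count_caught_stale_accesses`: after the slot is reused, a plain "is it live" flag would say yes and hand the old holder somebody else's data, which is exactly the aliasing an attacker needs to turn a dangling reference into a controlled read or write. The same lifecycle in a memory-safe language is enforced by the compiler or runtime rather than by a table like this one.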
Safari for Windows was abandoned (no version 6) and this year Pwn2own is targeting Windows browsers only.
From the post you're replying to, quoting TFA:
$100,000 for popping Chrome on Windows 7; the same for hacking Internet Explorer 10 on Win 8; $75,000 for ripping up IE9 on Win 7; $60,000 for owning Firefox on Win 7; and $65,000 for exploiting Apple Safari on OS X Mountain Lion.
$65K was on offer for a Safari/Mac crack.
I agree. By (consciously) using the word "hacking" instead of "cracking" when referring to activity related to circumventing computer security we show our disrespect of those who contributed to the development of computing as we know it and who once asked us to differentiate the constructive "hacking" from the destructive "cracking". This is an example of constructive "cracking" though, which is a special case.
My bullshit detector just hit 10 out of a scale of 0 to 9. If I had a kernel-level zero day for the latest Ubuntu it would probably work on most other modern distros latest version, too. Because the kernel is the same.
The HP guy does not want to embarrass the PC division who are in bed with MS.
Most likely, I'd guess that some of them would be hitting cross-platform parts of the browser, and so the exploit would work in order to break out of the browser sandbox. Because Windows code doesn't run directly on Linux, the rest of the exploit would have to be changed to work correctly on Linux, but that would be a reasonably routine porting job.
If the exploit hits a platform-specific part of the browser, it wouldn't work on any other OS, because the part it was trying to attack wouldn't exist.
(1)DOCOMEFROM!2~.2'~#1WHILE:1<-"'?.1$.2'~'"':1/.1$.2'~#0"$#65535'"$"'"'&.1$.2'~'#0$#65535'"$#0'~#32767$#1"
Yeah right. That is why Linux is very much deployed on desktop computers. Like in governments and in companies.
Here is a list: http://en.wikipedia.org/wiki/List_of_Linux_adopters
The only reason is that Linux was not busted in the last 5 (or something like that) pwn2own contests. It looks really bad if your system (ehem Microsoft) is busted in 5 minutes and a Linux system like Ubuntu will not get busted at all.
http://www.mueller-public.de - My site http://www.anr-institute.com/ - Advanced Natural Research Institute
$65,000 if you can through, though.
$45,000 less than hacking Java so you can't claim that nobody hacked the mac because the reward was too low.
Given that it was always the first platform hacked at these events, I guess the competitors decided to step up to a real challenge and move to other platforms...
In previous events, the "first platform hacked" was determined by the order of the events. So the "first to be hacked" was meaningless. Since then, they changed the rules so "first to be hacked" is meaningless. Now quickest to be hacked is meaningful. Mac OS Safari was not in that category.
Now the anti-apple fanboys will argue that the meager $65,000 was too little of an incentive to be hacked but Java only paid out $20,000. You cannot use the excuse that they paid too little to hack the mac.
Erm, no.
The Pwn2Own contest offers cash prizes; they have done this since 2011. In fact they haven't given away a laptop since 2010. This year it's US$60,000 for first place, US$30,000 for second and US$15,000 for third. Laptop type has nothing to do with it; in fact they're targeting browsers exclusively, running on a fully patched Win7 or latest OSX version. Points are awarded for each exploit; 0days are worth the most, known exploits (2 have been left deliberately unpatched and will be announced) are worth fewer points. The winner is the team with the most points and must include at least one 0day.
Sorry, but the idea that OSX is targeted first because it's more desirable is a complete myth made up by sad fanboys. The entire Pwn2Own competition was created to demonstrate the insecurity of OS X. The first competition only included OS X (Windows and Linux were introduced in the second P2O).
Calling someone a "hater" only means you can not rationally rebut their argument.
Nice. That reminds me of something my first networking instructor (Novell, back in 1995) wrote on the white board when someone asked how well Apple computers worked on a network: "We don't do fruit."