Chrome, Firefox, IE 10, Java, Win 8 All Hacked At Pwn2Own
mask.of.sanity writes "Annual Canadian hack fest Pwn2Own is famous for leaving a trail of bloodied software bits and today it did not disappoint. Security researchers tore holes through all major web browsers, breaking Windows 8 and Java, too (though the latter feat is not remarkable). Thankfully for the rest of us, the cashed-up winners will disclose the holes quietly to Microsoft, Mozilla, Google and Oracle, and the proof of concept attack code will remain in the hands of organisers only."
Installing Windows 8 doesn't count as hacking it...
$100,000 for popping Chrome on Windows 7; the same for hacking Internet Explorer 10 on Win 8; $75,000 for ripping up IE9 on Win 7; $60,000 for owning Firefox on Win 7; and $65,000 for exploiting Apple Safari on OS X Mountain Lion.
$65K was not enough to bang up Safari?
They weren't hacking toys.
Humans have been building infrastructure, houses, buildings, for thousands of years, and they still make mistakes (honest or out of greed by cutting corners) and this life-critical infrastructure still fails left and right.
Software is often more complex, requires more people to build, and often has stricter constraints for people who don't understand it, even though we haven't been writing software all that long.
In a few thousand years, if software doesn't have the same failure rate as building bridges does today, wake me up.
Do any of these exploits work on Linux?
AccountKiller
ChromeOS was designed to be tamper resistant, so it can detect changes on the installed code, but the UI is a freaking browser and because of that any vulnerability on the browser that doesn't need changes on the installed code is possible, like reading your stored passwords, accessing your web site sessions, etc.
People will not pay extraordinary amounts for slightly better hardware and software. (No, Apple doesn't count; they are good value for money, though you can't get good enough for low money from them.) Take for instance houses. People still make wood stick frame houses, even though they are quite lousy for insulation and longevity. A much better masonry or adobe house costs roughly 5-10% more, but they are very few and far between. Now take what most people are willing to pay for hardware ($0, free with subscription!) and software ($0). Now how does that figure into building them?
Tonight's forecast: Dark. Continued dark throughout most of the evening, with some widely-scattered light towards morning
So, at what point do we wake up and realize that current models of hardware and software development are fundamentally flawed in terms of having products which by their very nature introduce unacceptable security risks to store any data or information? (I was going to write data or information which can cause monetary loss or expense, but really...)
This insight is as old as the hills. Or at least the '80s. It is the fundamental driver behind the "full disclosure" movement which has, in a sense, been and gone.
Or, rather, at what point does someone wake up and develop a system that can be trusted out of the box to be secure? And consumer buys into the nature that while shopping / releasing credit card data / etc. is fun and may be necessary, but it is in the best interest to pay a little more for a (less advanced) system that does not and can not be exploited?
Start by defining "trusted". Should my local system block me from putting my Visa card number into a web site because the web site isn't safe?
If you mean "locally trusted": top level, secure operating systems running on very secure hardware have been built. Even in military applications they have become a commercial failure because it takes too long to build a feature on such a system, so they mostly don't do the things that people need of them.
So; in the end; the answer to this is that things will only get better when people are willing to sacrifice some feature development for more secure development. Ask yourself; how many of us today are posting from OpenBSD? How many of us are posting from inside an SELinux sandbox? Both of those already have all of the features needed to do so. If you aren't willing to make the small sacrifices needed to run OpenBSD or web browse from inside a proper sandbox, how can you complain about the fact that the rest of the world which is even less interested in technology won't do anything about it?
Just start giving companies selling (N.B. not programmers writing; it has to be commercial system distributors) computer systems some liability for security failures (e.g. up to a max. of 10 times the price of the product they sold) and this will become much much better. As long as nobody's willing to do that nothing will happen.
=~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
When pigs fly.
Seriously, this is like saying "why doesn't someone just make a car that can't crash, or a plane that will never stop flying?".
We can make computers that you can bet your life on. They still fail, but the failure rate is so low that we can bet people's lives on them every day (I'm not talking traffic lights - whose total failure isn't really that big of a deal in the long run, but things like life-support machines, nuclear reactors, etc.). It's EXTRAORDINARILY expensive, and relies on there being an absolute minimum of human input at runtime.
Even spacecraft and aircraft send two or three of the same computers up so they can just swap them out or take the majority vote. You can design systems all you like to be infallible, the fact is that they aren't - even in terms of hardware, and certainly not in terms of software. And the more you want to do with them, the more the work needed to eliminate problems increases - usually exponentially.
Have you seen how much it costs to formally prove code? Hell, just putting the requirements to begin the process can be something more expensive than an entire development cycle of conventional programming, and still contain human errors that the computer will happily prove to be correct (because they are) even if that's not what the humans involved intended (and thus you have a classic software bug again).
By comparison, your web browser is more complex, has more to do, updates more often (new specs and features, etc.) and is business-class programming, not critical. It would take decades or even centuries of man-hours to formally prove even a tiny section of it and every time it changes you need to do it again.
You can't design a secure language to express these things in. You can't design a machine that will cope with anything. You can't design a process involving humans that will be infallible.
Hell, we can't even design a piece of software that will find these bugs by itself (or else we wouldn't need bug-testing) - and yet MILLIONS is spent every year on products that help do just that (static code analysers, fuzz-testers, standard-compliance suites, etc.).
You will never have a "secure" computer, as long as its users and designers are human. When machines start to replicate themselves and write their own operating systems, then maybe it's possible (but how to get there without relying on the output of a human to do that job in the first place?).
Until then, honestly, what do you suggest? A "secure" programming language? There's been hundreds of attempts and ironically Java was one of them (it's all contained within a virtual machine, don't you know?, and thus can't damage the computer it's installed on.... least that's how it was sold for over TWO DECADES).
Summary: It ain't gonna happen in your lifetime. You can deal with it, or prove everyone in CS wrong.
http://www.internetnews.com/skerner/2011/03/why-pwn2own-doesnt-target-linu.html
Pwn2Own will target IE, Firefox, Safari and Chrome all running on Windows 7. Windows XP isn't on the target list and neither is Linux, for different reasons.
I spoke with Aaron Portnoy, Manager of the Security Research Team at HP TippingPoint the other day and asked him why Linux wasn't being included. Apparently the question is among the most common questions he is ever asked about Pwn2Own.
"Linux is not an operating system that has widespread use with any one particular distribution, flavor or configuration," Portnoy said. "In general Linux is still a server-based operating system, people do use it on the desktop, but you can't go to BestBuy and buy Linux with a specific distro on it that everyone uses that has widespread market share. If we were to include Linux, we'd have even more controversy and we just don't want to deal with it."
Once again, pwn2own ignores the Opera web browser. This makes me sad...I recently switched exclusively to Opera after toying around with it for almost 10 years now. I've been completely happy since. I will say this, Opera takes security more seriously than any other browser out there...just an example is when the Certificate Authority hack came into play in 2011...All other browsers were twisting their knickers but Opera just yawned and said:
This was the default setting in opera.
In my opinion, Opera has my interests at the forefront when it comes to security. Whether or not that would translate to being more resistant to hacking attempts at pwn2own, I have no idea...but I really wish they'd give it a go one of these years just to see.
Insert_Ending_Here
"Safari on Mac OS X Lion was the only browser left standing at the conclusion of the zero day portion of pwn2own."
Perhaps it's also telling that the prizes for winning are Mac Laptops.
Some drink at the fountain of knowledge. Others just gargle.
ChromeOS was designed to make google money out of the box. Secure out of the box is/was primary marketing slogan.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
Fool, the setting is customizable.
Allow applications downloaded from:
( ) Mac App Store
( ) Mac App Store and identified developers
( ) Anywhere
Choose either of these 3 options for your preferred level of control vs. safety. Change the setting any time you like.
Yes, the power is in the hands of the administrator.
Now, don't you feel stupid?
So, at what point do we wake up and realize that current models of hardware and software development are fundamentally flawed in terms of having products which by their very nature introduce unacceptable security risks to store any data or information?
That's hardly a secret. It's a cost/benefit question, and there is enough benefit around right now that most people are willing to pay the cost/accept a modest risk rather than going without.
Or, rather, at what point does someone wake up and develop a system that can be trusted out of the box to be secure?
You'll never have perfect security, because many useful things are inherently insecure on some level. But yes, we could certainly do a lot better than we do right now.
I personally suspect that any qualitative shift in the industry first needs the development of an industrial-scale application programming language (and a comprehensive supporting ecosystem in terms of tools and libraries) that manages to combine reasonably high performance and flexible low-level access with much stronger architectural support features than any mainstream language offers today.
We know a lot about how to build such a programming language already, and many useful techniques are already tried and tested in more academic/obscure/innovative languages. Unfortunately, this is a chicken and egg kind of problem: you need to get enough developers using your language that the ecosystem develops enough for mainstream industrial use, but attracting the non-enthusiast developers needs some sort of ecosystem to be there already. And as long as most customers are willing to pay significant money for software that doesn't have lots of bugs/vulnerabilities, accepting these things are somehow inevitable in the way that most non-geeks today probably do, there isn't sufficient commercial incentive for the few organisations that could actually do it to throw megabucks into developing the language and a bootstrappable ecosystem from scratch right now.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
TFA says, "Thankfully for the rest of us, the cashed-up winners will disclose the holes quietly to Microsoft, Mozilla, Google and Oracle, and the proof of concept attack code will remain in the hands of organisers only." Who wants to bet the organisers are China?
They don't try because they say the userbase is too small. But it just hit 300 million users. It's also one of the most popular mobile browsers out there...it was tops in May of 2011 iirc.
Sidenote: The organizer of pwn2own, Aaron Portnoy, supposedly uses the Opera Browser. Go figure.
You mean it is still customizable. It's not like you can install any software you want legally on your iOS appliance. But that is beside the point: even using Safari browsers, one is still susceptible to MITM, phishing, scamming ... attacks. So it isn't really a question of which browser/OS etc. you use. It is a question of infrastructure and the weakest link will always be the target.
I just use different browsers that are run using different restricted users. That way if my Slashdot browser gets pwned it doesn't affect my banking browsers. Nor does it affect my main user account.
Yes these pwn2own guys probably have zero day privilege escalation exploits, but as the joke goes, I don't have to outrun the bear, I just have to outrun Joe Average. And Joe Average will never do something like this. Especially since the browser won't have enough privileges to update itself normally - I have to use another account for updating the browser. It's not that inconvenient or difficult for me. Just launch the update browser and do the updating. But you can't expect Joe Average to do that regularly (probably have to automate it for them).
If a skilled hacker specifically targets me I'd be pwned, but why would they bother?
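The per-role browser separation the poster describes (one restricted local account per browsing purpose, a separate account for updates) can be scripted so the launch itself refuses to run into a privileged account. The script below is an added example, not the poster's own setup: it assumes a Linux/X11 desktop with sudo, and the role names and account names (browser-bank, browser-web, browser-update) are constructed for the illustration. The accounts are assumed to already exist and to have no admin group membership; the script checks the latter before launching.

```shell
#!/bin/sh
# Added example: launch a browser as a dedicated restricted user per role.
# Assumptions (constructed): roles banking/general/update map to the local
# accounts browser-bank/browser-web/browser-update, created beforehand with
# something like `adduser --disabled-login browser-bank`.
set -u

# Map a browsing role to the account that runs it (unknown role -> status 1).
role_to_user() {
  case "$1" in
    banking) echo browser-bank ;;
    general) echo browser-web ;;
    update)  echo browser-update ;;
    *) return 1 ;;
  esac
}

# The whole point is that a pwned browser gains nothing beyond its own
# account, so refuse uid 0 and any account in an admin group. Takes the uid
# and a space-separated group list so it can be checked without a real account.
account_is_restricted() {
  uid=$1; grps=$2
  [ "$uid" -ne 0 ] || return 1
  for g in $grps; do
    case "$g" in sudo|wheel|admin|root) return 1 ;; esac
  done
  return 0
}

# Build the launch command line for a role. -H gives the target account its
# own HOME (own profile, cookies, passwords); --no-remote stops Firefox from
# attaching to an instance already running under another account.
launch_command() {
  role=$1; url=${2:-about:blank}
  user=$(role_to_user "$role") || return 1
  printf 'sudo -u %s -H env DISPLAY=%s firefox --no-remote %s\n' \
    "$user" "${DISPLAY:-:0}" "$url"
}

main() {
  role=${1:?usage: $0 role [url]}
  user=$(role_to_user "$role") || { echo "unknown role: $role" >&2; exit 2; }
  uid=$(id -u "$user") || exit 2
  grps=$(id -Gn "$user")
  account_is_restricted "$uid" "$grps" || { echo "refusing: $user is privileged" >&2; exit 3; }
  # Let only that local account talk to this X display, then hand over.
  xhost +SI:localuser:"$user" >/dev/null 2>&1 || true
  exec sudo -u "$user" -H env DISPLAY="${DISPLAY:-:0}" firefox --no-remote "${2:-about:blank}"
}

# Run main only when executed as this script, not when sourced.
[ "${0##*/}" = "browser-as.sh" ] && main "$@"
```

Saved as browser-as.sh, `./browser-as.sh banking https://bank.example` starts the banking browser under browser-bank; `./browser-as.sh update` starts the update account's browser. The X display grant is the weak spot of this arrangement: any account allowed on the display can read keystrokes of other windows on it, so this separates the browsers from each other and from the main account, not from a keylogger that already has the display.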
The whole point of java was to run cross platform code in a secure manner. The fact that it is the most insecure software on a typical machine these days is the joke. And no, my browser, and yours is not less secure than Java, which has had way more than 65 vulnerabilities patched in the last month alone.
The article points out that the hacks were done on Windows & Macs. So simply saying "oh, these browsers are all flawed" is suggesting something that is either not true or something unknown. After all, it's entirely possible that the flaws do not exist in Linux or non-Mac-BSD versions of the browsers. I've seen articles go on like this before... about how all the browsers are hackable, but they only really know (or mean) that all the browsers are hackable on a certain platform. I'm tired of that FUD.
OS X was listed in TFA, but not in the headline of it. That headline was pretty directly re-used for Slashdot.
What, bias in the tech community?? No way...
There's no place I could be, since I've found Serenity...
Slashdot and all other tech sites are full of Safari exploit cases, my friend, including those that are used to jailbreak iOS devices.
Given that it was always the first platform hacked at these events, I guess the competitors decided to step up to a real challenge and move to other platforms...
Browsing at +1 - no ACs, I ignore their posts. So refreshing!
If a skilled hacker specifically targets me I'd be pwned, but why would they bother?
This is the important bit. At this point, the only people this type of thing matters to is government and corporate users that handle sensitive information. And even then, social engineering is far easier and more effective.
Despite the fact that zero-day vulnerabilities still exist, we should note that software has gotten harder to exploit over the years. For example:
Firefox was popped with a use-after-free vulnerability and a new technique that bypasses Address Space Layout Randomisation (ASLR) and Data Execution Prevention (DEP) in Windows, Vupen said...Windows 8 also fell to the security consultancy which cracked Microsoft's Surface Pro using two Internet Explorer zero day vulnerabilities and a sandbox bypass.
So in each case they had to chain 3 vulnerabilities together to make this work. That means that we are at least improving security, albeit not enough. Fixing any 1 of those vulnerabilities makes the exploit no longer work.
For OS X it still is customizable. It won't be for long, though.
How many years have you been claiming that now? Longer than "The Year of Linux"?
It's more extreme than that. How many houses, bridges, etc. are immune to deliberate attempts to make them fail? That is, how many bridges will just shrug off shaped charges attached to each and every support column by a determined attacker? How many bank vaults can be attacked night after night forever while never showing a single mark? How many are impervious to a clever mechanical dial turner guessing the combination?
I agree. By (consciously) using the word "hacking" instead of "cracking" when referring to activity related to circumventing computer security we show our disrespect of those who contributed to the development of computing as we know it and who once asked us to differentiate the constructive "hacking" from the destructive "cracking". This is an example of constructive "cracking" though, which is a special case.
Wait! Did someone get a box with Chrome?
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
You do understand Google's entire business model, yes? Essentially "you give us your data, we mine it and target ads at you".