Slashdot Mirror
Every Browser Hacked At Pwn2own 2015, HP Pays Out $557,500 In Awards
darthcamaro writes: Every year, browser vendors patch their browsers ahead of the annual HP Pwn2own browser hacking competition in a bid to prevent exploitation. The sad truth is that it's never enough. This year, security researchers were able to exploit fully patched versions of Mozilla Firefox, Google Chrome, Microsoft Internet Explorer 11 and Apple Safari in record time. For their efforts, HP awarded researchers $557,500. Is it reasonable to expect browser makers to hold their own in an arms race against exploits? "Every year, we run the competition, the browsers get stronger, but attackers react to changes in defenses by taking different, and sometimes unexpected, approaches," Brian Gorenc manager of vulnerability research for HP Security Research said.
To successfully exploit such a vulnerability (other than to make the browser to simply crash), and attacker needs to craft the attack to place just the right content into memory.
By building the browser yourself (with CFLAGS, CXXFLAGS and even CC and CXX set to something unusual — such as to target only your specific -march) — rather than downloading prebuilt binaries — you make the attacker's job much harder. To successfully exploit your browser, he'll now need to make a custom exploit just for you.
And, if you include -fstack-protector or equivalent among your compiler-flags, you may even be able to make such attacks impossible for good.
In Soviet Washington the swamp drains you.
The article doesn't provide many details on what these exploits actually were, but in case anyone else is curious like I was they appear to be published on the ZDI site:
Broad strokes for new discoveries
Details for older exploits
There's nothing stopping you from going back.
Actually, there is. You can't use any of the popular plug-ins on a lot of mobile devices. Chrome is so buggy that even the most basic functionality doesn't work with some of the plug-ins now. As a developer, trying to actually produce a good user experience using any of the formerly popular plug-ins is futile with all the security warnings and all-but-invisible switches to override them in modern browsers.
And yet, after all their bitching about how insecurity is Java's fault or Flash's fault or whatever, it turns out that the browser writers aren't doing much better, because now they also have that complexity to deal with, and they are also trying to write secure software in unsuitable programming languages like C++.
So now we can't use tried and tested plug-in technologies to actually make stuff, and we all have to use HTML5+JS instead, even though in some areas they are still far inferior to what we had before with Flash or Silverlight or Java applets. This is not progress, unless your goal is not to actual provide better results for users but merely to kill off technologies that can threaten your native apps (Apple) or that are not ideal for your commercial model (Google).
At least there have been some moves in the right direction. For example, it will be interesting to see whether the first browser or browser components written in Rust do better.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
Slashdot is pretty "lightweight" and yet:
The size of JS embedded on this page I'm replying from is 33K in about 890 lines of code.
Externally loaded libraries are (most minimified):
http://a.fsdn.com/sd/all-minified.js?release_20150309
http://player.ooyala.com/v3/85...
http://a.fsdn.com/sd/html5.js
http://a.fsdn.com/sd/comments-...
http://www.googleadservices.co...
Total size: 1147446 bytes, aka 1.1MB.
You are welcome.
All hope abandon ye who enter here.