Slashdot Mirror

← Back to Stories (view on slashdot.org)

Every Browser Hacked At Pwn2own 2015, HP Pays Out $557,500 In Awards

Posted by Soulskill on from the another-four-bite-the-dust dept.

darthcamaro writes: Every year, browser vendors patch their browsers ahead of the annual HP Pwn2own browser hacking competition in a bid to prevent exploitation. The sad truth is that it's never enough. This year, security researchers were able to exploit fully patched versions of Mozilla Firefox, Google Chrome, Microsoft Internet Explorer 11 and Apple Safari in record time. For their efforts, HP awarded researchers $557,500. Is it reasonable to expect browser makers to hold their own in an arms race against exploits? "Every year, we run the competition, the browsers get stronger, but attackers react to changes in defenses by taking different, and sometimes unexpected, approaches," Brian Gorenc manager of vulnerability research for HP Security Research said.

3 of 237 comments (clear)

  1. Exploit details (sort of) by Nermal · · Score: 5, Informative

    The article doesn't provide many details on what these exploits actually were, but in case anyone else is curious like I was they appear to be published on the ZDI site:

    Broad strokes for new discoveries

    Details for older exploits

  2. Re:Build it yourself -- from source by rudy_wayne · · Score: 4, Informative

    By building the browser yourself (with CFLAGS, CXXFLAGS and even CC and CXX set to something unusual — such as to target only your specific -march) — rather than downloading prebuilt binaries — you make the attacker's job much harder. To successfully exploit your browser, he'll now need to make a custom exploit just for you.

    And, if you include -fstack-protector or equivalent among your compiler-flags, you may even be able to make such attacks impossible for good.

    Technically, this is correct.

    However, I've tried to make my own custom builds of Firefox and it's a nightmare. The build process used by Firefox is so complicated and convoluted, it would make Rube Goldberg laugh. I haven't tried building Chrome, but reading the build instructions, it appears to be only marginally better.

  3. Re:Plug-ins were scapegoats but now we can't go ba by ThePhilips · · Score: 4, Informative

    Slashdot is pretty "lightweight" and yet:

    The size of JS embedded on this page I'm replying from is 33K in about 890 lines of code.

    Externally loaded libraries are (most minimified):

    http://a.fsdn.com/sd/all-minified.js?release_20150309
    http://player.ooyala.com/v3/85...
    http://a.fsdn.com/sd/html5.js
    http://a.fsdn.com/sd/comments-...
    http://www.googleadservices.co...

    Total size: 1147446 bytes, aka 1.1MB.

    You are welcome.

    --
    All hope abandon ye who enter here.