Slashdot Mirror


Every Browser Hacked At Pwn2own 2015, HP Pays Out $557,500 In Awards

darthcamaro writes: Every year, browser vendors patch their browsers ahead of the annual HP Pwn2own browser hacking competition in a bid to prevent exploitation. The sad truth is that it's never enough. This year, security researchers were able to exploit fully patched versions of Mozilla Firefox, Google Chrome, Microsoft Internet Explorer 11 and Apple Safari in record time. For their efforts, HP awarded researchers $557,500. Is it reasonable to expect browser makers to hold their own in an arms race against exploits? "Every year, we run the competition, the browsers get stronger, but attackers react to changes in defenses by taking different, and sometimes unexpected, approaches," Brian Gorenc, manager of vulnerability research for HP Security Research, said.

39 of 237 comments

  1. Browsers getting too complex by ron_ivi · · Score: 3, Insightful

    Is it reasonable to expect browser makers to hold their own in an arms race against exploits?

    The problem is that browsers are trying to become an OS - with all the complexities associated with one.

    If we went back to a world where HTML was mostly about content -- that could be displayed in everything down to things like the Lynx browser -- they could be made secure.

    People wanted more, though -- so they decided to allow extensions like Java Applets, Flash Plugins, and ActiveX controls. Obviously more complex, those were not surprisingly insecure.

    So now people decide to take all the complexity and insecurity and build it directly into the browser itself?!? WTF.

    Makes me miss gopher clients. Maybe we should go back.

    TL/DR: Javascript+HTML5 is the new Java applet + Flash Player + ActiveX control.

    1. Re:Browsers getting too complex by dave420 · · Score: 4, Insightful

      There's nothing stopping you from going back. The rest of us can still use the vastly more functional modern web applications to get stuff done. Yes, there are security issues, but security issues exist regardless of whether they are in the browser or in software. It's not as if we never had any computer security issues before Web 2.0...

    2. Re:Browsers getting too complex by jellomizer · · Score: 4, Insightful

      I wouldn't say a browser is trying to be an OS but more of an interpreted language compiler.
      But if you turn off those nostalgia blinders of the days of the old web: we needed to install a program for almost everything. If you needed an encyclopedia, then you put in that Encarta CD. Every piece of software worked for a particular OS. We had some multi-platform software, but it required other software that you needed to be lucky enough to have a version of for your system as well. You needed ports open to share data with another system...

      This is why back in the 1990's nearly everyone had to use Windows. It is because buying a Mac, or using Linux, would put you at a disadvantage in available software. The advanced browser opened up your Linux and Mac to the world, and people really don't care much what freaking OS you are using, because the content renders nearly the same.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    3. Re:Browsers getting too complex by ShanghaiBill · · Score: 2

      The problem is that browsers are trying to become an OS

      No, the problem is executing downloaded content. Doing that directly in the OS would be even worse than doing it in a browser. At least the browser executes in a sandbox. A defective sandbox is better than none at all.

      If you want security, then don't execute downloaded content. Disable Java, disable flash, disable JavaScript. Only turn them on for sites that you trust.

    4. Re:Browsers getting too complex by tlhIngan · · Score: 4, Insightful

      TL/DR: Javascript+HTML5 is the new Java applet + Flash Player + ActiveX control.

      But it's far better than before. Because with Flash Player and ActiveX you were limited to waiting for a third party to fix the flaw. There's nothing the browser vendor or the user could do. JavaScript/HTML5? The browser vendor's at fault and hell, it may even be possible to fix it yourself.

      JavaScript/HTML5 may be the new vulnerability, but it's a lot easier to fix the issue. If the vulnerability was in Flash Player or some random ActiveX object, you're stuck waiting for Adobe or other third party to make the fix. With JavaScript/HTML5, the browser vendor can fix it, if it's open source, you or the community can fix it.

      So yeah, there are vulnerabilities, but the resolution of them is far easier. It may even be simply switching browsers!

    5. Re:Browsers getting too complex by Actually,+I+do+RTFA · · Score: 2, Insightful

      I really don't know what "vastly more functional modern web applications" even means. I get what AJAX and HTML4 added... and even there it seems like just a bit of an optimization over just using HTML. But I still have no clue what HTML5 added that is useful... other than built in video/audio playback.

      As far as I can tell, the biggest users of the new technology are trackers/ads.

      And there is a lot stopping me from going back. Old, functional pages keep getting replaced with JS ridden bullshit. Look, if you want to talk about applications, I'm happy to use ones that are on my desktop. But if you want to talk about content, I gain nothing but insecurity, tracking and difficulty from the javascriptification.

      --
      Your ad here. Ask me how!
    6. Re: Browsers getting too complex by cinky · · Score: 2

      The thing is - everybody is responsible for their security. We don't need to "go back" - we need to teach users how to be safe. I check my parents' computer whenever I come to see them. No toolbars, no malware, no viruses - because my brother and I took the time to teach them the basics of computer security (and mostly to click "no/cancel" if unsure).

    7. Re:Browsers getting too complex by The+MAZZTer · · Score: 2

      You'll be happy to hear Chrome is killing insecure plugin support. It's already deprecated, but come September, only sandboxed plugins will be allowed.

    8. Re: Browsers getting too complex by cinky · · Score: 2

      Canvas, local storage and a bunch of other stuff important for developers. Why do you think Flash and ActiveX are pretty much dead?

    9. Re: Browsers getting too complex by Actually,+I+do+RTFA · · Score: 2

      I know about some of the features, among other things, canvas and local storage. I wasn't saying "what technical features"; I was saying "why do I, as a consumer, want this". It's unclear to me what value Canvas will supply. Nor do I particularly want local storage from websites. One of the first things I did on new installations of Flash was turn off its local storage. Again, I see why developers^H^H^H^H^H^H^H^H advertisers want it. But I have no idea why I as a consumer would.

      To be honest, I have no idea why I, as a developer, want any of the new features.

      --
      Your ad here. Ask me how!
    10. Re:Browsers getting too complex by linuxrocks123 · · Score: 2

      In OO language, we don't want any friends and we want to make sure that no data is exposed and all functions that provide functionality (get, set, do_something, whatever) are checked properly.

      Friends are irrelevant. In C and C++, you have the ability to set pointers to arbitrary values, cast them to whatever you want, and then use them to overwrite arbitrary memory. Friends matter for minimizing code complexity, but, as Stroustrup said, C++'s object model is intended to prevent accidents, not fraud. If you have evil code with access to an object, whether or not the code is friends with the object's class is entirely irrelevant.

      --
      vi ~/.emacs # I'm probably going to Hell for this.
  2. If the browser authors spent more time... by Viol8 · · Score: 3, Insightful

    ... getting their code airtight and less time constantly fucking about with GUI and javascript interpreter - sorry, "engine" - changes perhaps these exploits could become less of an issue.

    1. Re:If the browser authors spent more time... by LordLimecat · · Score: 2

      Your post displays an astonishing level of both confidence and ignorance. Find me a piece of software half as complex as a browser (which has the unenviable task of running arbitrary code from untrusted sources in a secure manner) that doesn't have any CVEs and I'd happily retract my statement.

    2. Re:If the browser authors spent more time... by Richard_at_work · · Score: 3, Insightful

      Most people don't want shitty static pages, they want the application experience. Which is why we have the heavy browsers we have today.

    3. Re:If the browser authors spent more time... by Whorhay · · Score: 2

      I'm pretty confident most people would be happier with static pages whether they know it or not. The only exception I can think of is video and audio, which could still be done easily enough without building massive pages of shitty JavaScript. I have used NoScript for years and it is amazing how improved most sites are when you block the scripts from their two dozen partner sites.

  3. Build it yourself -- from source by mi · · Score: 3, Informative

    A security researcher identified by HP only as ilxu1a delivered the first exploit of the day with an out-of-bounds memory vulnerability in Firefox that took less than one second to execute. For his efforts, ilxu1a was awarded $15,000.

    To successfully exploit such a vulnerability (other than to make the browser simply crash), an attacker needs to craft the attack to place just the right content into memory.

    By building the browser yourself (with CFLAGS, CXXFLAGS and even CC and CXX set to something unusual — such as to target only your specific -march) — rather than downloading prebuilt binaries — you make the attacker's job much harder. To successfully exploit your browser, he'll now need to make a custom exploit just for you.

    And, if you include -fstack-protector or equivalent among your compiler-flags, you may even be able to make such attacks impossible for good.

    --
    In Soviet Washington the swamp drains you.
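    An added example, not from the thread or from any browser's build system: a small Python checker that reads a CFLAGS/CXXFLAGS string the way GCC and Clang do (stack-protector options are applied left to right, so the last one on the command line wins) and reports the protector level actually in effect, the -march target, and the gap a distro wrapper or build script introduces when it appends -fno-stack-protector after your own flag. The flag strings in the demo are constructed, the helper names are mine, and the "default is off" assumption is a simplification (many distro compilers patch a default in). One caveat worth keeping in mind when reading the post above: a stack protector only detects overwrites of stack buffers that reach the canary; it does nothing for out-of-bounds reads or heap corruption.

```python
"""Audit a CFLAGS/CXXFLAGS string for its effective stack-protector setting.

Hypothetical helper, not part of any browser build system. GCC and Clang
apply -f[no-]stack-protector* options left to right, so the last one wins;
auditing the final flag string catches a hardening flag that a build script
silently cancelled later on the command line.
"""
import shlex

# Stack-protector options in order of increasing coverage.
STACK_PROTECTOR_LEVELS = {
    "-fno-stack-protector": 0,
    "-fstack-protector": 1,         # functions with char arrays of 8+ bytes (default ssp-buffer-size)
    "-fstack-protector-strong": 2,  # any function with a local array or address-taken local
    "-fstack-protector-all": 3,     # every function
}


def tokens(flags):
    """Split a flag string with shell quoting rules (handles quoted -D values)."""
    return shlex.split(flags)


def stack_protector_level(flags):
    """Return the stack-protector level (0..3) in effect after all flags are applied."""
    level = 0  # assumption: compiler default is off; distro compilers often change this
    for tok in tokens(flags):
        if tok in STACK_PROTECTOR_LEVELS:
            level = STACK_PROTECTOR_LEVELS[tok]
    return level


def target_arch(flags):
    """Return the value of the last -march= flag, or None if the build targets the baseline."""
    arch = None
    for tok in tokens(flags):
        if tok.startswith("-march="):
            arch = tok[len("-march="):]
    return arch


def audit(flags):
    """Summarise the hardening state of a flag string and list what a practitioner should fix."""
    toks = tokens(flags)
    level = stack_protector_level(flags)
    warnings = []

    # An enabling flag followed later by -fno-stack-protector is cancelled silently.
    enabling = [i for i, t in enumerate(toks) if STACK_PROTECTOR_LEVELS.get(t, 0) > 0]
    disabling = [i for i, t in enumerate(toks) if t == "-fno-stack-protector"]
    if enabling and disabling and max(disabling) > max(enabling):
        warnings.append("-fno-stack-protector appears after an enabling flag and overrides it")

    if level == 0:
        warnings.append("no stack protector in effect")
    elif level == 1:
        warnings.append("-fstack-protector only guards functions with char arrays of 8+ bytes; "
                        "-fstack-protector-strong covers more functions")

    if target_arch(flags) is None:
        warnings.append("no -march given; the binary targets the generic baseline")

    return {"stack_protector": level, "march": target_arch(flags), "warnings": warnings}


if __name__ == "__main__":
    # Constructed flag strings: what a user might export before a from-source build.
    samples = [
        "-O2 -pipe -march=native -fstack-protector-strong",
        "-O2 -fstack-protector-strong -fno-stack-protector -march=haswell",
        "-O2 -fstack-protector",
    ]
    for s in samples:
        print(s)
        for key, value in audit(s).items():
            print(f"  {key}: {value}")
```

Run it on the exact string your build system ends up passing to the compiler (for example from a verbose build log), not on the value you exported, since wrappers and configure scripts append flags of their own.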
    1. Re:Build it yourself -- from source by mi · · Score: 2

      From the towering heights of FreeBSD (and other BSDs), the puny differences between your various Linux distributions are negligible, inconsequential, and uninteresting.

      --
      In Soviet Washington the swamp drains you.
    2. Re:Build it yourself -- from source by rudy_wayne · · Score: 4, Informative

      By building the browser yourself (with CFLAGS, CXXFLAGS and even CC and CXX set to something unusual — such as to target only your specific -march) — rather than downloading prebuilt binaries — you make the attacker's job much harder. To successfully exploit your browser, he'll now need to make a custom exploit just for you.

      And, if you include -fstack-protector or equivalent among your compiler-flags, you may even be able to make such attacks impossible for good.

      Technically, this is correct.

      However, I've tried to make my own custom builds of Firefox and it's a nightmare. The build process used by Firefox is so complicated and convoluted, it would make Rube Goldberg laugh. I haven't tried building Chrome, but reading the build instructions, it appears to be only marginally better.

    3. Re:Build it yourself -- from source by LordLimecat · · Score: 2

      I love seeing history repeat itself.

      Years ago, it was OSX that was impenetrable. "Find us an active exploit or virus", they said, "and don't give us any of that market share nonsense". All the while the clues were there, with OSX getting exploited in seconds at Pwn2Own when actual cash and computer swag was on the line.

      Here again, we have an OS with a minute market share boasting about its impenetrability and lack of exploits. I might propose that a great deal of the lack of exploits is the lack of any real incentive to go after such a tiny group of OSes which are invariably set up by fairly skilled IT persons.

      Develop a BSD distro with a desktop environment and a modern web browser, and set it out for a million end users to use with a $50k cash prize for the first exploit, and you'll be paying out in a day, tops.

      The amount of arrogance in some of these "My *Nix is best" threads is staggering. There is NOT code out there that is significantly more complex than Hello World that is bug free.

    4. Re:Build it yourself -- from source by Lunix+Nutcase · · Score: 2

      Good to see that Arch users are still ever vigilant in being the most obnoxious and attention whoring Linux users on the planet.

  4. How many of the exploits can be blamed on C? by Pinky's+Brain · · Score: 3, Insightful

    Are the majority of exploits due to bugs which would be trivially detected at compile time let alone runtime in a modern language as usual?

    1. Re:How many of the exploits can be blamed on C? by Lunix+Nutcase · · Score: 3, Interesting

      What a joke. "Modern" languages allow all sorts of security exploits through. Such as this hilarious one involving Ruby on Rails.

    2. Re:How many of the exploits can be blamed on C? by Lunix+Nutcase · · Score: 2

      Rust? Pssssssh. Everyone knows all the language hipsters have already moved on to Nim.

    3. Re:How many of the exploits can be blamed on C? by Lunix+Nutcase · · Score: 4, Insightful

      Because they lack any historical perspective like most language hipsters.

  5. Exploit details (sort of) by Nermal · · Score: 5, Informative

    The article doesn't provide many details on what these exploits actually were, but in case anyone else is curious like I was they appear to be published on the ZDI site:

    Broad strokes for new discoveries

    Details for older exploits

  6. How much would NoScript mitigate the FF Vulns? by SirBitBucket · · Score: 5, Insightful

    Curious how much NoScript would mitigate the Firefox vulnerabilities. I find the mild annoyance of having to enable scripting occasionally is well worth it.

    1. Re:How much would NoScript mitigate the FF Vulns? by Anonymous Coward · · Score: 3, Insightful

      Nearly all of them likely.

      99.9% of exploits are delivered via JS as a sort of obfuscation mechanism. Otherwise said exploits would be immediately caught by simple heuristics facilities and input sanitization.

      Honestly, that's the real problem with Web security. We've got a system where it's seen as acceptable to run un-trusted, un-signed code, from unknown or untrusted sources, requested by websites with similarly deficient credentials.

      Really, just point your browser at any modern website and you'll be loading and executing dozens of scripts from dozens of domains, all with absolutely zero credential checking. Web developers will tell you this is "standard practice" and "necessary". Computer security experts just laugh, shake their heads, and enjoy their job security.

  7. There was a happy middle ground by Anonymous+Brave+Guy · · Score: 2

    The thing is, that was all true with even relatively early browsers, because it's the uniform access to information that was the radical improvement on what we had before.

    Nothing about that necessarily means moving complex executable software to the browsers or making browsers a thin client for code running in the cloud is a similarly significant improvement. Plenty of us would argue that in many ways it has been a huge step backward, leading to dumbed-down software, security and privacy concerns, rent-seeking behaviours, inherent unreliability, and so on.

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  8. Re:Plug-ins were scapegoats but now we can't go ba by ThePhilips · · Score: 5, Insightful

    [...] they are also trying to write secure software in unsuitable programming languages like C++.

    Right. So tell me, what "suitable" language would allow the browser to parse 200-500K of minified JS code in under 0.5 seconds? (200K == jQuery + a few jQuery plug-ins, 500K == jQuery + lots of jQuery plug-ins.) Anyway, browsers already do resort to optimizations in assembler, because even C++ is not fast enough for what the web has become.

    So now we can't use tried and tested plug-in technologies to actually make stuff, and we all have to use HTML5+JS instead, even though in some areas they are still far inferior to what we had before with Flash or Silverlight or Java applets.

    Integration with 3rd parties is a bitch. That was and remains the main reason why plug-ins suck.

    Portability is another big reason. Windows, iOS and Android do things in starkly different ways, making portable plug-ins even harder.

    The problem is not plug-ins per se. The problem is that Google steers development of the Web toward its own goal, which is to make the OSs obsolete. The short-sighted strategy resulted in overbloated browsers, with all the consequences for security. Worse, they keep "optimizing" the browsers instead of e.g. integrating jQuery/etc. right into the browser to avoid repeating the loading of the same thing every time the user clicks a link.

    --
    All hope abandon ye who enter here.
  9. Re:IE Fell first. by Anonymous Coward · · Score: 4, Funny

    IE Fell First...

    But then George Lucas decided to edit it?

  10. Re:IE Fell first. by suutar · · Score: 3, Insightful

    So, since the attackers came with prewritten exploits, that essentially means that IE got tested first. And this means what?

  11. Re:IE Fell first. by Anonymous Coward · · Score: 5, Funny

    Shaka, When the Browsers Fell

  12. Re:IE Fell first. by barbariccow · · Score: 4, Interesting

    These are "stock" browsers without security plugins or addons, correct? None too surprising really.

    You mean malware like Symantec? I agree, exploiting anything on a Symantec infested machine would take much longer... but only because everything running on that system would run at about 1/17th max throughput.

  13. dodged another bullet. by nimbius · · Score: 4, Funny

    I was at Pwn2own and NEVER ONCE experienced an exploit thanks to my browser of the future: Links.

    Now if you'll excuse me, I need to gloat... there are some ARPANET users on gopher that are going to be mighty impressed by this.

    --
    Good people go to bed earlier.
    1. Re:dodged another bullet. by VAXcat · · Score: 2

      Links? Perhaps you meant Lynx?

      --
      There is no God, and Dirac is his prophet.
  14. Re: Dave what's it taste like eating your words? by cinky · · Score: 2

    Just ignore him and he'll go away...

  15. Re:Plug-ins were scapegoats but now we can't go ba by ThePhilips · · Score: 4, Informative

    Slashdot is pretty "lightweight" and yet:

    The size of JS embedded on this page I'm replying from is 33K in about 890 lines of code.

    Externally loaded libraries are (most minified):

    http://a.fsdn.com/sd/all-minified.js?release_20150309
    http://player.ooyala.com/v3/85...
    http://a.fsdn.com/sd/html5.js
    http://a.fsdn.com/sd/comments-...
    http://www.googleadservices.co...

    Total size: 1147446 bytes, aka 1.1MB.

    You are welcome.

    --
    All hope abandon ye who enter here.
  16. Re:IE Fell first. by Anonymous Coward · · Score: 2, Insightful

    Nonsense. A browser can fall before the contest even takes place, which is what happened here. Or do you think they honestly found an attack in one second? Some people just wait for the contest to exploit the browser; others try to create one on-the-fly. That doesn't speak to the quality of ANY of the software involved. For all we currently know, it took months of work to exploit Firefox/IE, and only a few hours to exploit Chrome. But sensationalizing is the order of the day with these events, because browser users like to treat their browsers as sports teams, when in reality ALL of them lost in this competition (were compromised) and ALL of them won (discovered those exploits so proper fixes could be made).

  17. Re:Plug-ins were scapegoats but now we can't go ba by sexconker · · Score: 3, Interesting

    window.onbeforeunload = function(){while(1);}

    Throw that on a page, close the tab, and lol.

    Browsers happily execute what the page commands it to before considering what you the user commanded it to do. There are poorly-documented restrictions on things you can do during beforeunload or unload, all varying across browsers. I don't think you can alert(), you can return 'Some Shit' but it always displays a stock message ("Do you want to leave this page?"), IE will block window.open calls, etc. There's still plenty of room for you to fuck the user's experience over, however.

    Eventually the browser's long-running script timer will grant you, the pitiful user, the option to fucking do what you want.