Slashdot Mirror

← Back to Stories (view on slashdot.org)

Every Browser Hacked At Pwn2own 2015, HP Pays Out $557,500 In Awards

Posted by Soulskill on from the another-four-bite-the-dust dept.

darthcamaro writes: Every year, browser vendors patch their browsers ahead of the annual HP Pwn2own browser hacking competition in a bid to prevent exploitation. The sad truth is that it's never enough. This year, security researchers were able to exploit fully patched versions of Mozilla Firefox, Google Chrome, Microsoft Internet Explorer 11 and Apple Safari in record time. For their efforts, HP awarded researchers $557,500. Is it reasonable to expect browser makers to hold their own in an arms race against exploits? "Every year, we run the competition, the browsers get stronger, but attackers react to changes in defenses by taking different, and sometimes unexpected, approaches," Brian Gorenc manager of vulnerability research for HP Security Research said.

13 of 237 comments (clear)

  1. Re:Browsers getting too complex by dave420 · · Score: 4, Insightful

    There's nothing stopping you from going back. The rest of us can still use the vastly more functional modern web applications to get stuff done. Yes, there are security issues, but security issues exist regardless of whether they are in the browser or in software. It's not as if we never had any computer security issues before Web 2.0...

  2. Exploit details (sort of) by Nermal · · Score: 5, Informative

    The article doesn't provide many details on what these exploits actually were, but in case anyone else is curious like I was they appear to be published on the ZDI site:

    Broad strokes for new discoveries

    Details for older exploits

  3. Re:Browsers getting too complex by jellomizer · · Score: 4, Insightful

    I wouldn't say a browser is trying to be an OS but more of an interpreted language compiler.
    But if you turn off those nostalgia blinders. Of the days of the old web. We needed to install a program for almost everything, you needed an encyclopedia, then you put in that Encarta CD. Every piece of software worked for a particular OS. We had some multi-platform but they required other software that you needed to be lucky enough to have a version for your system as well. You needed ports open to share data with an other system...

    This is why back in the 1990's nearly everyone had to use windows. It is because buying a Mac, or using Linux will give you disadvantage in available software. The advanced browser opened up your Linux and Mac to the world, and people really don't care much what freaking OS you are using, because the content renders nearly the same.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  4. How much would NoScript mitagte the FF Vulns? by SirBitBucket · · Score: 5, Insightful

    Curious how much NoScript would mitigate the Firefox vulnerabilities. I find the mild annoyance of having to enable scripting occasionally is well worth it.

  5. Re:Build it yourself -- from source by rudy_wayne · · Score: 4, Informative

    By building the browser yourself (with CFLAGS, CXXFLAGS and even CC and CXX set to something unusual — such as to target only your specific -march) — rather than downloading prebuilt binaries — you make the attacker's job much harder. To successfully exploit your browser, he'll now need to make a custom exploit just for you.

    And, if you include -fstack-protector or equivalent among your compiler-flags, you may even be able to make such attacks impossible for good.

    Technically, this is correct.

    However, I've tried to make my own custom builds of Firefox and it's a nightmare. The build process used by Firefox is so complicated and convoluted, it would make Rube Goldberg laugh. I haven't tried building Chrome, but reading the build instructions, it appears to be only marginally better.

  6. Re:Browsers getting too complex by tlhIngan · · Score: 4, Insightful

    TL/DR: Javascript+HTML5 is the new Java applet + Flash Player + ActiveX control.

    But it's far better than before. Because Flash Player and ActiveX you were limited to waiting for a third party to fix the flaw. There's nothing the browser vendor or the user could do. JavaScript/HTML5? The browser vendor's at fault and hell, it may even be possible to fix it yourself.

    JavaScript/HTML5 may be the new vulnerability, but it's a lot easier to fix the issue. If the vulnerability was in Flash Player or some random ActiveX object, you're stuck waiting for Adobe or other third party to make the fix. With JavaScript/HTML5, the browser vendor can fix it, if it's open source, you or the community can fix it.

    So yeah, there's vulnerabilities, but the resolution of which is far easier. It may even be simply switching browsers!

  7. Re:How many of the exploits can be blamed on C? by Lunix+Nutcase · · Score: 4, Insightful

    Because they lack any historical perspective like most language hipsters.

  8. Re:Plug-ins were scapegoats but now we can't go ba by ThePhilips · · Score: 5, Insightful

    [...] they are also trying to write secure software in unsuitable programming languages like C++.

    Right. So tell me, what "suitable" language would allow the browser to parse 200-500K of minified JS code in under 0.5 second? (200K == JQuery + few JQ plug-ins, 500K - JQuery + lots of JQ plug-ins.) Anyway, browsers already do resort to optimizations in assembler, because even C++ is not fast enough for what the web has become.

    So now we can't use tried and tested plug-in technologies to actually make stuff, and we all have to use HTML5+JS instead, even though in some areas they are still far inferior to what we had before with Flash or Silverlight or Java applets.

    Integration with 3rd parties is a bitch. That was and remains the main reason why plug-ins suck.

    Portability is another big reason. Windows, iOS and Android do things in starkly different ways, making portable plug-ins even harder.

    The problem are not plug-ins per se. The problem is that Google steers development of the Web toward its own goal which is to make the OSs obsolete. The short-sighted strategy resulted in overbloated browsers, with all the consequences for the security. Worse, they keep "optimizing" the browsers instead of e.g. integrating the JQuery/etc right into the browser to avoid repeating the loading of the same every time user clicks a link.

    --
    All hope abandon ye who enter here.
  9. Re:IE Fell first. by Anonymous Coward · · Score: 4, Funny

    IE Fell First...

    But then George Lucas decided to edit it?

  10. Re:IE Fell first. by Anonymous Coward · · Score: 5, Funny

    Shaka, When the Browsers Fell

  11. Re:IE Fell first. by barbariccow · · Score: 4, Interesting

    These are "stock" browsers without security plugins or addons, correct? None too surprising really.

    You mean malware like Symantec? I agree, exploiting anything on a Symantec infested machine would take much longer... but only because everything running on that system would run at about 1/17th max throughput.

  12. dodged another bullet. by nimbius · · Score: 4, Funny

    I was at Pwn2own and NEVER ONCE experienced an exploit thanks to my browser of the future: Links.

    now if youll excuse me i need to gloat...there are some arpanet users on gopher that are going to be mighty impressed by this.

    --
    Good people go to bed earlier.
  13. Re:Plug-ins were scapegoats but now we can't go ba by ThePhilips · · Score: 4, Informative

    Slashdot is pretty "lightweight" and yet:

    The size of JS embedded on this page I'm replying from is 33K in about 890 lines of code.

    Externally loaded libraries are (most minimified):

    http://a.fsdn.com/sd/all-minified.js?release_20150309
    http://player.ooyala.com/v3/85...
    http://a.fsdn.com/sd/html5.js
    http://a.fsdn.com/sd/comments-...
    http://www.googleadservices.co...

    Total size: 1147446 bytes, aka 1.1MB.

    You are welcome.

    --
    All hope abandon ye who enter here.