Slashdot Mirror

← Back to Stories (view on slashdot.org)

Every Browser Hacked At Pwn2own 2015, HP Pays Out $557,500 In Awards

Posted by Soulskill on from the another-four-bite-the-dust dept.

darthcamaro writes: Every year, browser vendors patch their browsers ahead of the annual HP Pwn2own browser hacking competition in a bid to prevent exploitation. The sad truth is that it's never enough. This year, security researchers were able to exploit fully patched versions of Mozilla Firefox, Google Chrome, Microsoft Internet Explorer 11 and Apple Safari in record time. For their efforts, HP awarded researchers $557,500. Is it reasonable to expect browser makers to hold their own in an arms race against exploits? "Every year, we run the competition, the browsers get stronger, but attackers react to changes in defenses by taking different, and sometimes unexpected, approaches," Brian Gorenc manager of vulnerability research for HP Security Research said.

4 of 237 comments (clear)

  1. Exploit details (sort of) by Nermal · · Score: 5, Informative

    The article doesn't provide many details on what these exploits actually were, but in case anyone else is curious like I was they appear to be published on the ZDI site:

    Broad strokes for new discoveries

    Details for older exploits

  2. How much would NoScript mitagte the FF Vulns? by SirBitBucket · · Score: 5, Insightful

    Curious how much NoScript would mitigate the Firefox vulnerabilities. I find the mild annoyance of having to enable scripting occasionally is well worth it.

  3. Re:Plug-ins were scapegoats but now we can't go ba by ThePhilips · · Score: 5, Insightful

    [...] they are also trying to write secure software in unsuitable programming languages like C++.

    Right. So tell me, what "suitable" language would allow the browser to parse 200-500K of minified JS code in under 0.5 second? (200K == JQuery + few JQ plug-ins, 500K - JQuery + lots of JQ plug-ins.) Anyway, browsers already do resort to optimizations in assembler, because even C++ is not fast enough for what the web has become.

    So now we can't use tried and tested plug-in technologies to actually make stuff, and we all have to use HTML5+JS instead, even though in some areas they are still far inferior to what we had before with Flash or Silverlight or Java applets.

    Integration with 3rd parties is a bitch. That was and remains the main reason why plug-ins suck.

    Portability is another big reason. Windows, iOS and Android do things in starkly different ways, making portable plug-ins even harder.

    The problem are not plug-ins per se. The problem is that Google steers development of the Web toward its own goal which is to make the OSs obsolete. The short-sighted strategy resulted in overbloated browsers, with all the consequences for the security. Worse, they keep "optimizing" the browsers instead of e.g. integrating the JQuery/etc right into the browser to avoid repeating the loading of the same every time user clicks a link.

    --
    All hope abandon ye who enter here.
  4. Re:IE Fell first. by Anonymous Coward · · Score: 5, Funny

    Shaka, When the Browsers Fell