Slashdot Mirror


Pwn2Own 2016 Won't Attack Firefox (Because It's Too Easy) (eweek.com)

darthcamaro writes: For the last decade, the Pwn2own hacking competition has pitted the world's best hackers against web browsers to try and find zero-day vulnerabilities in a live event. The contest, which is sponsored by HPE and TrendMicro this year, is offering over half a million dollars in prize money, but for the first time, not a penny of that will be directed to Mozilla Firefox. While Microsoft Edge, Google Chrome and Apple Safari are targets, Firefox isn't because it's apparently too easy and not keeping up with modern security: "'We wanted to focus on the browsers that have made serious security improvements in the last year,' Brian Gorenc, manager of Vulnerability Research at HPE said."

12 of 288 comments

  1. This is a big bitchslap to Mozilla by Sax+Russell+5449D29A · · Score: 5, Interesting

    As an avid Firefox user, I have to agree. Firefox is good because it's customizable, but it certainly lacks some inherent security features found in other major browsers. Many of the security risks can probably be averted by configuring the browser for added privacy and disabling certain features, but this is no excuse for lagging behind.

    Maybe Mozilla will someday focus on its core competencies again and stop fooling around with nonsense like Firefox OS...

    --
    -SR
    1. Re:This is a big bitchslap to Mozilla by RandomFactor · · Score: 5, Interesting

      "The only advantage Firefox gives is that one can run NoScript to block all scripting completely."

      However, that's a pretty significant advantage.

      I would love to see how Firefox compares with that one addon in place since that's how I run.

      Possibly a 'hardened browsers' version of the competition?

      --
      --- Mercutio was right.
  2. Re:what? by sittingnut · · Score: 5, Insightful

    To add to my above, those who are in charge of Firefox are no longer interested in making its core product better and secure. It is interested in market and marketing, bowing to establishment ideology and legalese, etc. etc.

  3. Mozilla Foundation's press release in response: by Anonymous Coward · · Score: 5, Funny

    "Yeah, Pwn2own, well.... your MOM is too easy!"

  4. Can't expect Firefox to be secure by Anonymous Coward · · Score: 5, Insightful

    The FF developers don't have the time for that, they're far too busy destroying the user experience just a little bit more with each release.

    It takes a lot of time and effort and great skill to ruin what used to be the best browser you know, it doesn't happen by itself!

    (I just wish I were joking. Unfortunately they have the Microsoft disease of "The UI must change with each release to show that we're doing something". It's mind-boggling in its insanity, and it annoys their supporters continually. If they hadn't touched the UI in the last 5 years and devoted all their energy to security and performance instead, FF would still be the leading browser today.)

  5. Re:Hey hey hey... by timritzer · · Score: 5, Informative

    Except for the fact that last year it was the most insecure! http://www.extremetech.com/com... So, least secure last year, plus the statement "We wanted to focus on the browsers that have made serious security improvements in the last year" clearly indicates they think it is not worth the effort due to the insecure nature of the browser.

  6. Re:what? by Anonymous Coward · · Score: 5, Interesting

    They didn't say Firefox isn't secure, they said it hasn't made many recent security improvements; that's not the same thing. Firefox already had superior security, so it has not had to make many improvements in the last year compared to less secure browsers.

  7. Re:Wait a minute by BZ · · Score: 5, Interesting

    Or maybe this is the contest organizers trolling? Because I know for a fact Firefox made serious security improvements in the last year; I reviewed some of those patches.

  8. Re:what? by Carewolf · · Score: 5, Insightful

    +5 funny. Firefox drops every year at Pwn2Own. So that "superior security" doesn't seem to actually amount to much in real life.

    All the browsers fail every single year.

  9. Re: Then what's the point? by dj245 · · Score: 5, Informative

    Again, though, that misses the point. You offer a prize to hack an insecure browser as a means of shaming the browser's developer. That's how it worked, and more to the point, that's why it worked. Have the Pwn2Own folks perhaps lost sight of that original purpose?

    Obviously Firefox wasn't shamed last year, or they would have tried to improve security. Instead, they made a bunch of useless UI changes, removed features, etc. They didn't get the message. Spending large amounts of money to send them the same message again would be a wasted effort. By ignoring them this year, Pwn2Own is sending an even stronger message that Firefox is a browser to be avoided. And it doesn't cost them any prize money to send that message.

    --
    Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
  10. Re:what? by naris · · Score: 5, Insightful

    Something being open source has never, ever meant that it is more secure. That is a myth propagated by open source zealots. Open source only means that the source can be viewed, and most likely changed, by anyone. Open source zealots assume that means it is rigorously vetted by security experts to find any flaws and fix them, which is a huge assumption that most likely is not true for most projects.

  11. Re:what? by NotDrWho · · Score: 5, Interesting

    Sorry, but I'll still take Firefox over Chrome, IE, or Opera any day. Here is the dialogue I always have on some message board whenever I try to go over to Chrome:

    Me: Where is the menu bar?

    Them: You don't need a menu bar, the menu button will do everything instead.

    Me: Will it let me open a file?

    Them: Uhm....well...no.

    Can I at least add a stop button and zoom controls to the toolbar?

    Them: Sorry, Chrome doesn't allow any customization. You're supposed to do it the way Google tells you to.

    Me: Okay. Where are the options to automatically clear my history at close, erase all cookies at close, not remember search form histories, etc.?

    Them: Why would you need that?

    Me: For privacy.

    Them: What's "privacy"?

    Me: It's something Google has never, and will never, respect.

    --
    SJW's don't eliminate discrimination. They just expropriate it for themselves.