Slashdot Mirror


Pwn2Own 2016 Recap: Hackers Earn $460,000 For 21 Hacks (securityweek.com)

wiredmikey writes from an article on SecurityWeek: Pwn2Own 2016 has come to an end, with researchers earning a total of $460,000 in cash for disclosing 21 new vulnerabilities in Windows, OS X, Flash, Safari, Edge and Chrome. On the first day of the well-known hacking competition, contestants earned $282,500 for vulnerabilities in Safari, Flash Player, Chrome, Windows and OS X. On the second day, Tencent Security Team Sniper took the lead after demonstrating a successful root-level code execution exploit in Safari via a use-after-free flaw in Safari and an out-of-bounds issue in Mac OS X. The exploit earned them $40,000 and 10 Master of Pwn points. This year's contestants earned nearly $100,000 less for their exploits compared to Pwn2Own 2015, when researchers walked away with more than $550,000 for their exploits.

5 of 52 comments

  1. depressing by phantomfive · · Score: 3, Insightful

    This kind of stuff is depressing. You'd like to say, "Oh, the programmers are doing the best they can," but when you have an open bug list that looks like this, you can't possibly ensure that your code is secure, not even close. That kind of codebase is like a playground for hackers.

    --
    "First they came for the slanderers and i said nothing."
  2. Software has bugs by paskie · · Score: 4, Informative

    I thought you were linking to some sort of security-related bugs. But these are just plain bugs. And the codebase involved in rendering web pages is huge, because it's not an easy thing to do (try it; I maintained a text-mode browser for a couple of years). And huge codebases have many bugs, because the effort to keep them without minor bugs is just not worth it to anyone unless it is flying airplanes or directly responsible for hauling over hundreds of millions of dollars.

    Welcome to the real world - we just don't know how to write software without bugs without it being too onerous, expensive and boring (and the code running slow). And there's no short term prospect of learning it either. The only thing we can do is fix the major ones and security-wise, design the whole thing so that most bugs don't matter.

    --
    It's not the fall that kills you. It's the sudden stop at the end. -Douglas Adams
    1. Re:Software has bugs by nuckfuts · · Score: 4, Interesting

      I thought you were linking to some sort of security-related bugs. But these are just plain bugs.

      You're making an interesting distinction. When the folks at OpenBSD (renowned for proactive security) audit their code, they intentionally avoid this distinction:

      During our ongoing auditing process we find many bugs, and endeavor to fix them even though exploitability is not proven. We fix the bug, and we move on to find other bugs to fix. We have fixed many simple and obvious careless programming errors in code and only months later discovered that the problems were in fact exploitable.

  3. Re:Firefox FTW by ChronoReverse · · Score: 4, Informative

    Actually it's because Firefox is doing so badly in the security front that they're not bothering: https://it.slashdot.org/story/...
    I'm typing this from Firefox but it's truly sad how Mozilla is caught up with things that are ultimately worthless (Firefox OS) instead of working on their core competency (or "competency").

  4. Re:use-after-free by lgw · · Score: 2

    I worked on a code base where we took elaborate precautions to be 100% sure we had no use-after-free bugs (macros that would crash the system any time it happened). I was just shocked how many we found, and how frequently people kept generating new ones. Too many C programmers who shouldn't be, I guess.

    --
    Socialism: a lie told by totalitarians and believed by fools.
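A minimal version of the crash-on-use-after-free discipline lgw describes, as an added example that is not from this thread or any project named on the page: a hypothetical debug allocator poisons freed blocks and keeps them in a quarantine (never handed back to malloc) so a stale pointer can still be recognised, and a CHECKED_USE macro aborts with a location the moment one is dereferenced. The allocator, the session struct and the scenario are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical debug allocator: freed blocks are poisoned and parked in a
 * quarantine instead of going back to malloc, so a stale pointer is still
 * recognisable later instead of silently aliasing a fresh allocation. */
#define QUARANTINE_SLOTS 256
#define POISON_BYTE 0xAB
static void *quarantine[QUARANTINE_SLOTS];
static size_t quarantine_len = 0;

void *dbg_malloc(size_t n) { return malloc(n); }

/* Poison and quarantine; the memory is deliberately never reused. */
void dbg_free(void *p, size_t n) {
    if (p == NULL) return;
    memset(p, POISON_BYTE, n);
    if (quarantine_len < QUARANTINE_SLOTS)
        quarantine[quarantine_len++] = p;
    else
        free(p); /* quarantine full: give up tracking this block */
}

/* 1 if p points at a block that went through dbg_free, else 0. */
int is_dangling(const void *p) {
    for (size_t i = 0; i < quarantine_len; i++)
        if (quarantine[i] == p) return 1;
    return 0;
}

/* Every pointer use goes through this macro; a stale pointer crashes here
 * with a source location, rather than reading poisoned bytes and limping on. */
#define CHECKED_USE(p) do { if (is_dangling((p))) { \
    fprintf(stderr, "use-after-free at %s:%d\n", __FILE__, __LINE__); abort(); } } while (0)

/* Constructed scenario: a second reference outlives the free. */
struct session { int id; char token[16]; };

int count_stale_uses(void) {
    struct session *s = dbg_malloc(sizeof *s);
    struct session *alias = s;      /* the reference nobody remembered to clear */
    int stale = 0;
    CHECKED_USE(s);                 /* live block: passes */
    s->id = 42;
    dbg_free(s, sizeof *s);
    stale += is_dangling(alias);    /* alias now dangles: adds 1 */
    return stale;
}
```

In a real build the macro would be compiled out in release mode; the quarantine is a deliberate leak, which is the price of keeping freed addresses unique during testing.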