Internet browser security took a beating during Day 1 of an annual hacking competition, with Apple's Safari, Microsoft's Internet Explorer and Mozilla's Firefox all being felled in a matter of hours. The uncontested champion of the contest was a University of Oldenburg master's candidate who managed to fell Safari, IE 8 and …
What, no Opera hacking? I'm disappointed...
Not to mention Chrome? I also don't like the sound of sitting on bugs for 12 months just for the order of a contest... Oh well, these are man made projects.
I heard you can get up to five quid for an Opera exploit on the black market.
So this guy's been sitting on a bug for nigh on a year in order to get his 15 minutes of fame, rather than doing the decent thing and passing it on to the manufacturer?!
He clearly thought that he was the only one smart enough to find this vuln, and not disclosing it for such a ridiculously long amount of time would be perfectly safe.
Technical knowledge, combined with hubris and monumental stupidity. Fantastic mixture.
If he was sitting on it for a year...
then perhaps the competition should be run monthly or something. I've got no objection to him getting lots more macbooks if vulnerabilities don't sit around *that* long...
How much did Opera software pay to not get included in that list?
Opera and Chrome
Shame they didn't include Opera.
I can't help but wonder if it's because it's not open source? How many of these clever hackers spend months looking through the source code of webkit and mozilla looking for flaws, before turning up and seemingly finding a hole within hours? IE is closed source, but it's from the evil beast and the perception is that it's the worst browser for security right now, so they can hardly leave that out of the test.
It's not as if Opera doesn't have a few security holes occasionally, but it's surely easier to find them when it's open source.
And there's no mention of Chrome either, with its fancy architecture that's supposed to stop problems in one tab affecting the rest of the browser.
Perhaps they left out the difficult ones?
What no Linux?
Checking the TippingPoint website shows that no computers using Linux are involved.... must be because Ubuntu made them cry last time. Before the usual wha, wha, Linux is not that popular to be exploited. The via laptop is running Windows 7?!!!!! How many have that. At least microcrud is consistent. Your exploits will still be compatible with their new OS.
Wonder if a deal was done to keep Linux out of the picture so that there would be no headlines of Linux not being exploitable.
I run both Windows and OSX on my PCs so I have no axe to grind, but seriously this is a pointless contest as the "contestants" are using bugs they discovered months or years ago and didn't tell anyone, just so they could show how clever they are. Clever would be telling the OS providers so they could fix the problem before innocent people get hacked, cos these numpties didn't tell anyone about the bug in question.
Any software is hackable, end of story, and particularly if you can get the operator to install the hack!
Opera's market share is so insignificant it's not worth their time bothering to try and hack it.
I too would like to see how they fared against Opera
Contest's a sham
Back when it was attack the OS it was as exciting as watching the grass grow with 500,000 attempts and no progress at hacking. They had to make it easy and picked the large surface attack vector of browsers. All browsers will fall as they have the most hostile environment and job parsing good and bad html and ecmascript and all sorts of nasties.
The contest is now lame and reeks of easy low hanging fruit discoveries that are kept private solely for the chance to score a free computer and money in as little time as possible.
-1 for the sham the contest has degraded itself to
they never said which one failed first...
now how are the zealots going to argue about which is best...
on a verified by visa hack?
I had no idea.
Must get out more.
Nils also doesn't have to worry about
the cops coming to throw him in the clink or being pwned by the people to whom he thinks he is selling his exploit. I think that's worth a 95% discount.
so they have been sitting on bugs
waiting for either someone to offer $$ or they can use them in competitions like this, wish I could do that in my job!
Yet Nils, was willing to accept just $5,000 and a new Sony Vaio for his attack.
Which when added together makes $100,000.
What about Opera? I'm sure it's used by enough people to be considered and exploited in the competition, or is it just too damn good muhahaha...
I'll just get my coat.
Safari was hacked in seconds, IE and Firefox took considerably longer.
but...but... surely Macs are completely invulnerable to anything bad. That's what Mac owners keep telling me.
It couldn't be that they are just as vulnerable but that hackers and virus writers don't bother targeting them due to the fact that there are so few of them in comparison to PCs. That would just be silly. You'll be saying that I-Pods actually give rubbish sound quality next. Lies. All lies!
...no browsers running on Linux - too tough? Would have been nice to see at least.
Am I the only person who read this...
"The challenge was enough to motivate him to dust off a separate Safari bug he had been sitting on for more than 12 months for this year's competition"
and thought that this guy was pretty irresponsible for sitting on this for over a year instead of notifying the powers that be?
I can only presume
that whilst trying to develop exploits for these browsers, they donned the mantle of most stupid user ever in addition to that of uber hacker. In other words they used the browsers in the most irresponsible way, clicking on any link rendered by the browser, and obviously links to their own exploit code. Did they also use these browsers without any limits on what 3rd party web extension code (ActiveX, Java, Flash etc., etc.) could do?
I am not trying to defend insecure coding by any of the developers of these browsers, what I am saying is that security begins and ends with the user. They certainly would have had a harder time exploiting the browser of web wise users who don't automatically trust every link rendered, who do take measures to limit the ability of third party code to execute and have a healthy paranoia of the web in general.
"Still, browsers have a lot of problems. It's really a lot of codes that are exposed to the internet."
Not to mention the underlying OS if one uses a browser that is so tightly integrated with the OS that it is hard to determine where browser ends and OS begins.
The use of a computer has been dumbed down to the point that having an IQ which barely reaches double figures is sufficient to use one. Now whilst this may be seen as a good thing, it is also very dangerous. There are child proof lids on medicine bottles for a reason.
The average computer/web user is far easier to exploit than the underlying technology he/she uses to access the web (with the exception of a certain operating system). I would be impressed if an exploit was developed for any of those browsers exploited that did not require user interaction.
What? No Opera?
http://cansecwest.com/ says they have only the following combinations running:
Vaio - Windows 7
Pity. I would have liked to see how my browser of choice, Opera, would have survived. However, I realise that Chrome has twice Opera's market share.
the question is...
...which browser has the highest number of exploitable flaws?
Paris because she has had all her flaws exploited
Was Opera in the competition?
I don't know the details of the Firefox exploit used but I wonder if it would still work with the no script addin running?
I bet none of them have ever kissed a girl.
The second, and perhaps much more interesting part of this contest, is how quickly the various maintainers get patches out to fix the identified bugs...
Title? We don't need no stinking titles!
Desktop OS hacking like last year. Would have been nice
to watch the penguin shame them all again.
To break Lynx? Thought not :)
Sitting on a bug for 12 months!
people saying words to the effect of 'shame on nils for sitting on a bug for 12 months' should realize that 'nils' is not a professional security researcher and might have better things to do than give free bug reports to Apple/Moz/MS. If he finds a bug, he is under no obligation to report it -- if he wants to make it his personal plaything, that's up to him.
I usually either work around bugs or use a different program -- I have a job to do and I don't always have the time to file reports. Usually, once I've figured out the workaround, the bug gets forgotten and I go back to my job. However if some contest came up and said "hey, you can make some dough if you further explore and exploit that bug you found a year back," depending on how hard up for cash I was, it might grab my attention.
A contest like this is to give folks like 'nils' incentive to develop a workable exploit (not the same as discovering the bug) and come forward. It also gives these bugs a higher profile than they might otherwise have had (especially when reporting to the 'Queen of Denial' ... not sure if that refers to Apple or MS this week, but either way if my bug report vanishes in to the 'ether' and can't be properly tracked, I'm much less inclined to give them the benefit of my free quality control.)
Mine's the one with the chip on the shoulder.
better to sit on it than sell
to be honest, it was better of him to sit on it for a year than sell it to the underworld for $100k - yes, the exploit may have been found by someone else during the year and he should have told Apple but I return to my first point.
to use is a VM session that can be 0wned and then reloaded started from scratch when that happens :-(
In defense of Charlie Miller
To those criticizing Charlie Miller for sitting on a Safari bug for more than 12 months, please consider the following:
A bug isn't the same thing as an exploit. While Miller discovered the bug more than a year ago, it was only recently that he figured out a way to exploit it so he could remotely execute code. Charlie told me he spent considerable time and effort making this happen. Meanwhile, he has paying clients and hard deadlines to meet. Under the circumstances, I don't think there's anything wrong with him dusting off an old bug when entering this contest.
Not quite cynical enough.
What a lot of peeps here use Opera - I might give it a look...
Course here's another way of looking at the competition.
Sell your exploit to a few blackhats.
Given a bit of time the secret will get out and they're using your exploit without paying you.
Develop a new exploit, but the blackhats all have a perfectly good working one and so don't want to pay.
Your nasty old exploit that has long since ceased paying out.
Give your exploit to some grad student as a way to look good and get some cash to fund the studies (likely enough into the next exploit, which he may feel indebted enough to share with you) and let him win the competition. Doesn't really matter if he does or not.
Nasty old exploit becomes public domain and gets closed.
Black hats have to pay top dollar again for the new one.
Repeat next year at a different hacking contest so as not to raise suspicion.
@Dan Goodin : in defense (sic) of Charlie Miller
You can't blame people for reading that into it.
They could only go on what you told us.
"the mantle of most stupid user ever in addition to that of uber hacker"
Fair point, but I always like to say that social engineering works much better on victims who have social skills...
I found a bug in Opera, reported it twice and had no acknowledgement either time. The bug was still there last time I checked. Not a security issue, but why bother having a bug list in the first place?
Perhaps, I am a bit pessimistic, but I have a feeling that reporting bugs leads to no response at all, or a text saying the bug is well known and very very non critical or the police will search your house and confiscate your computers.
I also know of a 'bug'
in all major browsers (and including Opera) that allows me to spot user-agent spoofing regardless of the method. I can spot FF with its User-Agent Switcher spoofing IE, Opera or any other browser's header that can be put into it; I can also spot Opera's Mask As... and Identify As... feature. I've known about this flaw for nearly two years now, and it seems to have survived in all new versions of each browser.
Needless to say, I'm sitting on it and have no intention of revealing it to anyone, for several reasons, notably that banks and other sites like Microsoft that try to force you to use IE would inevitably use it to counter browser spoofing (and I like being able to use my bank's website without being forced into using Suxplorer). I also use it on our own company's websites to prevent them breaking when IE is spoofed by a non-MS browser (IE requires a different CSS than other browsers and spoofing it normally causes the IE CSS to load, breaking the site in the non-IE browser.) It also allows me to adjust site layouts to a particular browser (e.g. Opera uses a different line-height and letter-spacing than other browsers given the same values for these attributes in a CSS file) so that the site renders exactly the same in all browsers. I use this ability as part of my 'sell' to clients when I demonstrate how other sites break under these conditions, while our sites don't. Revealing it would be to give away that part of our 'edge'.
It's not a security problem as far as I can see, although an attacker might be able to use it to reliably determine which browser the user has and tailor their attacks accordingly; it's just the way each browser inadvertently reveals itself that lets me spot what it really is. But it does show some of the reasoning why people like Nils who discover such bugs and flaws might want to sit on them - knowing about a particular flaw can give you an edge in the fiercely competitive Web development market, quite aside from any financial rewards you may obtain by waiting for a better offer than just handing it over for nothing!
Dan, please. As a security professional Charlie should hide bugs he knows about because he has clients and deadlines to meet? What, like everyone else, you mean?
This is why the black hats manage to get away with remote exploits for so long, because people with Charlie's mentality give them carte blanche to do so. The black hats aren't going to publish the keys to the kingdom. It helps if the supposed white hats do, for the security of all. If they don't give a shit unless they're getting a laptop out of it then we've got a problem ...
Perhaps you don't realise how many security products are based on open source tools and o/s? If everyone involved in open source had that attitude no security products would exist at all.
Re: Anyone manage...
> To break Lynx? Thought not :)
I bet there was plenty worn there though!!!
I'm no better.
I have not revealed any bugs to anyone. That's mainly because I haven't found any, but I've done as much harm as Charlie and made no money out of it.
I'll just keep using Windows 98 then
Security through obscurity. All these new hacks just bounce off win-98.
Why don't companies just pay for bug reports
Organise a contest like this every day. The first exploitable flaw of the day gets 100K.
You'll have hackers racing to be first!
After a few weeks the exploits will all be known. For a couple of million dollars all your codebase is fixed.
You can't beat that!
"...no browsers running on Linux - too tough? Would have been nice to see at least."
uhh... correct me if I'm wrong, the contest is to exploit security vulnerabilities in the BROWSER not the OS.