Pwn2Own: IE10, Firefox, Chrome, Reader, Java hacks land $500k

It's back to the drawing board for coders at Microsoft, Google, Adobe, Mozilla, and Oracle after entrants in the annual Pwn2Own contest waltzed off with over half a million dollars in prizes for exploiting security holes in popular software. At this year's CanSecWest security conference in Vancouver, contestants had a choice of …

COMMENTS


Surface Pro

"VUPEN Security's crack on IE 10 running on Surface Pro was an eye-opener," Gorenc said. "The vulnerability was so elegant it didn't even crash the browser. They launched the process from outside the sandbox so the user wouldn't even know if they had been hacked."

Since this is the Pro version and not the RT, this pretty much means that Windows 8 is hackable (possibly 7 if you upgraded to IE 10)


Re: Surface Pro

You're assuming the hack doesn't work in IE9 as well.

Anonymous Coward

Re: Surface Pro

Pretty much all OSs are hackable. It is worth noting that Windows 8 has one of the lowest vulnerability counts versus time of any current OS, as does IE 10 - much lower than Chrome or Firefox for instance.

To fully exploit the IE10 hole, you would also need a further vulnerability to elevate your rights.


Re: Surface Pro

It is worth noting that Windows 8 has one of the lowest vulnerability counts versus time of any current OS, as does IE 10

No, it really isn't worth noting. Not been on the market for six months and not getting a great deal of use. Expect the number of known vulnerabilities to rise as more chumps are forced to use it.

All systems have vulnerabilities and an open approach to dealing with them is far more important than cock-crowing about the numbers.


Re: Surface Pro

"Not been on the market for six months"

Ummm, he did say "lowest vulnerability counts versus time".


You should judge based on active attacks

Just counting the number of vulnerabilities is a lazy way to judge the security of a product. You should count how many days something has been actively exploited.

"If we count just the critical zero-days, there were at least 89 non-overlapping days (about three months) between the beginning of 2011 and Sept. 2012 in which IE zero-day vulnerabilities were actively being exploited. That number is almost certainly conservative..."

http://krebsonsecurity.com/2012/10/in-a-zero-day-world-its-active-attacks-that-matter/

The last known active exploit for Firefox was in 2010, for the Nobel Peace Prize, which was patched in a day. Chrome has no known history of an active exploit in the wild.

Of course this quote was about earlier Windows, and Windows 8 is different, especially IE in Win32 vs IE in WinRT, but the point is Microsoft's security record is probably the worst out of all the major browsers: slow to respond to threats and issue patches, in part because of the whole Patch Tuesday nonsense to pander to lazy control-freak IT workers.

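The "non-overlapping days" figure in the quoted Krebs passage is a union of date intervals, not a sum: two zero-days exploited in the same fortnight count those days once. The following is an added illustration of how that metric is computed, not code from the article, the commenter or Krebs; the exploitation windows in SAMPLE are constructed for the example and do not describe any real vulnerability.

```python
"""Count distinct calendar days on which at least one zero-day was under
active exploitation, given one (first_seen, patched) window per bug.

The windows below are constructed sample data, not real advisories.
"""
from datetime import date, timedelta


def merge_windows(windows):
    """Merge inclusive (start, end) date intervals into disjoint intervals.

    Overlapping or directly adjacent windows are joined so that a day
    covered by two bugs is counted once.
    """
    merged = []
    for start, end in sorted(windows):
        if merged and start <= merged[-1][1] + timedelta(days=1):
            # Overlaps or touches the previous interval: extend it.
            prev_start, prev_end = merged[-1]
            merged[-1] = (prev_start, max(prev_end, end))
        else:
            merged.append((start, end))
    return merged


def exploited_days(windows):
    """Number of distinct days covered by at least one window (the Krebs-style metric)."""
    return sum((end - start).days + 1 for start, end in merge_windows(windows))


def naive_day_sum(windows):
    """Sum of window lengths without merging; overstates exposure when bugs overlap."""
    return sum((end - start).days + 1 for start, end in windows)


# Constructed sample: four hypothetical zero-days for one product.
SAMPLE = [
    (date(2011, 1, 10), date(2011, 1, 20)),  # 11 days
    (date(2011, 1, 15), date(2011, 1, 25)),  # overlaps the first: union is 10-25 Jan
    (date(2011, 3, 1), date(2011, 3, 1)),    # single-day window
    (date(2011, 3, 2), date(2011, 3, 5)),    # adjacent to the previous one
]

if __name__ == "__main__":
    print("merged windows :", merge_windows(SAMPLE))
    print("exploited days :", exploited_days(SAMPLE))   # 21
    print("naive day sum  :", naive_day_sum(SAMPLE))    # 27
```

The gap between `exploited_days` and `naive_day_sum` is why the quoted figure is described as non-overlapping: a raw total of per-bug exposure windows double-counts periods when several bugs were live at once, whereas the merged count answers "on how many days was a user of an up-to-date install exposed to at least one known-exploited bug".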

Re: Surface Pro

I'd have been more impressed if someone used an IE exploit to pwn and jailbreak a WinRT Surface tablet.


Re: Surface Pro

And? They've still managed a zero-day in only those few months. It's still cherry-picking the figures that suit. I think OpenBSD still has the best record but I don't think you'll find anyone on the security team there thinking they have a truly bullet-proof system.


Re: Surface Pro

'Ummm, he did say "lowest vulnerability counts versus time".'

The problem with that statement is that it relies on the assumption of a linear scale. On the release-to-manufacturing date, let's be naive and assume there are 0 known vulnerabilities in the product. If you rely on that statistic of 0 vulnerabilities over one day, it is therefore the lowest vulnerability count over time.

The problem is that growth in vulnerability discovery is nowhere remotely near linear, and you need a much larger sample size. Even a full year on the market is too small a sample size to judge vulnerabilities in systems. For example, take a look at Mac OS X. It has historically been promoted as being malware-free, but that's since been thoroughly disproved after several years, even if most (though not all) vulnerabilities have arisen from third-party software.


Shot yourself in the foot.

"It is worth noting that Windows 8 has one of the lowest vulnerability counts versus time of any current OS, as does IE 10"

If you read the article (*if*), then you would know that Windows 8 is lower than Chrome OS, so you should have left this comment in your head. Then again, with fuzzy statements like "one of the lowest" and "versus time", maybe Microsoft is written on your paycheck.

Not to sound like a dick, but with Windows 8's user base, I think Windows 8 will go for very long periods without exploits, largely because it is going to take very long periods of time for people to switch to it.

Anonymous Coward

Re: Surface Pro

That's just rubbish. Mac OS X has over 1700 known vulnerabilities, mostly nothing to do with third-party software. That's over 3 times as many as Windows XP!

A new operating system will obviously have more undiscovered vulnerabilities than a mature one, so you are likely to get more patches in the first few months, not fewer. I would also say a year is a very reasonable period to be able to make a first assessment of an operating system's security vulnerability statistics...

Anonymous Coward

Re: You should judge based on active attacks

Interesting reading "in 2011 Google’s Chrome had an all time high of 275 new vulnerabilities reported, the current peak of an upward trend since its day of release. Mozilla Firefox, while currently trending down from its 2009 high, still had a reported 97 vulnerabilities. Microsoft’s Internet Explorer has been trending gradually down for the past five years and 2011 saw only 45 new vulnerabilities, less than any other browser"


Just as I expected.

My little Chromebook is the only machine on Earth that is perfectly safe from attack.

Tux - because my attack-proof Chromebook has a Gentoo underbelly.


Re: Just as I expected.

That could well be due to not being able to do much of note on a Chromebook, unlike a full-flavoured penguin.

<= He may look cute, but turn away and he will eat you Uncle Fester.

Anonymous Coward

Re: Just as I expected.

No proof of vulnerability does not equal proof of no vulnerability.

I suspect no one hacked it primarily as no one uses it...besides - it doesn't do much either, so for that reason has a particularly small attack surface...


Re: Just as I expected.

Google is very good at keeping all the information they accumulate about you for themselves. Google remains the world's largest purveyor of spyware in all their apps and services.


Wrong place

Why is the hacking contest held in affluent Vancouver? They'd surely get far more hacks if they offered a half-million dollars in prize money in China or Russia. These two countries are also the source of much of the world's most advanced hacking, so they'd be drawing on a knowledge pool that is both wide and deep.


Re: Wrong place

Why not hold it in Vancouver? And it's simply naive to think that hackers are only in Russia and China. There are plenty all over, including Israel and the US, or doesn't the name Stuxnet mean anything to you?


Safari

So can we assume that Safari is 100% fine as it's not mentioned in the article?


Prize funding?

HP paid 480k of the 1/2 mill?

You'd think Google, Adobe, Mozilla, and Oracle would be able to come up with more than $20k between them if they were serious about security


Re: Prize funding?

Sadly despite the obvious need for this sort of security proofing, none of them are really interested in it. The one good thing about all the problems MS has had, is that it has roused some sense that they do have to address security. Granted they do still put too much of the effort into PR and not enough into engineering.


Re: Prize funding?

HP wanted the bragging rights and MS prefers to pay shills to write on forums that everything is hunky-dory. I think Google has an open policy for Chrome bugs and, of course, has just closed the competition for Chrome OS which had a measly $3 million as prize money.


Re: Prize funding?

[Mark 63]

"HP paid 480k of the 1/2 mill?

You'd think Google, Adobe, Mozilla, and Oracle would be able to come up with more than $20k between them if they were serious about security"

..and Microsoft ?

"Posted Friday 8th March 2013 12:50 GMT Tom 13

Re: Prize funding?

Sadly despite the obvious need for this sort of security proofing, none of them are really interested in it."

Why do you say that ? Certainly as far as Google is concerned, they have been paying for exploits for a while now and the Pwnium contest had quite a fund on it to encourage breaking it....


Windows 8 vs VXs

"Pretty much all OSs are hackable. It is worth noting that Windows 8 has one of the lowest vulnerability counts versus time of any current OS, as does IE 10 - much lower than Chrome or Firefox for instance."

Even the bad guys despise Windows 8 :-)


So what you're saying is, so few people have bothered buying Chromebooks that no-one had one to practice on?

Anonymous Coward

Yes. I think they probably are the only OS platform to have sold fewer systems than Windows RT!


Forgot this was happening in Vancouver around now, or I'd have gone along. Oh well, next year.


Safari not even worth trying?

Interesting to see nobody even bothered to attempt cracking Safari, why not?

Isn't 65k of Apple's money enough?

Paris because folks eventually won't bother cracking on to her either.....
