Is no browser safe? Security bods poke holes in Chrome, Safari, IE, Firefox and earn $1m

The Pwn2Own and Pwnium hacking contests at the annual CanSecWest conference in Vancouver have earned security researchers over a million dollars in prizes, exposed 34 serious zero-day flaws in popular code, and earned over $82,000 for the Canadian Red Cross. In each of the Pwn2Own and Pwnium competitions, contestants are …

COMMENTS



This sounds like an outstanding way to fix stuff, and close loopholes the NSA and associates would like to keep open. Given it has touched many OSes and products, the cost seems minimal. Kudos to the in-house staff for doing their part to build better product. With any finite staff there are limits to what they can test and correct. The bounty process is wonderful.


@Paul McClure

Not sure why you got a downvote. Maybe for mentioning the NSA which is at best only peripherally related to the topic? I'm not as enthusiastic as you about bounties but I think they have their place. Have an upvote just for the heck of it.


Thanks for the concern. Not really concerned about popularity, or instigating anything. Just using the forum to voice an opinion, obviously one of many.

Security relates to administrators, vendors, crooks, and spooks as well as the public using the web for their interests. Better security is helped by better, more robust software and hardware, as well as better design. Design is a standards thing, as changes come with a price tag. Better product is better product. Crooks get plenty of attention and are regularly hunted, and periodically shut down. Spooks could use more attention than previously; maybe the Snowden spotlight is a bit much, but ignoring them is not a good thing. Ideally those charged with oversight would step up to the task. Maybe this happens in the UK.

Silver badge

re. "Maybe this happens in the UK."

No. A senior government minister asks the head of GCHQ (or similar), "Have you been breaking the law?" He answers, "No, of course not." This is then converted into officialese and stated by the minister in parliament. It's a much better system than in the USA because there's not as much fuss and shouting. We hate fuss and shouting.


Indeed

But misses out on three key thoughts:

1) This software had holes in it, and this has just been demonstrated. It doesn't indicate that this is the first time the hole has been exploited.

2) These people got paid for finding *a* zero-day. Finding these flaws doesn't indicate that all the holes have been found.

3) Bounties have been paid out for finding these, but the worth of these defects is potentially many, many times more on the open market - so why claim the reward?

Vupen (and their ilk) base their livelihoods on selling on these exploits privately. The benefit reaped by these contestants in winning isn't the prize, but a seat in the premier league of exploit resellers (and I accept this is assuming they're all the money-grabbing gits I'd be if I was in their position).

Gold badge

@goldcd

Whitehat

Greyhat

Blackhat

There are differences

Anonymous Coward

He got a downvote because VUPEN are one of the prime sellers of exploits to the NSA, yet here they are getting back-pats (indirectly).

So not only have VUPEN profited from selling exploits to the NSA/governments, but now we have the hacker convention rewarding them for marketing those exploits and then disclosing them.

Silver badge

Re: re. "Maybe this happens in the UK."

That's a ridiculous statement; a good chap would never dream of asking another good chap such an impertinent question. You have to trust a chap.

It's like asking an MI5 candidate if they are actually a KGB agent - it's just rude really.

Silver badge

Re: @goldcd

Do you think the limited range of colours for head attire is what limits the number of women in technology?

Bronze badge

Re: Whitehat Greyhat Blackhat

You forgot Arsehat.

Bronze badge

Re: @goldcd

> Whitehat
> Greyhat
> Blackhat
> There are differences

Or in somewhat more precise terminology, there are intangible benefits to exchanging information regarding IT security, and different parties will assign different values to those intangibles, and so in many cases the behavior with the greatest incentives for a given researcher is to give the information to some party other than the one that provides the greatest financial component to their incentive.

There is a thing. It is called behavioral economics. It explains that people do not always make the choice that nets them the most filthy lucre.

Bronze badge

Re: @goldcd

> Do you think the limited range of colours for head attire is what limits the number of women in technology?

Limited?!! It's, like, 8-bit grayscale! That was good enough for us in the '80s and it should be damned well good enough for anyone.

Well, except maybe for Jenny Joseph.

Anonymous Coward

The only approach is multiple secure layers with full backup scheme and redundancy where possible.

Never depend on any one ultra secure thing, because they'll either crack it or just go around it. The Germans learned that with Enigma.

Anonymous Coward

> The Germans learned that with Enigma.

Not very well, it seems, since they still seem to have rubbish communications security.

Anonymous Coward

Makes me wonder what happens when you have constraints that keep your ideal model from being usable. Perhaps the security is too resource-intensive or there's not enough memory.

It's a real-world issue. What happens when you need security but the resources needed for that security are too limited?

Silver badge

Maybe

A slightly more sophisticated approach is to have state-of-the-art (but still inadequate) electronic security - and just be careful what you communicate through those electronic channels. A clever player could seriously mislead eavesdroppers, who are so busy hugging themselves with glee at their superior technology that they don't think to question whether they are deliberately being fed misleading information.

Just saying.

Anonymous Coward

Practicality

> Makes me wonder what happens when you have constraints that keep your ideal model from being usable.

Exactly: security says, disable cross mounted file systems, remote logins, just about all practicable file transfers, USB ports and internet access.

Now, with even a few such restrictions, just how does one conduct any business involving more than one computer in the infrastructure, or that requires customer access for ordering, information, etc.? How do your employees send each other data, other than by printing it out (security could forbid that too)? Developers, researchers, marketing and recruiters may want internet access to get documentation, software updates and market information, and to exchange information.

It's a question of balance: you can make your house secure by surrounding it with lights, barbed wire, sensors, removing all trees and shrubs, closing the streets around it, steel shutters …. Not much fun to live there though. But safe.



Silver badge

Re: Practicality

> Not much fun to live there though. But safe.

I don't know - I think it would be entertaining to have a moat and drawbridge.

People trying to get me to change gas supplier - meet boiling oil.

Silver badge

re: The Germans learned that with Enigma.

Every side in WWII broke at least some of the codes of their opposition - while assuming that all their own codes were perfectly safe.


Yes, but now that it isn't homegrown anymore it's not our fault! :)

Bronze badge

Re: Practicality

> Exactly: security says, disable cross mounted file systems, remote logins, just about all practicable file transfers, USB ports and internet access.

Only to people who have no idea what "security" means.

Outside a threat model and risk assessment, "security" is at best no more than a vague concept. Specific restrictions ("disable cross mounted file systems") are pointless without that framework.

> It's a question of balance

There's no need for that sort of handwaving vacillation. It's possible - indeed not particularly difficult - to be formally precise (to the precision of your risk probabilities) in evaluating every aspect of securing a system. Pretending there's some Snowian two-cultures divide between "the secure" and "the free" is just obscurantism, and it plays into the hands of both attackers and the police state by positing a dichotomy that does not exist.

Roo
Silver badge

Core Wars, 2014 style. :)

"Gorenc said staff at Google found six zero-day vulnerabilities in Microsoft code, as well as a kernel issue in Apple's iOS."

Love how Google scored some hits there, hopefully MS & Apple will retaliate and the customer will win with better quality software. :)

Anonymous Coward

Haha, people used to poke fun at Safari and IE.

But all software has holes since every software has mistakes, bugs or sloppy code.

Silver badge

No mention of Linux

??? (no good) needs a letter. Have some.


Re: No mention of Linux

Maybe because it is a sponsored event that was for bugs in browsers. So if no one is going to pay for a bug, why submit it?

JDX
Gold badge

Re: No mention of Linux

Would bugs found in ChromeOS be potentially reproducible on other Linux setups? How much of ChromeOS IS Linux?

Silver badge

This begs the question...

Will these flaws actually get fixed?

This is the more pressing issue.


Re: This begs the question...

Well, it would be an incredible waste of time and money if not!


Re: This begs the question...

They usually do.

I'm wondering what'll happen to other 'sploits that weren't revealed by the contenders.

Plus, what's up with Charlie Miller? He's usually a hit at these things...

Anonymous Coward

Re: This begs the question...

>Plus, what's up with Charlie Miller? He's usually a hit at these things...

Probably keeping a low profile as an ex-NSA bod... can't be much fun for him at such events. Even if he didn't know about Prism etc., I suspect he'd get his ears bent.

Silver badge

We need something more simple than webbrowsers

Modern web browsers are extremely complex. Not only do they contain support for multiple image and video files, but also complex layout languages and plugins.

Maybe it might make sense to have a much simpler way to display web pages, combined with a simple way to do "web applications". It would need to be so simple you could implement it in a day.

Silver badge

Re: We need something more simple than webbrowsers

That ain't going to happen now that world+dog expect to run javascript/HTML5/etc to display "hello world". The modern web browser is more like an OS than a text rendering application, and so much of the web now depends on that to work. Yes, I know it's dumb, but no, I don't see it changing.

Probably the best we can hope for is sandboxing becoming robust enough to stop break-outs, and maybe aggressive enough to just kill browsers when something dodgy happens.

But there are problems in terms of actually using that - for example, you might use Linux's apparmor to limit file access so a browser can't write to sensitive places, nor snaffle your files for uploading to spooks/criminals, but most users will simply howl when they find the browser dies on trying to navigate to, say, their collection of cat photos for uploading to Facebook, etc. Sadly, so far usability always triumphs over security.

Anonymous Coward

Re: We need something more simple than webbrowsers

Yes to this.

And it needs to have secure channels and distributed trust built in so subverting it wouldn't be so easy. What about starting from something pre-existing and well known like Dalvik?

Silver badge

Re: We need something more simple than webbrowsers

"The modern web browser is more like an OS than a text rendering application, and so much of the web now depends on that to work. Yes, I know it's dumb, but no, I don't see it changing."

It is very dumb indeed. Anyone thinking that a browser as an OS is going to be any more secure than a traditional OS is deluded. In fact it's almost certainly worse.

The traditional OSes have been put through the mill and a lot of problems have been fixed. Whereas a brand new execution ecosystem (which we call a web browser) has got all of its day-one bugs still extant, and they keep adding more features (and more bugs) all the time.

"Probably the best we can hope for is sandboxing becoming robust enough to stop break-outs, and maybe aggressive enough to just kill browsers when something dodgy happens."

Sandboxing is in itself a useful way of guarding the OS underneath the browser, and I'd rather have it than not. I agree - I think it is indeed the best we can hope for. Alas, if the browser is acting more like an OS within an OS, then the sandbox isn't adequate. What's to stop some nasty code running riot inside the browser stealing / deleting data stored within the browser? The browser would need adequate protections within itself, as well as the sandbox barrier outside.

There's already proof of concept in-browser viruses floating around (El Reg passim), but there's nothing you can do outside the browser to prevent them causing harm inside it. So what's it to be? A special McAfee webpage that's always running inside your browser checking up on other web pages to make sure they're not doing anything nefarious? Sounds less efficient than an ordinary OS + apps + AV to me.

So far as I can tell HTML5 is making a similar mistake to Android. HTML5 is designed to keep different web apps separate, and no web app can influence another. At least, that's the intention. It doesn't work out that way though, because the HTML5 implementation is not perfect. It does make it very difficult to add a third party package (an AV product, a 'McAfee' web page) to protect the whole browser and the apps and data it's storing. So we're totally dependent on the browser writers immediately fixing bugs, etc. Bit like AV in Android can detect nasties, but can't actually do anything about them because the OS won't let it.

Silver badge

Run them in a chroot jail

If you ran the web browser within a chroot/FreeBSD jail it could surely do what the hell it liked and not hurt anyone.

Silver badge

Re: We need something more simple than webbrowsers

"That ain't going to happen now that world+dog expect to run javascript/HTML5/etc to display "hello world". The modern web browser is more like an OS than a text rendering application, and so much of the web now depends on that to work. Yes, I know it's dumb, but no, I don't see it changing."

Yes, but I'm not necessarily talking about "changing the web", but about providing a much more secure and restricted alternative. I mean we (normal people) are not using webmail since it's far too insecure; we use special protocols like IMAPS. We use ssh, which even uses key pinning. Both protocols however are inconvenient for GUI tasks over high latency connections. (Though there is an alternative to ssh called mosh which can do predictive echoes and stuff.)

Imagine we had some trivial "GUI over IP" protocol which simply uses a GUI toolkit on one side and transmits events. It could run over a severely cut down version of Websocket, and you could even write a client for it which runs in browsers.

With a client in HTML5 you could have a migration strategy to native clients.

Anonymous Coward

Re: Run them in a chroot jail

FreeBSD/Solaris jails are a good idea, but chroots are trivial to break out of.

Vic
Silver badge

Re: We need something more simple than webbrowsers

> I mean we (normal people) are not using webmail since it's far to insecure,

I do...

> Imagine we had some trivial "GUI over IP" protocol

ssh already does X forwarding. Has done for years.

It's very useful - but generally rather slow. Most users will not want to use it.

There are also security issues to consider - do you really want to send all your keystrokes in real-time to a server you don't control?

Vic.

Silver badge

Re: We need something more simple than webbrowsers

Referring back to the recent thread about TBL and how good his original Web was, may I point out that it was at least potentially far more secure (or securable) than the mess we have nowadays. Dynamic HTML, scripting, etc. was touted as the way to make the Web more like TV (and hence more profitable). Unfortunately, it was a bit like modifying a helicopter to make it more like a submarine - the end product is not something a smart person would climb into under any circumstances.

mtp

Re: Run them in a chroot jail

Maybe trivial if you have full access and known kernel bugs, but from the restricted environment of a subverted browser it is going to be much tougher. A chroot adds a simple extra layer of protection for minimal cost. To break out requires low level access and a known kernel bug, but the chroot makes exploiting the bug harder.

Silver badge

Re: Run them in a chroot jail

I think last time I checked, you could simply chroot out of a chroot "jail". I don't think it ever was designed to be a security feature.

Silver badge

Re: We need something more simple than webbrowsers

Except a "browser as an OS" has less local state.

My chromebook could be hacked - although the attack surface is probably less than Windows - but I can do a full restart and lose any locally stored data.

So I would have to visit the attacking site immediately before doing my online banking.

Silver badge

Re: Run them in a chroot jail

> I think last time I checked, you could simply chroot out of a chroot "jail". I don't think it ever was designed to be a security feature.

So what do you think it was designed to be for?

To "break out", you need to be root. This is already a little bit of an impediment:

Breaking chroot()

> It should be noted that this document was written with protecting web servers from rogue CGI scripts in mind. Therefore it is not unreasonable to assume that a user has access to a Perl interpreter. It is then a matter for the user to gain root access via security holes on the box running the web server. Whilst this is outside the topic of the document, an attacker could make use of application programs which are setuid-root and have security holes within them. In a well maintained chroot() area such programs should not exist. However, it should be noted that maintaining a chroot()ed environment is a non-trivial task, for example system patches which fix such security holes will not know about the copies of the programs within the chroot()ed area. Ensuring that there are no setuid-root executables within the padded cell is going to be a must.

Well, today we have Virtual Machines.

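The quoted "Breaking chroot()" text ends with the one check a maintained jail needs: no setuid-root executables inside it. The following is an added example, not code from the thread or from the quoted document: a small Python auditor that walks a jail directory and reports regular files carrying the setuid or setgid bit and owned by root (or by whatever uid/gid you pass). The sample jail it builds under a temporary directory is a constructed fixture owned by the current user, so the demo audits it with the current uid rather than root.

```python
import os
import stat
import tempfile


def privileged_bits(st_mode, st_uid, st_gid, owner_uid=0, owner_gid=0):
    """Classify one inode.  Returns the dangerous bits it carries:
    'setuid' if it is setuid and owned by owner_uid (root by default),
    'setgid' if it is setgid and group-owned by owner_gid."""
    found = []
    if not stat.S_ISREG(st_mode):
        return found  # directories, symlinks and devices are not executables
    if st_mode & stat.S_ISUID and st_uid == owner_uid:
        found.append("setuid")
    if st_mode & stat.S_ISGID and st_gid == owner_gid:
        found.append("setgid")
    return found


def audit_chroot(root, owner_uid=0, owner_gid=0):
    """Walk the jail without following symlinks (a link pointing outside the
    jail must not drag the auditor out of it) and return
    {path relative to root: [bits]} for every flagged file."""
    hits = {}
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: judge the link itself, not its target
            except OSError:
                continue  # vanished or unreadable; nothing to classify
            bits = privileged_bits(st.st_mode, st.st_uid, st.st_gid,
                                   owner_uid, owner_gid)
            if bits:
                hits[os.path.relpath(path, root)] = bits
    return hits


def build_sample_jail():
    """Constructed fixture for the demo: a throwaway tree holding one harmless
    binary and one setuid copy.  The files belong to the current user, so
    audit them with owner_uid=os.getuid() rather than root."""
    jail = tempfile.mkdtemp(prefix="jail-")
    os.makedirs(os.path.join(jail, "bin"))
    harmless = os.path.join(jail, "bin", "ls")
    risky = os.path.join(jail, "bin", "su")
    for path, mode in ((harmless, 0o755), (risky, 0o4755)):
        with open(path, "w"):
            pass
        os.chmod(path, mode)
    return {"root": jail, "uid": os.getuid(), "gid": os.getgid(),
            # some filesystems silently drop the setuid bit; report whether it stuck
            "setuid_kept": bool(os.stat(risky).st_mode & stat.S_ISUID)}


if __name__ == "__main__":
    fx = build_sample_jail()
    report = audit_chroot(fx["root"], owner_uid=fx["uid"], owner_gid=fx["gid"])
    for rel, bits in sorted(report.items()):
        print(f"{rel}: {', '.join(bits)}")  # expect: bin/su: setuid
```

Run it against a real jail with `audit_chroot("/path/to/jail")` as root; an empty result is what the quoted document asks for, and anything listed is a binary that should be stripped of its bit or removed.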
Bronze badge

Re: We need something more simple than webbrowsers

> Maybe it might make sense to have a much simpler way to display web pages, combined with a simple way to do "web applications". It would need to be so simple you could implement it in a day.

Telnet. If you want more functionality pushed to the client side, TN3270 (or any of the other smart-terminal Telnet variations).

OK, "implement in a day" is pushing it (oh, you gloriously-overengineered Telnet negotiation protocol, you!). But a week should suffice.

"A simpler way to display web pages" won't do much for web security, though. Take a look at the OWASP Top Ten. Several are primarily or exclusively on the server (including some, such as A2, that are mitigated by using advanced client-side capabilities). The others mostly do not rely on advanced client capabilities, except for CSRF - and it's very hard to see how non-trivial "web applications" could be constructed without opening the door to CSRF attacks.

Bronze badge

Re: Run them in a chroot jail

> If you ran the web browser within a chroot/FreeBSD jail it could surely do what the hell it liked and not hurt anyone.

Gah. Look at the OWASP Top Ten. How many of those would be affected by sandboxing?

Most browser-based exploits affect server-side resources and attack protocol flaws. Sandboxing has no effect on them. A sandboxed browser will be just as vulnerable to XSS, CSRF, etc.

Bronze badge

Re: We need something more simple than webbrowsers

> Imagine we had some trivial "GUI over IP" protocol which simply uses a GUI toolkit on one side and transmits events.

X11. NeWS. Display PostScript. VNC. Windows RDP.

Now if only someone had created, say, some sort of private network that could be established virtually over IP. Or even added a secure-channel mechanism to a newer version of IP. Then by gosh we'd have something!

(Have you seen my latest invention, the "wheel"? Still having some trouble with the corner cases.)

Silver badge

"Only Java held up to the time-limited attacks"

Say what you want, but kudos to Oracle, who actually fix bugs rather than just pretend to, not mentioning any names, Adobe.

Vic
Silver badge

Re: "Only Java held up to the time-limited attacks"

> not mentioning any names Adobe

"Better than Adobe" is very much damning with faint praise...

Vic.

Silver badge

Why

aren't the hackers being employed to write the software?

