Firefox, Chrome, IE, Safari EXPLOITED to OWN Mac, PCs at Pwn2Own 2015

Security vulns in every one of the big four web browsers were exploited at the Pwn2Own hacking contest on Friday to remotely execute arbitrary code on Windows PCs. Firefox, Safari, Chrome and Internet Explorer all fell to the skills of the competition entrants, some in less than a second. All the vulnerabilities exploited …

  1. Blitterbug
    Thumb Up

    Dare I say it...

    Lordy, will I get DVd for this... but I hope this will at least open some people's eyes to the very real possibility of remote Mac pwnage that doesn't involve stupid user error.

    I say this in the spirit of concerned citizenry rather than as a 'nyer nyer' at OSX, I might add.

    For the record, I am a Windows user and I acknowledge that most of the reported pwnage occurred, as usual, on Windows.

    1. Ole Juul

      Re: Dare I say it...

      I say this in the spirit of concerned citizenry rather than as a 'nyer nyer' at OSX, I might add.

      I'm a confirmed FreeBSD user, but I don't go 'nyer nyer' either. Yes, my machines are tighter than most, but the minute I get smug is likely the minute I get pwned. One can be safer, but one can't be safe.

      1. 404
        Coat

        Re: Dare I say it...

        I always thought it was 'neener neener'...

        ... the Carhartt with a RasPi in the pocket....

    2. Anonymous Coward

      Re: Dare I say it...

      Lordy, will I get DVd for this... but I hope this will at least open some people's eyes to the very real possibility of remote Mac pwnage that doesn't involve stupid user error.

      I say this in the spirit of concerned citizenry rather than as a 'nyer nyer' at OSX, I might add.

      Ah, comprehensive reading. My son needed help with that too at some point - but he was 6 at the time. Let's revisit the very first line of the article:

      Security vulnerabilities in every one of the big four web browsers were exploited at the Pwn2Own hacking contest on Friday to remotely execute arbitrary code on Windows PCs.

      Now, I personally wonder why anyone would bother installing Safari on Windows, but there was AFAIK no OSX in sight.

      I personally would have loved a wider focus - I would love to see that contest also done for OSX and Linux because they DO have vulnerabilities too. Just going for the low hanging fruit strikes me as a somewhat limited approach to the issue.

      1. dmacleo

        Re: Dare I say it...

        For his finale, Lee nailed Apple's Safari with a use-after-free (UAF) vulnerability involving an uninitialized stack pointer, and bypassed the sandbox to perform remote code execution on an OS X Mac

        It was on OS X.

      2. PrivateCitizen

        Re: Dare I say it...

        Ah, comprehensive reading. My son needed help with that too at some point - but he was 6 at the time.

        This would have been hilarious and cutting if you had actually read the article properly first.

        Let's revisit the very first line of the article:

        Well done for getting that far, but how about we revisit the third from last paragraph and show some real comprehensive reading:

        For his finale, Lee nailed Apple's Safari with a use-after-free (UAF) vulnerability involving an uninitialized stack pointer, and bypassed the sandbox to perform remote code execution on an OS X Mac.

        That kind of implies a Mac was pwn'd, don't you think? (and no, I still didn't downvote anyone on this thread)

        1. Robert Helpmann??
          Childcatcher

          Re: Dare I say it...

          That and the fact Apple stopped putting out Safari for Windows some time ago. I don't get the bit about browser manufacturers and customers being less pleased. As a user, I am pleased that browsers are being evaluated and improved rather than the obvious alternatives. I can't speak for the folks who write the browsers, but I would hope they manage to bounce back from the trauma. I can't imagine anyone thought the browsers were bulletproof.

      3. Blitterbug
        Facepalm

        Re: Ah, comprehensive reading. My son needed help with that too at some point ...

        Wow, AC - and I actually took the time and care to avoid sounding snarky. Ah well... Would have been more of a zinger, though, if you had actually read the article, don't you think?

      4. Tom 13
        FAIL

        Re: Dare I say it...

        And therein is the folly of reading the headline instead of the article.

    3. User McUser

      Re: Dare I say it...

      [...] bypassed the sandbox to perform remote code execution on an OS X Mac.

      At what privilege level? I ask because the description of all the other exploits includes this info.

    4. Anonymous Coward

      Re: Dare I say it...

      I see Chrome has now passed over 1,000 known holes: http://www.cvedetails.com/product/15031/Google-Chrome.html?vendor_id=1224

      Twice as many as all versions of IE. Ouch.

      1. Michael Wojcik Silver badge

        Re: Dare I say it...

        Twice as many as all versions of IE.

        A meaningless statistic, since reporting isn't standardized.

        I'm no fan of Chrome - I only ever use it to compare against other browsers when investigating a rendering issue - but your comment is pointless.

        1. Anonymous Coward

          Re: Dare I say it...

          "since reporting isn't standardized."

          Looks pretty standardised to me on that web site....

  2. Anonymous Coward
    Alert

    And...

    ...this is the _good_ guys. God knows what the real black hats suss out each day.

  3. gubbool

    false security

    That Apple takes fewer hits in these contests gives a false sense of security. These good-bad guys, like any hungry hunter, simply hunt 1) the easier game; 2) in a land with which they are familiar; 3) with tools they have; 4) with ambition to garner the most meat per kill.

    1. Destroy All Monsters Silver badge

      Re: false security

      WOOLY WINDOWS MAMMOTH: It's got more meat in it!

  4. Mike Bell

    "vulnerability involving an uninitialized stack pointer"

    That's quite a feat. By that, I mean creating such a bug in the first place. I'm not sure how I'd go about doing that in any of my code, even if I wanted to.

    1. silent_count

      // I've seen this one done in production code. :(

      // Assumed type definitions so this compiles (not in the original snippet).
      typedef struct { int someMember; } SmallStruct;
      typedef struct { int someMember; } BigStruct;

      void someFunc(SmallStruct smallStruct)
      {
          BigStruct *pBigStruct;   // never initialized: holds whatever was left on the stack

          // doesn't need to be allocated
          // cause it was passed on the stack (right?)
          pBigStruct->someMember = smallStruct.someMember;   // write through a garbage pointer

          // ...do stuff with pBigStruct
      }
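A hardened form of that pattern, as an added example (not the commenter's code): the caller owns the BigStruct and passes it in explicitly, and the function rejects null pointers and zero-initializes before use, so a forgotten allocation becomes a reported error instead of a write through a garbage pointer. The struct layouts and the function names are assumed.

```c
#include <stddef.h>
#include <string.h>

/* Assumed layouts for the types named in the comment above. */
typedef struct { int someMember; } SmallStruct;
typedef struct { int someMember; char scratch[64]; } BigStruct;

/* Hardened replacement for someFunc(): storage for the BigStruct is the
 * caller's responsibility and arrives as an explicit parameter, so there is
 * no local pointer that can be left uninitialized. A NULL argument is a
 * reported error (return -1) rather than a write through garbage. */
int someFuncSafe(BigStruct *pBigStruct, const SmallStruct *pSmallStruct)
{
    if (pBigStruct == NULL || pSmallStruct == NULL)
        return -1;

    memset(pBigStruct, 0, sizeof *pBigStruct);   /* no uninitialized fields either */
    pBigStruct->someMember = pSmallStruct->someMember;

    /* ...do stuff with pBigStruct */
    return 0;
}

/* Caller pattern: the BigStruct lives in the caller's frame, and every local
 * pointer is initialized at its declaration, so a path that forgets to assign
 * one fails deterministically (NULL -> -1) instead of "working" whenever the
 * stack slot happens to hold a stale but valid address. Returns the copied
 * member on success, a negative code on failure. */
int copyThroughSafe(int value)
{
    SmallStruct small = { value };
    BigStruct   big;                 /* real storage, owned by this frame */
    BigStruct  *pBig = &big;         /* initialized at declaration */
    BigStruct  *pForgotten = NULL;   /* what a forgotten assignment should look like */

    if (someFuncSafe(pForgotten, &small) != -1)
        return -2;                   /* the NULL check must reject this */
    if (someFuncSafe(pBig, &small) != 0)
        return -3;
    return big.someMember;
}
```

With -Wall both gcc and clang warn that the original's pBigStruct is used before it is assigned, and clang's MemorySanitizer (-fsanitize=memory) reports the read at run time; this version compiles cleanly under both.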

    2. Dan 55 Silver badge

      Making a function call from a pointer and not passing the parameters to the function call correctly?

      By the time you're doing things like that it's probably time to nuke the code from orbit just to be safe and start again.

    3. Michael Wojcik Silver badge

      "uninitialized stack pointer"

      We'll know for sure when the vulnerability is published, but I suspect this was intended to mean "an uninitialized pointer on the stack".

      I'm not sure how I'd go about doing that in any of my code, even if I wanted to.

      If you want to actually set the stack pointer (assuming you're executing in an environment that has such a thing) to an invalid value, there are generally a few ways you can go about it. Thread implementations typically keep a stack per thread (there are other ways to do it, but they're less efficient), so whacking internal threading data structures can do the job. Exception-handling mechanisms may be coerced into it. In C, muck around with the internals of a jmp_buf and longjmp with it. That last even gives you a way to set it to an "uninitialized value", in some implementations.

  5. Joe Drunk

    Doesn't matter what browser/OS/platform, all are and will ever be vulnerable

    when you have REAL l337 hax0rz like lokihardt or ilxu1a who are experts at penetrating the chinks in your adamantite security.

    1. Anonymous Coward
      WTF?

      Re: Doesn't matter what browser/OS/platform, all are and will ever be vulnerable

      I'm sorry, can someone translate that for me?

      1. Anonymous Coward

        Re: Doesn't matter what browser/OS/platform, all are and will ever be vulnerable

        leetspeek i5 v41id 4 4rt1c13 0n h4xx0r1ng old man!

  6. Anonymous Coward

    Why doesn't someone actually ask hackers to design a secure(er) CPU, OS and programming language from the ground up?

    I suppose the NSA wouldn't like it.

    1. Destroy All Monsters Silver badge

      "Hackers" don't design (except the ones of the old school and even then their designs generally sucked raw eggs security-wise).

      Meanwhile

      1) Propose something like Mercury

      2) ????

      3) 10'000 retards will demand "C"

      1. Sarah Balfour

        I've tried Mercury…

        …only on iOS, I'll grant you, but it irritates; the small tab limit is frustrating (only around 20, if memory serves), and the dev's complete inability to offer any kind of support (I recall having an issue with bookmarked pages refusing to remain bookmarked, sent an email never heard back). Got sick of it crashing every 5ns too. Deleted it about a week after I bought it (£3, as I recall). Hasn't been updated in months, either.

        Quite honestly, I really don't think the developer gives a shit. Tried Photon, which looked promising, but it's completely unintuitive, and I can't for the life of me figure out bookmarking. It also has this irritating habit of refreshing the page if you switch apps for longer than 5 mins, meaning you have to continually scroll back to where you were, not good for those of us with CTS. It's also one of those offering pseudo-Flash, so I'm slightly concerned about security (hey, if Android can get pwned…). That cost £3, too; I did get a response when I emailed the dev re bookmarks, but it was obvious they'd not bothered to actually READ my question, as they simply told me to do exactly what I'd told THEM I couldn't. Gave up.

        Reluctantly back using Chrome (unless anyone has any better suggestions…?)

        1. Michael Wojcik Silver badge

          Re: I've tried Mercury…

          DAM was talking about the programming language, not the browser. See the Wiki page he linked to.

      2. Michael Wojcik Silver badge

        3) 10'000 retards will demand "C"

        Well, it's that or rewrite a lot of existing code. And while I think that's a swell idea in principle, it's economically infeasible.

    2. Anonymous Coward

      Because it's much easier to exploit a single bug than to design and implement a whole, complex system bug free. What those hackers are doing is very valuable, but being able to exploit vulnerabilities requires different skills than designing and implementing sound systems.

      Sure, many of the techniques they use can also be used to spot issues before delivery, but not always, and often it's the "human tool" which is not up to the task, for several reasons.

    3. Michael Wojcik Silver badge

      Why doesn't someone actually ask hackers to design a secure(er) CPU, OS and programming language from the ground up?

      Why doesn't someone ask doctors to design better people from the ground up?

      As others have pointed out, security analysis and secure design are different fields, though related. And practical security analysis - finding and exploiting vulnerabilities - is very different from practical system design and development. "Hackers" is irrelevant here; those are simply different jobs.

      And there's no such thing as a "secure" anything. Forget that concept - it's meaningless. Even "more secure" is only meaningful in context.

      And we already have CPUs, operating systems, and programming languages designed to be more secure than the popular ones against common attack vectors. We have capability CPUs (Intel i432, IBM's i version of POWER). We have Orange Book A-level certified OSes. We have languages like Ada, Erlang, and Haskell.

      For the most part they haven't seen wide use [1] because of cost. CPU security features cost performance. OS security features slow down users, developers, and administrators, and require more highly-skilled, less-common staff. Language security features require less-common programmers, who can charge correspondingly more for their labor. And businesses have a huge investment in existing systems which they are disinclined to simply throw away.

      Even in an era when businesses can suffer large, expensive, embarrassing losses due to security failures - think Target, for example - the economics don't favor switching to equipment with more security features. Target can't afford the capital expenditure to switch to a POS system written in Erlang and running a formally-verified OS. For one thing, they'd have to build it themselves, with staff they trained.

      [1] The IBM AS/500 / i machines are successful, but their numbers are dwarfed by x86, obviously.

  7. This post has been deleted by its author

    1. Novex

      As far as I can tell, Javascript is probably the biggest risk on any browser at the moment (not the browser itself, which will still have flaws of course regardless of which one a person uses), due to it being allowed too much freedom (if any at all). But because JS allows a number of fancy things to be done outside of web standards, it will probably never go away completely.

      1. phil dude
        Linux

        security box?

        @80s_coder: My whacky JS code does gene predictions and other molecule/protein calculations - as you can spit out JS data to HTML5 very easily.

        I *never* expect my code to be used in a security environment, I would hope it was locally tethered.

        In that case, surely a proper "sandbox" so that EVERY piece of javascript is isolated from harming the system? I can imagine how this would work in Linux, but not sure if Microsoft has the technology.

        And this is a shout out to Mozilla - get the per-process tabs default working as a first security order of business. Tabs that can crash the browser are security holes waiting to be exploited. Then a good *hard* look at plugins...

        P.

    2. Cameron Colley

      There are no decently secure browsers out there because most users want shiny new features and not security. I know it's a slightly different issue but notice how many people moved to Google Chrome because it was shiny and new and didn't give two hoots about the fact that Google were collecting all their browsing data?

      Of course there are a minority of users who do want a more secure browser, but finding the resources for such a project would be a tough job.

    3. Bump in the night
      Coat

      Real soon now

      Yes, that solution is on the horizon. Real Soon Now software will be out that is built with Security From The Ground Up (SFTG). Plus at the same time the last bug will be found by paying for guys to find the Final Bug (FB).

      In this not too distant future it will simply mean checking the box that asks the user if s/he desires Secure or Unsecure. This will also mean an end to the truckloads of security upgrades and there will no longer be a need for so many programmers. Oh wait a tick, I think I see a problem here . . .

    4. Christian Berger

      "Seriously, when is a project going to be formed to write a new browser and rendering engine from the ground up with security in mind?"

      We have gone past that point. The problem browsers need to solve is far too complex to re-implement them with a reasonable amount of effort. Plus even keeping up with web standards now takes a fairly large development team.

      What we would need now is to define 2 successor standards to our web. One for static pages, and another one for "web applications". The latter one could, for example, be some sort of "remote framebuffer" standard.

    5. Ken Hagan Gold badge

      "Seriously, when is a project going to be formed to write a new browser and rendering engine from the ground up with security in mind?"

      Microsoft are working on Spartan even as we speak. Naturally, they claim that it is completely fresh, just like Vista, 7, 8, etc... were completely re-written, and therefore have none of the security problems of their predecessors. We'll see.

      Sadly, at least part of the problem is probably that a browser has to implement existing web standards and few of them were designed with security in mind. As far as I know, they don't explicitly require insecurity, but neither are they explicitly designed to be provably secure. I think the last time someone tried to design such a thing was back in the 90s, but client-side Java never caught on.

    6. Tom 13

      I'm not sure it's possible any more.

      For all the fuzzers and good coding practices help, to build a secure anything one person has to be able to hold the entire design from big picture to little details in their mind. With tens of thousands of lines of code in even the simplest projects, that simply can't happen.

      That being said, most of the yammering I see in these comments is because on these big projects it seems like they aren't even TRYING to use good coding practices and standard security auditing techniques.

  8. illiad

    how about PaleMoon then????

    build a new one, from the ground up??? I don't think there is enough MONEY, time, and ability to do this, bearing in mind it will then be ripped to shreds by the audience...

  9. Tim99 Silver badge
    Joke

    I will be (nearly) secure

    OS platform fan boys, you are not secure.

    I have a computer that I can set up with only the default install of OpenBSD on it and curl.

    Then I can curl the websites I need and download them; then transfer the files that I created to a computer with a browser. Now, what can I use to do the transfer? Maybe SFTP; copy to floppy; burn to CD; transfer to USB - Oh crap, they are all potentially insecure.

    I suppose I could always write my own compiler and OS and browser...

  10. Elmer Phud

    would that explain

    why Ffox has had two updates in the past two days?

    1. phil dude
      Thumb Up

      Re: would that explain

      Yes, that seems to be correct. 36.0.3 was "in response to PWN to own competition", see here.

      And then 4 hours later there was 36.0.4 and the only difference I could make out was:

      2015-28 Privilege escalation through SVG navigation

      and

      2015-29 Code execution through incorrect JavaScript bounds checking elimination

      Interestingly, the latter was patched before the former...!

      P.
