back to article A grim day for browser security at hacker contest

Internet browser security took a beating during Day 1 of an annual hacking competition, with Apple's Safari, Microsoft's Internet Explorer and Mozilla's Firefox all being felled in a matter of hours. The uncontested champion of the contest was a University of Oldenburg, master's candidate, who managed to fell Safari, IE 8 and …

COMMENTS

This topic is closed for new posts.
  1. Dr. Vesselin Bontchev
    Flame

    Opera

    What, no Opera hacking? I'm disappointed...

  2. James
    Unhappy

    Chrome

    Not to mention chrome? I also dont like the sound of sitting on bugs for 12 months just for the order of a contest... Oh well, these are man made projects

  3. Euan Johnstone
    Flame

    Fiver

    I heard you can get up to five quid for an Opera exploit on the black market.

  4. Anonymous Coward
    Unhappy

    WTF?

    So this guy's been sitting on a bug for nigh on a year in order to get his 15 minutes of fame, rather than doing the decent thing and passing it on to the manufacturer?!

    He clearly thought that he was the only one smart enough to find this vuln, and not disclosing it for such a ridiculously long amount of time would be perfectly safe.

    Technical knowledge, combined with hubris and monumental stupidity. Fantastic mixture.

  5. Rachel Greenham

    If he was sitting on it for a year...

    then perhaps the competition should be run monthly or something. I've got no objection to him getting lots more macbooks if vulnerabilities don't sit around *that* long...

  6. greg
    Happy

    I wonder

    How much did Opera software pay to not get included in that list?

  7. Anonymous Coward
    Paris Hilton

    Opera and Chrome

    Shame they didn't include Opera.

    I can't help but wonder if it's because it's not open source? How many of these clever hackers spend months looking through the source code of webkit and mozilla looking for flaws, before turning up and seemingly finding a hole within hours? IE is closed sources, but it's from the evil beast and the percesption is that it's the worst browser for security right now, so they can hardly leave that out of the test.

    It's not as if Opera doesn't have a few security holes occasionally, but it's surely easier to find them when it's open source.

    And there's no mention of Chrome either, with it's fancy architecture that's supposed to stop problems in one tab affecting the rest of the browser.

    Perhaps they left out the difficult ones?

  8. Anonymous Coward
    Stop

    What no linux?

    Checking the tipping point website shows that no computers using linux are involved.... must be because ubuntu made them cry last time. Before the usual wha, wha, linux is not that popular to be exploited. The via laptop is running Windows 7?!!!!! How many have that. At least microcrud is consistent. You exploites will still be compatible with their new OS.

    Wonder if a deal was done to keep linux out of the picture so that there would be no headlines of linux not being exploitable.

  9. James Robertson
    Stop

    pointless

    I run both Windows and OSX on my PC's so I have no axe to grind, but seriously this is a pointless contest as the "contestants" are using bugs they discovered months or years ago and didn't tell anyone, just so they could show how clever they are, Clever would be telling the OS providers so they could fix the problem before innocent people get hacked, cos these numpties didn't tell anyone about the bug in question.

    Any software is hackable, end of story, and particularly if you can get the operator to install the hack!

  10. NB
    Flame

    @Opera

    Operas market share is so insignificant it's not worth their time bothering to try and hack it.

  11. Patrick O'Reilly

    Opera Too

    I too would like to see how they fared against Opera

  12. Anonymous Coward
    Thumb Down

    Contests a sham

    Back when it was attack the os it was as exciting as wathcing the grass grow with 500,000 attempts and no progress at hacking. They had to make it easy and picked the large surface attack vector of browsers. All browsers will fall as they have the most hostile environment and job parsing good and bad html and ecmascript and all sorts of nasties.

    The contest is now lame and reeks of easy low hanging fruit discoveries that are kept private soley for the chance to score a free computer and money in as little time as possible.

    -1 for the sham the contes has degraded itself to

  13. DR

    dammit

    they never said which one failed first...

    now how are the zelots going to argue abut which is best...

  14. Sam

    Any news..

    on a verified by visa hack?

  15. The Dorset Rambler

    $100K?

    I had no idea.

    Must get out more.

  16. Tom

    Nils also doesn't have to worry about

    the cops coming to throw him in the clink or being pwned by the people to whom he thinks he is selling his exploit. I think that's worth a 95% discount.

  17. Anonymous Coward
    Anonymous Coward

    so they have been sitting on bugs

    waiting for either someone to offer $$ or they can use them in competitions like this, wish I could do that in my job!

  18. Mat

    Same thing...

    Yet Nils, was willing to accept just $5,000 and a new Sony Vaio for his attack.

    Which when added together makes $100,000.

  19. Anonymous Coward
    Coat

    I agree...

    What about opera? i'm sure it's used by enough people to be considered and exploited in the competition, or is it just too damn good muhahaha...

    I'll just get my coat.

  20. Stef

    iPawned

    Safari was hacked in seconds, IE and Firefox took considerably longer.

  21. Tony

    But...

    but...but... surely Macs are completely invulnerable to anything bad. That's what Mac owners keep telling me.

    It couldn't be that they are just as vulnerable but that hackers and virus writers don't bother targetting them due to the fact that there as so few of them in comparrison to PCs. That would just be silly. You'll be saying that I-Pods actually give rubbish sound quality next. Lies. All lies!

  22. Ian McNee
    Linux

    And...

    ...no browsers running on Linux - too tough? Would have been nice to see at least.

  23. Anonymous Coward
    Unhappy

    Am I the only person who read this...

    "The challenge was enough to motivate him to dust off a separate Safari bug he had been sitting on for more than 12 months for this year's competition"

    and thought that this guy was pretty irresponsible for sitting on this for over a year instead of notifying the powers that be?

  24. adnim

    I can only presume

    that whilst trying to develop exploits for these browsers, they donned the mantle of most stupid user ever in addition to that of uber hacker. In other words they used the browsers in the most irresponsible way, clicking on any link rendered by the browser, and obviously links to their own exploit code. Did they also use these browsers without any limits on what 3rd party web extension code (ActiveX, Java, Flash etc.,etc) could do.

    I am not trying to defend insecure coding by any of the developers of these browsers, what I am saying is that security begins and ends with the user. They certainly would have had a harder time exploiting the browser of web wise users who don't automatically trust every link rendered, who do take measures to limit the the ability of third party code to execute and have a healthy paranoia of the web in general.

    "Still, browsers have a lot of problems. It's really a lot of codes that are exposed to the internet."

    Not to mention the underlying OS if one uses a browser that is so tightly integrated with the OS that it is hard to determine where browser ends and OS begins.

    The use of a computer has been dumbed down to the point that having an IQ which barely reaches double figures is sufficient to use one. Now whilst this maybe seen as a good thing, it is also very dangerous. There are child proof lids on medicine bottles for a reason.

    The average computer/web user is far easier to exploit than the underlying technology he/she uses to access the web (with the exception of a certain operating system). I would be impressed if an exploit was developed for any of those browsers exploited that did not require user interaction.

  25. Ralph B
    Pirate

    What? No Opera?

    http://cansecwest.com/ says they have only the following combinations running:

    Vaio - Windows 7

    - IE8

    - Firefox

    - Chrome

    Macintosh

    - Safari

    - Firefox

    Pity. I would have liked to see how my browser of choice, Opera, would have survived. However, I realise that Chrome has twice Opera's market share.

  26. Tim Roberts
    Paris Hilton

    the question is...

    ...which browser has the highest number of exploitable flaws?

    Tim R

    Paris because she has had all her flaws exploited

  27. Adam

    Opera?

    Was Opera in the competition?

  28. Robert Maughan

    I wonder...

    I don't know the details of the Firefox exploit used but I wonder if it would still work with the no script addin running?

  29. Name

    Yeah but...

    I bet none of them have ever kissed a girl.

  30. Ian Rogers
    Thumb Up

    patch rush

    The second, and perhaps much more interesting part of this contest, is how quickly the various maintainers get patches out to fix the identified bugs...

  31. Anonymous Coward
    Linux

    Title? We don't need no stinking titles!

    Desktop OS hacking like last year. Would have been nice

    to watch the penguin shame them all again.

  32. Edward Miles

    Anyone manage...

    To break Lynx? Thought not :)

  33. Anonymous Coward
    Happy

    Sitting on a bug for 12 months!

    Pervert!

  34. Anonymous Coward
    Coat

    for shaaaame!

    people saying words to the effect of 'shame on nils for sitting on a bug for 12 months' should realize that 'nils' is not a professional security researcher and might have better things to do than give free bug reports to Apple/Moz/MS. If he finds a bug, he is under no obligation to report it -- if he wants to make it his personal plaything, that's up to him.

    I usually either work around bugs or use a different program -- I have a job to do and I don't always have the time to file reports. Usually, once I've figured out the workaround, the bug gets forgotten and I go back to my job. However if some contest came up and said "hey, you can make some dough if you further explore and exploit that bug you found a year back," depending on how hard up for cash I was, it might grab my attention.

    A contest like this is to give folks like 'nils' incentive to develop a workable exploit (not the same as discovering the bug) and come forward. It also gives these bugs a higher profile than they might otherwise have had (especially when reporting to the 'Queen of Denial' ... not sure if that refers to Apple or MS this week, but either way if my bug report vanishes in to the 'ether' and can't be properly tracked, I'm much less inclined to give them the benefit of my free quality control.)

    Mine's the one with the chip on the shoulder.

  35. Anonymous Coward
    Pirate

    better to sit on it than sell

    to be honest, it was better of him to sit on it for a year than sell it to the underworld for $100k - yes, the exploit may have been found by someone else during the year and he should have told Apple but i return to my first point.

    my wifes PC has had 2 attempted web hacks in the past week - the 'general internet' is getting filled with dodgy exploit and javascript laden sites, false redirects etc. I'd estimate that 70% of sites out there are infected and dodgy now. This competition highlights my usual 'use firefox rather than IE' is becoming a weaker protection layer too. IE with all security settings 100% on and firefox with noscript etc etc are handy stepping stones but its a sad day when the best browsing platform

    to use is a VM session that can be 0wned and then reloaded started from scratch when that happens :-(

  36. Dan Goodin (Written by Reg staff)

    In defense of Charlie Miller

    To those criticizing Charlie Miller for sitting on a Safari bug for more than 12 months, please consider the following:

    A bug isn't the same thing as an exploit. While Miller discovered the bug more than a year ago, it was only recently that he figured out a way to exploit it so he could remotely execute code. Charlie told me he spent considerable time an effort making this happen. Meanwhile, he has paying clients and hard deadlines to meet. Under the circumstances, I don't think there's anything wrong with him dusting off an old bug when entering this contest.

  37. Alex C
    Boffin

    Not quite cycical enough.

    What a lot of peeps here use Opera - I might give it a look...

    Course here's another way of looking at the competition.

    Sell your exploit to a few blackhats.

    Given a bit of time the secret will get out and they're using your exploit without paying you.

    Develop a new exploit, but the blackhats all have a perfectly good working one and so don't want to pay.

    Your nasty old exploit that has long since ceased paying out.

    Give your exploit to some grad student as a way to look good and get some cash to fund the studies (likely enough into the next exploit, which he may feel indebted enough to share with you) and let him win the competition. Doesn't really matter if he does or not.

    Nasty old exploit becomes public domain and gets closed.

    Black hats have to pay top dollar again for the new one.

    Repeat next year at a different hacking contest so as not to raise suspicion.

  38. Anonymous Coward
    Anonymous Coward

    @Dan Goodin : in defense (sic) of Charlie Miller

    You can't blame people for reading that into it.

    They could only go on what you told us.

  39. J
    Coat

    @adnim

    "the mantle of most stupid user ever in addition to that of uber hacker"

    Fair point, but I always like to say that social engineering works much better on victims who have social skills...

  40. robbie
    IT Angle

    Opera schloppera

    I found a bug in Opera, reported it twice and had no acknowledgement either time. The bug was still there last time I checked. Not a security issue, but why bother having a bug list in the first place?

  41. Anonymous Coward
    Unhappy

    Reporting bugs

    Perhaps, I am a bit pessimistic, but I have a feeling that reporting bugs leads to no response at all, or a text saying the bug is well known and very very non critical or the police will search your house and confiscate your computers .

  42. Steve Roper

    I also know of a 'bug'

    in all major browsers (and including Opera) that allows me to spot user-agent spoofing regardless of the method. I can spot FF with its User-Agent Switcher spoofing IE, Opera or any other browser's header that can be put into it; I can also spot Opera's Mask As... and Identify As... feature. I've known about this flaw for nearly two years now, and it seems to have survived in all new versions of each browser.

    Needless to say, I'm sitting on it and have no intention of revealing it to anyone, for several reasons, notably that banks and other sites like Microsoft that try to force you to use IE would inevitably use it to counter browser spoofing (and I like being able to use my bank's website without being forced into using Suxplorer). I also use it on our own company's websites to prevent them breaking when IE is spoofed by a non-MS browser (IE requires a different CSS than other browsers and spoofing it normally causes the IE CSS to load, breaking the site in the non-IE browser.) It also allows me to adjust site layouts to a particular browser (e.g. Opera uses a different line-height and letter-spacing than other browsers given the same values for these attributes in a CSS file) so that the site renders exactly the same in all browsers. I use this ability as part of my 'sell' to clients when I demonstrate how other sites break under these conditions, while our sites don't. Revealing it would be to give away that part of our 'edge'.

    It's not a security problem as far as I can see, although an attacker might be able to use it to reliably determine which browser the user has and tailor their attacks accordingly; it's just the way each browser inadvertently reveals itself that lets me spot what it really is. But it does show some of the reasoning why people like Nils who discover such bugs and flaws might want to sit on them - knowing about a particular flaw can give you an edge in the fiercely competitive Web development market, quite aside from any financial rewards you may obtain by waiting for a better offer than just handing it over for nothing!

  43. Anonymous Coward
    Unhappy

    @Dan Goodin

    Dan, please. As a security professional Charlie should hide bugs he knows about because he has clients and deadlines to meet? What, like everyone else, you mean?

    This is why the black hats manage to get away with remote exploits for so long, because people with Charlie's mentality give them carte blanche to do so. The black hats aren't going to publish the keys to the kingdom. It helps if the supposed white hats do, for the security of all. If they don't give a shit unless they're getting a laptop out of it then we've got a problem ...

    Perhaps you don't realise how many security products are based on open source tools and o/s? If everyone involved in open source had that attitude no security products would exist at all.

  44. Anthony
    Happy

    Re: Anyone manage...

    > To break Lynx? Thought not :)

    I bet there was plenty worn there though!!!

  45. Anonymous Coward
    Anonymous Coward

    I'm no better.

    I have not revealed any bugs to anyone. That's mainly because I haven't found any, but I've done as much harm as Charlie and made no money out of it.

  46. sumguy99

    I'll just keep using windows 98 then

    Security through obscurity. All these new hacks just bounce off win-98.

  47. vincent himpe

    Why' don't companies just pay for bug reports

    Organise a contest like this every day. The first exploitable flaw of the day gets 100K.

    You'll habe hackers racing to be first !.

    After a few weeks the exploits will al be known. for a coupl of million dollars all your codebase is fixed.

    You can;t beat that !

  48. Nathan
    Alert

    BROWSER SECURITY!

    "...no browsers running on Linux - too tough? Would have been nice to see at least."

    uhh... correct me if I'm wrong, the contest is to exploit security vulnerabilities in the BROWSER not the OS.

This topic is closed for new posts.

Other stories you might like