Pwn2Own: IE10, Firefox, Chrome, Reader, Java hacks land $500k It's back to the drawing board for coders at Microsoft, Google, Adobe, Mozilla, and Oracle after entrants in the annual Pwn2Own contest waltzed off with over half a million dollars in prizes for exploiting security holes in popular software. At this year's CanSecWest security conference in Vancouver, contestants had a choice …
"VUPEN Security's crack on IE 10 running on Surface Pro was an eye-opener," Gorenc said. "The vulnerability was so elegant it didn't even crash the browser. They launched the process from outside the sandbox so the user wouldn't even know if they had been hacked."
Since this is the Pro version and not the RT, this pretty much means that Windows 8 is hackable (possibly 7 if you upgraded to IE 10)
Pretty much all OSs are hackable. It is worth noting that Windows 8 has one of the lowest vulnerability counts versus time of any current OS, as does IE 10 - much lower than Chrome or Firefox for instance.
To fully exploit the IE10 hole, you would also need a further vulnerability to elevate your rights.
It is worth noting that Windows 8 has one of the lowest vulnerability counts versus time of any current OS, as does IE 10
No, it really isn't worth noting. Not been on the market for six months and not getting a great deal of use. Expect the number of known vulnerabilities to rise as more chumps are forced to use it.
All systems have vulnerabilities and an open approach to dealing with them is far more important than cock-crowing about the numbers.
'Ummm, he did say "lowest vulnerability counts versus time".'
The problem with that statement is that it relies on the assumption of a linear scale. On the release to manufacturing date, let's be naive nice and assume there are 0 known vulnerabilities in the product. If you rely on that statistic of 0 vulnerabilities over one day, it is therefore the lowest vulnerability count over time.
The problem is that growth in vulnerability discovery is nowhere anywhere remotely near linear, and you need a much larger sample size. Even a full year on the market is too small a sample size to judge vulnerabilities in systems. For example, take a look at Mac OS X. It has historically been promoted as being malware-free, but that's been since thoroughly disproved after several years, even if most (though not all) vulnerabilities have risen from third-party software.
This post has been deleted by its author
That's just rubbish. Mac OS-X has over 1700 known vulnerabilities - mostly nothing to do with third party software. That's over 3 times as many as Windows XP!
A new operating system will obviously have more undiscovered vulnerabilities than a mature one so you are likely to get more patches in the first few months, not less. I would also say a year is a very reasonable period to be able to make an first assessment of an operating system's security vulnerability statistics...
Just counting the number of vulnerabilities is a lazy way to judge the security of a product. You should count how many days something has been actively exploited.
"If we count just the critical zero-days, there were at least 89 non-overlapping days (about three months) between the beginning of 2011 and Sept. 2012 in which IE zero-day vulnerabilities were actively being exploited. That number is almost certainly conservative.."
http://krebsonsecurity.com/2012/10/in-a-zero-day-world-its-active-attacks-that-matter/
The last known active exploit for Firefox was in 2010 for the Noble peace prize which was patched in a day. Chrome has no known history of an active exploit in the wild.
Of course this quote was earlier Windows and Windows 8 is a different especially IE in win32 vs IE in winRT, but the point is Microsoft security record is probably the worst out of all the major browsers, slow to respond to threats and issue patches in part b/c of the whole patch Tuesday nonsense to pamper to lazy control freak IT workers.
Interesting reading "in 2011 Google’s Chrome had an all time high of 275 new vulnerabilities reported, the current peak of an upward trend since its day of release. Mozilla Firefox, while currently trending down from its 2009 high, still had a reported 97 vulnerabilities. Microsoft’s Internet Explorer has been trending gradually down for the past five years and 2011 saw only 45 new vulnerabilities, less than any other browser"
"It is worth noting that Windows 8 has one of the lowest vulnerability counts versus time of any current OS, as does IE 10"
If you read the article (*if*), then you would know that Windows 8 is lower than Chrome OS, so you should of left this comment in your head. Then again, with fuzzy statements like "one of the lowest" and "versus time", maybe Microsoft is written on your paycheck.
Not to sound like a dick, but with Windows 8's user base, I think Windows 8 will go for very long periods without exploits, largely because it is going to take very long periods of time for people to switch to it.
Why is the hacking contest held in affluent Vancouver? They'd surely get far more hacks if they offered a half-million dollars in prize money in China or Russia. These two countries are also the source of much of the world's most advanced hacking, so they'd be drawing on a knowledge pool that is both wide and deep.
Sadly despite the obvious need for this sort of security proofing, none of them are really interested in it. The one good thing about all the problems MS has had, is that it has roused some sense that they do have to address security. Granted they do still put too much of the effort into PR and not enough into engineering.
[Mark 63]
"HP paid 480k of the 1/2/ mill?
You'd think Google, Adobe, Mozilla, and Oracle would be able to come up with more than $20k between them if they were serious about security"
..and Microsoft ?
"Posted Friday 8th March 2013 12:50 GMT Tom 13
Re: Prize funding?
Sadly despite the obvious need for this sort of security proofing, none of them are really interested in it."
Why do you say that ? Certainly as far as Google is concerned, they have been paying for exploits for a while now and the Pwnium contest had quite a fund on it to encourage breaking it....
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
