Is no browser safe? Security bods poke holes in Chrome, Safari, IE, Firefox and earn $1m

The Pwn2Own and Pwnium hacking contests at the annual CanSecWest conference in Vancouver have earned security researchers over a million dollars in prizes, exposed 34 serious zero-day flaws in popular code, and earned over $82,000 for the Canadian Red Cross. In each of the Pwn2Own and Pwnium competitions, contestants are …

COMMENTS

This topic is closed for new posts.
  1. Paul McClure

    This sounds like an outstanding way to fix stuff, and close loopholes the NSA and associates would like to keep open. Given it has touched many OSes and products the cost seems minimal. Kudos for the in-house staff for doing their part to build better product. With any finite staff there are limits to what they can test and correct. The bounty process is wonderful.

    1. noominy.noom

      @Paul McClure

      Not sure why you got a downvote. Maybe for mentioning the NSA which is at best only peripherally related to the topic? I'm not as enthusiastic as you about bounties but I think they have their place. Have an upvote just for the heck of it.

      1. Paul McClure

        Thanks for the concern. Not really concerned about popularity, or instigating anything. Just using the forum to voice an opinion, obviously one of many.

        Security relates to administrators, vendors, crooks, and spooks as well as the public using the web for their interests. Better security is helped by better, more robust, software and hardware as well as better design. Design is a standards thing as changes come with a price tag. Better product is better product. Crooks get plenty of attention and are regularly hunted, and periodically shut down. Spooks could use more attention than previously; maybe the Snowden spotlight is a bit much, but ignoring them is not a good thing. Ideally those charged with oversight would step up to the task. Maybe this happens in the UK.

        1. frank ly

          re. "Maybe this happens in the UK."

          No. A senior government minister asks the head of GCHQ (or similar), "Have you been breaking the law?". He answers, "No, of course not." This is then converted into officialese and stated by the minister in parliament. It's a much better system than in the USA because there's not as much fuss and shouting. We hate fuss and shouting.

          1. Yet Another Anonymous coward Silver badge

            Re: re. "Maybe this happens in the UK."

            That's a ridiculous statement, a good chap would never dream of asking another good chap such an impertinent question. You have to trust a chap.

            It's like asking an MI5 candidate if they are actually a KGB agent - it's just rude really.

      2. Anonymous Coward

        He got a downvote because VUPEN are one of the prime sellers of exploits to the NSA, yet here they are getting back-pats (indirectly).

        So not only have VUPEN profited from selling exploits to the NSA/governments but now we have the hacker convention rewarding them for marketing those exploits and then disclosing them.

    2. goldcd

      Indeed

      But misses out on three key thoughts:

      1) This software had holes in it, and this has just been demonstrated. It doesn't indicate that this is the first time the hole has been exploited.

      2) These people got paid for finding *a* zero-day. Finding these flaws doesn't indicate that all the holes have been found.

      3) Bounties have been paid out for finding these, but worth of these defects is potentially many many times more on the open market - so why claim the reward?

      Vupen (and their ilk) base their livelihoods on selling on these exploits privately. The benefit reaped by these contestants in winning isn't the prize, but a seat in the premier league of exploit resellers (and I accept this is assuming they're all the money-grabbing-gits I'd be if I was in their position).

      1. Trevor_Pott Gold badge

        @goldcd

        Whitehat

        Greyhat

        Blackhat

        There are differences

        1. Yet Another Anonymous coward Silver badge

          Re: @goldcd

          Do you think the limited range of colours for head attire is what limits the number of women in technology?

          1. Michael Wojcik Silver badge

            Re: @goldcd

            Do you think the limited range of colours for head attire is what limits the number of women in technology?

            Limited?!! It's, like, 8-bit grayscale! That was good enough for us in the '80s and it should be damned well good enough for anyone.

            Well, except maybe for Jenny Joseph.

        2. Pookietoo

          Re: Whitehat Greyhat Blackhat

          You forgot Arsehat.

        3. Michael Wojcik Silver badge

          Re: @goldcd

          Whitehat

          Greyhat

          Blackhat

          There are differences

          Or in somewhat more precise terminology, there are intangible benefits to exchanging information regarding IT security, and different parties will assign different values to those intangibles, and so in many cases the behavior with the greatest incentives for a given researcher is to give the information to some party other than the one that provides the greatest financial component to their incentive.

          There is a thing. It is called behavioral economics. It explains that people do not always make the choice that nets them the most filthy lucre.

  2. Anonymous Coward

    The only approach is multiple secure layers with full backup scheme and redundancy where possible.

    Never depend on any one ultra secure thing, because they'll either crack it or just go around it. The Germans learned that with Enigma.

    1. Anonymous Coward

      The Germans learned that with Enigma.

      Not very well, it seems, since they still seem to have rubbish communications security.

      1. Anonymous Coward

        Maybe

        A slightly more sophisticated approach is to have state-of-the-art (but still inadequate) electronic security - and just be careful what you communicate through those electronic channels. A clever player could seriously mislead eavesdroppers, who are so busy hugging themselves with glee at their superior technology that they don't think to question whether they are deliberately being fed misleading information.

        Just saying.

      2. This post has been deleted by its author

      3. Yet Another Anonymous coward Silver badge

        re: The Germans learned that with Enigma.

        Every side in WWII broke at least some of the codes of their opposition - while assuming that all their own codes were perfectly safe.

      4. Volker Hett

        Yes, but now that it isn't homegrown anymore it's not our fault! :)

    2. Anonymous Coward

      Makes me wonder what happens when you have constraints that keep your ideal model from being usable. Perhaps the security is too resource-intensive or there's not enough memory.

      It's a real-world issue. What happens when you need security but the resources needed for that security are too limited?

      1. Anonymous Coward

        Practicality

        >>Makes me wonder what happens when you have constraints that keep your ideal model from being useable.

        Exactly: security says, disable cross mounted file systems, remote logins, just about all practicable file transfers, USB ports and internet access.

        Now, with even a few such restrictions, just how does one conduct any business involving more than one computer in the infrastructure or that requires customer access for ordering, information etc.? How do your employees send each other data, other than by printing it out (security could forbid that too)? Developers, researchers, marketing, recruiters may want internet access to get documentation, software updates, market information, exchange information.

        It's a question of balance: you can make your house secure by surrounding it with lights, barbed wire, sensors, removing all trees and shrubs, closing the streets around it, steel shutters... Not much fun to live there though. But safe.

        1. Yet Another Anonymous coward Silver badge

          Re: Practicality

          > Not much fun to live there though. But safe.

          I don't know - I think it would be entertaining to have a moat and drawbridge.

          People trying to get me to change gas supplier - meet boiling oil.

        2. Michael Wojcik Silver badge

          Re: Practicality

          Exactly: security says, disable cross mounted file systems, remote logins, just about all practicable file transfers, USB ports and internet access.

          Only to people who have no idea what "security" means.

          Outside a threat model and risk assessment, "security" is at best no more than a vague concept. Specific restrictions ("disable cross mounted file systems") are pointless without that framework.

          It's a question of balance

          There's no need for that sort of handwaving vacillation. It's possible - indeed not particularly difficult - to be formally precise (to the precision of your risk probabilities) in evaluating every aspect of securing a system. Pretending there's some Snowian two-cultures divide between "the secure" and "the free" is just obscurantism, and it plays into the hands of both attackers and the police state by positing a dichotomy that does not exist.

  3. Roo

    Core Wars, 2014 style. :)

    "Gorenc said staff at Google found six zero-day vulnerabilities in Microsoft code, as well as a kernel issue in Apple's iOS."

    Love how Google scored some hits there, hopefully MS & Apple will retaliate and the customer will win with better quality software. :)

  4. Anonymous Coward

    Haha, people used to poke fun at Safari and IE.

    But all software has holes since every software has mistakes, bugs or sloppy code.

  5. Lars Silver badge

    No mention of Linux

    ??? (no good) needs a letter. Have some.

    1. Hit Snooze

      Re: No mention of Linux

      Maybe because it is a sponsored event that was for bugs in browsers. So if no one is going to pay for a bug, why submit it?

      1. JDX Gold badge

        Re: No mention of Linux

        Would bugs found in ChromeOS be potentially reproducible on other Linux setups? How much of ChromeOS IS Linux?

  6. Herby

    This begs the question...

    Will these flaws actually get fixed?

    This is the more pressing issue.

    1. Anonymous Bullard

      Re: This begs the question...

      Well, it would be an incredible waste of time and money if not!

    2. boondox

      Re: This begs the question...

      They usually do.

      I'm wondering what'll happen to other 'sploits that weren't revealed by the contenders.

      Plus, what's up with Charlie Miller? He's usually a hit at these things...

      1. Anonymous Coward

        Re: This begs the question...

        >Plus, what's up with Charlie Miller? He's usually a hit at these things...

        Probably keeping a low profile as an ex-NSA bod... can't be much fun for him at such events. Even if he didn't know about Prism etc., I suspect he'd get his ears bent.

  7. Christian Berger

    We need something more simple than webbrowsers

    Modern web browsers are extremely complex. Not only do they contain support for multiple image and video files, but also complex layout languages and plugins.

    Maybe it might make sense to have a much simpler way to display web pages, combined with a simple way to do "web applications". It would need to be so simple you could implement it in a day.

    1. Paul Crawford Silver badge

      Re: We need something more simple than webbrowsers

      That ain't going to happen now that world+dog expect to run javascript/HTML5/etc to display "hello world". The modern web browser is more like an OS than a text rendering application, and so much of the web now depends on that to work. Yes, I know it's dumb, but no I don't see it changing.

      Probably the best we can hope for is sandboxing becoming robust enough to stop break-outs, and maybe aggressive enough to just kill browsers when something dodgy happens.

      But there are problems in terms of actually using that - for example you might use Linux's apparmor to limit file access so a browser can't write to sensitive places, nor snaffle your files for uploading to spooks/criminals, but most users will simply howl when they find the browser dies on trying to navigate to, say, their collection of cat photos for uploading to facebook, etc. Sadly so far usability always triumphs over security.

      1. bazza Silver badge

        Re: We need something more simple than webbrowsers

        "The modern web browser is more like an OS than a text rendering application, and so much of the web now depends on that to work. Yes, I know it's dumb, but no I don't see it changing."

        It is very dumb indeed. Anyone thinking that a browser as an OS is going to be any more secure than a traditional OS is deluded. In fact it's almost certainly worse.

        The traditional OSes have been put through the mill and a lot of problems have been fixed. Whereas a brand new execution ecosystem (which we call a web browser) has got all of its day-one bugs still extant, and they keep adding more features (and more bugs) all the time.

        "Probably the best we can hope for is sandboxing becoming robust enough to stop break-outs, and maybe aggressive enough to just kill browsers when something dodgy happens."

        Sandboxing is in itself a useful way of guarding the OS underneath the browser, and I'd rather have it than not. I agree - I think it's indeed the best we can hope for. Alas, if the browser is acting more like an OS within an OS, then the sandbox isn't adequate. What's to stop some nasty code running riot inside the browser stealing / deleting data stored within the browser? The browser would need adequate protections within itself, as well as the sandbox barrier outside.

        There's already proof of concept in-browser viruses floating around (El Reg passim), but there's nothing you can do outside the browser to prevent them causing harm inside it. So what's it to be? A special McAfee webpage that's always running inside your browser checking up on other web pages to make sure they're not doing anything nefarious? Sounds less efficient than an ordinary OS + apps + AV to me.

        So far as I can tell HTML5 is making a similar mistake to Android. HTML5 is designed to keep different web apps separate, and no web app can influence another. At least, that's the intention. It doesn't work out that way though because the HTML5 implementation is not perfect. It does make it very difficult to add a third party package (an AV product, a 'McAfee' web page) to protect the whole browser and the apps and data it's storing. So we're totally dependent on the browser writers immediately fixing bugs, etc. Bit like AV in Android can detect nasties, but can't actually do anything about them because the OS won't let it.

        1. Yet Another Anonymous coward Silver badge

          Re: We need something more simple than webbrowsers

          Except a "browser as an OS" has less local state.

          My chromebook could be hacked - although the attack surface is probably less than Windows - but I can do a full restart and lose any locally stored data.

          So I would have to visit the attacking site immediately before doing my online banking.

      2. Christian Berger

        Re: We need something more simple than webbrowsers

        "That ain't going to happen now that world+dog expect to run javascript/HTML5/etc to display "hello world". The modern web browser is more like an OS than a text rendering application, and so much of the web now depends on that to work. Yes, I know it's dumb, but no I don't see it changing."

        Yes, but I'm not necessarily talking about "changing the web", but about providing a much more secure and restricted alternative. I mean we (normal people) are not using webmail since it's far too insecure, we use special protocols like IMAPS. We use ssh which even uses key pinning. Both protocols however are inconvenient for GUI tasks over high latency connections. (though there is an alternative to ssh called mosh which can do predictive echoes and stuff)

        Imagine we had some trivial "GUI over IP" protocol which simply uses a GUI toolkit on one side and transmits events. It could run over a severely cut down version of Websocket, and you could even write a client for it which runs in browsers.

        With a client in HTML5 you could have a migration strategy to native clients.

        1. Vic

          Re: We need something more simple than webbrowsers

          > I mean we (normal people) are not using webmail since it's far too insecure,

          I do...

          > Imagine we had some trivial "GUI over IP" protocol

          ssh already does X forwarding. Has done for years.

          It's very useful - but generally rather slow. Most users will not want to use it.

          There are also security issues to consider - do you really want to send all your keystrokes in real-time to a server you don't control?

          Vic.

        2. Michael Wojcik Silver badge

          Re: We need something more simple than webbrowsers

          Imagine we had some trivial "GUI over IP" protocol which simply uses a GUI toolkit on one side and transmits events.

          X11. NeWS. Display Postscript. VNC. Windows RDP.

          Now if only someone had created, say, some sort of private network that could be established virtually over IP. Or even added a secure-channel mechanism to a newer version of IP. Then by gosh we'd have something!

          (Have you seen my latest invention, the "wheel"? Still having some trouble with the corner cases.)

      3. Anonymous Coward

        Re: We need something more simple than webbrowsers

        Referring back to the recent thread about TBL and how good his original Web was, may I point out that it was at least potentially far more secure (or securable) than the mess we have nowadays. Dynamic HTML, scripting, etc. was touted as the way to make the Web more like TV (and hence more profitable). Unfortunately, it was a bit like modifying a helicopter to make it more like a submarine - the end product is not something a smart person would climb into under any circumstances.

    2. Anonymous Coward

      Re: We need something more simple than webbrowsers

      Yes to this.

      And it needs to have secure channels and distributed trust built in so subverting it wouldn't be so easy. What about starting from something pre-existing and well known like Dalvik?

    3. Charles Manning

      Run them in a chroot jail

      If you ran the web browser within a chroot/FreeBSD jail it could surely do what the hell it liked and not hurt anyone.

      1. Anonymous Coward

        Re: Run them in a chroot jail

        FreeBSD/Solaris jails are a good idea but chroots are trivial to break out of.

        1. mtp

          Re: Run them in a chroot jail

          Maybe trivial if you have full access and known kernel bugs but from the restricted environment of a subverted browser it is going to be much tougher. A chroot adds a simple extra layer of protection for minimal cost. To break out requires low level access and a known kernel bug but the chroot makes exploiting the bug harder.

          1. Christian Berger

            Re: Run them in a chroot jail

            I think last time I checked, you could simply chroot out of a chroot "jail". I don't think it ever was designed to be a security feature.

            1. Destroy All Monsters Silver badge

              Re: Run them in a chroot jail

              I think last time I checked, you could simply chroot out of a chroot "jail". I don't think it ever was designed to be a security feature.

              So what do you think it was designed to be for?

              To "break out", you need to be root. This is already a little bit of an impediment:

              Breaking chroot()

              It should be noted that this document was written with protecting web servers from rogue CGI scripts in mind. Therefore it is not unreasonable to assume that a user has access to a Perl interpreter. It is then a matter for the user to gain root access via security holes on the box running the web server. Whilst this is outside the topic of the document, an attacker could make use of application programs which are setuid-root and have security holes within them. In a well maintained chroot() area such programs should not exist. However, it should be noted that maintaining a chroot()ed environment is a non-trivial task, for example system patches which fix such security holes will not know about the copies of the programs within the chroot()ed area. Ensuring that there are no setuid-root executables within the padded cell is going to be a must.

              Well, today we have Virtual Machines.
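The quoted document's two maintenance points (no setuid-root executables inside the chroot, and host patches that never reach the copies inside it) are both things a jail administrator can check mechanically. The script below is an added example written for this discussion, not code from the quoted document or from any commenter; it walks a jail tree looking for setuid regular files, and compares each jail file against the file at the same relative path on the host so that a patched host binary with an unpatched jail copy shows up. The `demo()` fixture builds a constructed jail/host pair under a temporary directory; the file names in it (`perl`, `leftover-helper`) are illustrative only.

```python
import hashlib
import os
import stat
import tempfile


def is_setuid_regular(mode: int) -> bool:
    """True for a regular file whose setuid bit is set (mode as returned by lstat)."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)


def find_setuid(root: str):
    """Walk `root` without following symlinks and return a sorted list of
    (path, owner_uid) for every regular file carrying the setuid bit.
    Owner uid 0 is the case the quoted document says must not exist in a jail."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable entry: skip it rather than abort the audit
            if is_setuid_regular(st.st_mode):
                hits.append((path, st.st_uid))
    return sorted(hits)


def setuid_root(hits):
    """Reduce find_setuid() output to the root-owned binaries."""
    return [path for path, uid in hits if uid == 0]


def _sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def stale_copies(jail_root: str, host_root: str):
    """For every regular file under jail_root that also exists at the same
    relative path under host_root, report the relative path when the two
    differ: a host-side patch that never reached the jail copy."""
    stale = []
    for dirpath, _dirnames, filenames in os.walk(jail_root):
        for name in filenames:
            jail_path = os.path.join(dirpath, name)
            rel = os.path.relpath(jail_path, jail_root)
            host_path = os.path.join(host_root, rel)
            if not (os.path.isfile(jail_path) and os.path.isfile(host_path)):
                continue
            if _sha256(jail_path) != _sha256(host_path):
                stale.append(rel)
    return sorted(stale)


def demo():
    """Constructed fixture: a fake jail and a fake host tree in a temp dir.
    Returns (setuid files in the jail, jail files that lag the host copy)."""
    with tempfile.TemporaryDirectory() as tmp:
        jail = os.path.join(tmp, "jail")
        host = os.path.join(tmp, "host")
        for base in (jail, host):
            os.makedirs(os.path.join(base, "usr", "bin"))
        # (tree, name) -> (contents, mode); the jail helper keeps a setuid bit,
        # and the host's perl has been "patched" while the jail's has not.
        files = {
            ("jail", "perl"): ("#!/bin/sh\necho perl v1\n", 0o755),
            ("jail", "leftover-helper"): ("#!/bin/sh\necho helper\n", 0o4755),
            ("host", "perl"): ("#!/bin/sh\necho perl v2 patched\n", 0o755),
            ("host", "leftover-helper"): ("#!/bin/sh\necho helper\n", 0o755),
        }
        for (tree, name), (body, mode) in files.items():
            path = os.path.join(tmp, tree, "usr", "bin", name)
            with open(path, "w") as f:
                f.write(body)
            os.chmod(path, mode)
        suid = [os.path.relpath(p, jail) for p, _ in find_setuid(jail)]
        return suid, stale_copies(jail, host)


if __name__ == "__main__":
    print(demo())
```

Run against a real jail, `find_setuid("/srv/jail")` plus `setuid_root(...)` gives the list to act on, and `stale_copies("/srv/jail", "/")` after each host update shows which jail copies still need refreshing; the demo fixture deliberately leaves the owner uid unchecked because it is run as an ordinary user.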

      2. Michael Wojcik Silver badge

        Re: Run them in a chroot jail

        If you ran the web browser within a chroot/FreeBSD jail it could surely do what the hell it liked and not hurt anyone.

        Gah. Look at the OWASP Top Ten. How many of those would be affected by sandboxing?

        Most browser-based exploits affect server-side resources and attack protocol flaws. Sandboxing has no effect on them. A sandboxed browser will be just as vulnerable to XSS, CSRF, etc.

    4. Michael Wojcik Silver badge

      Re: We need something more simple than webbrowsers

      Maybe it might make sense to have a much simpler way to display web pages, combined with a simple way to do "web applications". It would need to be so simple you could implement it in a day.

      Telnet. If you want more functionality pushed to the client side, TN3270 (or any of the other smart-terminal Telnet variations).

      OK, "implement in a day" is pushing it (oh, you gloriously-overengineered Telnet negotiation protocol, you!). But a week should suffice.

      "A simpler way to display web pages" won't do much for web security, though. Take a look at the OWASP Top Ten. Several are primarily or exclusively on the server (including some, such as A2, that are mitigated by using advanced client-side capabilities). The others mostly do not rely on advanced client capabilities, except for CSRF - and it's very hard to see how non-trivial "web applications" could be constructed without opening the door to CSRF attacks.
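Both of Michael Wojcik's points above (that a sandboxed browser is just as exposed to XSS and CSRF, and that these OWASP categories live on the server) come down to where the mitigation has to sit. The snippet below is an added example written for this thread, not code from any commenter or from OWASP: a server-side synchronizer-token check for state-changing requests, backed by an Origin header comparison, and server-side HTML escaping of reflected input. Neither depends on anything the client's sandbox does. The origins `https://bank.example` and `https://evil.example` are constructed placeholders.

```python
import hmac
import html
import secrets


def issue_csrf_token() -> str:
    """Random per-session token; the server stores it and echoes it into its own forms.
    A third-party page cannot read it, which is the whole basis of the check."""
    return secrets.token_urlsafe(32)


def csrf_request_allowed(session_token, submitted_token, origin_header, site_origin):
    """Decide whether a state-changing request may proceed.
    session_token: the token held server-side for this session (or None).
    submitted_token: the token the request carried in a form field/header (or None).
    origin_header: the request's Origin header (None when the browser sent none).
    Returns (allowed, reason)."""
    if not session_token or not submitted_token:
        return False, "missing token"
    # Constant-time comparison so the check itself leaks nothing about the token.
    if not hmac.compare_digest(session_token, submitted_token):
        return False, "token mismatch"
    # Defence in depth: a browser-initiated cross-site POST announces its origin.
    if origin_header is not None and origin_header != site_origin:
        return False, "cross-origin request"
    return True, "ok"


def render_greeting(untrusted_name: str) -> str:
    """Reflect user input into HTML with it escaped on the server, so markup
    or script in the input is rendered as inert text whatever the client does."""
    return "<p>Hello, " + html.escape(untrusted_name, quote=True) + "</p>"


def demo():
    """Constructed exchange: one legitimate request, one forged cross-site
    request (no token, foreign Origin), one guessed token, and escaped output."""
    site = "https://bank.example"
    token = issue_csrf_token()
    legitimate = csrf_request_allowed(token, token, site, site)
    forged = csrf_request_allowed(token, None, "https://evil.example", site)
    guessed = csrf_request_allowed(token, secrets.token_urlsafe(32), site, site)
    escaped = render_greeting("<script>alert(1)</script>")
    return legitimate, forged, guessed, escaped


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The token check is what actually stops a forged request; the Origin comparison is kept as a second, cheaper line of defence and is skipped when the header is absent, which is why it must never be the only check.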

  8. John Tserkezis

    "Only Java held up to the time-limited attacks"

    Say what you want, but kudos to Oracle who actually fix bugs rather than just pretend to, not mentioning any names, Adobe.

    1. Vic

      Re: "Only Java held up to the time-limited attacks"

      > not mentioning any names, Adobe

      "Better than Adobe" is very much damning with faint praise...

      Vic.

  9. adnim

    Why

    aren't the hackers being employed to write the software?

    1. Mage Silver badge

      Re: Why

      Maybe "hacking" and designing and writing are three different skills.

      Why is so much time and money spent on appearance while tools continue to be poor, underlying design poor, etc.?

      It's daft to claim these contests are part of testing or QA. Quality and security are DESIGNED in, and implemented, not hacked and patched after the fact.

      It [patching] leads to messy code and new bugs.

      Why, about 30 years after C++, Modula-2 and Objects etc., are we still seeing array bounds vulnerabilities in SW?

      I'm on a lot of security mailing lists and the bugs and vulnerabilities on for example PHP based CMS are all more of the same year in year out.

      We are doing it wrong in the first place.

      1. Anonymous Coward

        Re: Why

        Everyone PLEASE upvote Mage's comment!

        "Why is so much time and money spent on appearance while tools continue to be poor, underlying design poor, etc.?"

        That hits the nail precisely on the head. The answer, in brief, is that appearance yields a lot of quick up-front profit, and poor underlying design (including security) mostly harms others and can thus be swept under the carpet as an "externality".

        Things would be a lot better if everyone who writes serious software (defined as software that is relied on by a lot of people for anything that matters) had to be properly qualified. But that would entail a solid background of computer science and software engineering - as well as management willing to pay for those things to be used - instead of hiring and firing people who just read the latest book on the latest version of the latest framework for the latest language on the currently fashionable platform.

        1. Destroy All Monsters Silver badge

          Re: Why

          There is no fun in watching cats falling down stairs on secure software!

        2. Anonymous Coward

          Re: Why

          Oh God.

          Yes, I know of a company with a fairly mature product that needed an updated web front end. They hired someone who had just left university and invited him to choose the web framework and security model - because his information was "more up to date" than that of the existing developers.

          While people like that exist, security is going to be an afterthought - if that.

          1. Anonymous Coward

            Re: Why

            Your story is very apt. The very idea that being "up to date" is intrinsically important demonstrates a frightening lack of understanding. The fundamentals of security do not change, any more than the fundamentals of reliability, maintainability, or for that matter user-friendliness.

        3. Anonymous Coward

          Re: Why

          While I agree with what you are saying in general, qualifications mean nothing. That's just adding a whitewash to a turd. A turd is a turd. Someone who wants to make money off software is someone who wants to make money off software. So no certification or qualification will change that.

          Greed is the problem. Enough compromises and everyone does it. I mean just imagine if... It's already happened. It's like I woke up in the dystopian future.

    2. JDX Gold badge

      Re: Why

      Hackers shouldn't be employed to code. But employing them as testers and/or in-house security specialists wouldn't be a bad plan.

  10. jason 7

    So what happened to the...

    Windows 8.1 running EMET challenge?

    1. jason 7

      Re: So what happened to the...

      Ahhh...

      "The largest single prize not awarded was the $150,000 for successful demonstration of the grand-prize Exploit Unicorn, a triple-play puzzle specifically designed to provide the greatest challenge for researchers. Though no entrants made that attempt, the record-setting number of entrants and the diverse and creative approaches taken to crafting attacks made this a Pwn2Own for the ages."

      http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Pwn2Own-s-New-Exploit-Unicorn-Prize-Additional-Background-for/ba-p/6357753

  11. Anonymous Coward

    "Gorenc said staff at Google found six zero-day vulnerabilities in Microsoft code, as well as a kernel issue in Apple's iOS."

    Macs on the rise? Maybe because of the erroneous advice given by friends/family about how great mac is? That's definitely it.

    At least 'dows users know to protect themselves and take security seriously. The only security OSX users have is their belief in the system being secure.

    1. Anonymous Coward

      "At least 'dows users know to protect themselves and take security seriously."

      I presume that is ironic?

      Corporate IT departments with a Windows fleet to administer, yes.

      Joe public - no. They buy anti-virus, believe the system is secure (just like OSX users) and then proceed to navigate recklessly around gambling and porn sites clicking on pop-ups.

      And then they ask you to set up online banking and their accounts system on the relevant PC.
