Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
Security Bug Canada Chrome Google Internet Explorer Java Mozilla Oracle Windows

Chrome, Firefox, IE 10, Java, Win 8 All Hacked At Pwn2Own 183

Posted by timothy
from the soooory-eh dept.
mask.of.sanity writes "Annual Canadian hack fest Pwn2Own is famous for leaving a trail of bloodied software bits and today it did not disappoint. Security researchers tore holes through all major web browsers, breaking Windows 8 and Java, too (though the latter feat is not remarkable). Thankfully for the rest of us, the cashed-up winners will disclose the holes quietly to Microsoft, Mozilla, Google and Oracle, and the proof of concept attack code will remain in the hands of organisers only."
This discussion has been archived. No new comments can be posted.

Chrome, Firefox, IE 10, Java, Win 8 All Hacked At Pwn2Own

Comments Filter:
  • Windows 8 (Score:4, Funny)

    by Anonymous Coward on Thursday March 07, 2013 @09:31AM (#43104037)

    Installing Windows 8 doesn't count as hacking it...

  • by Anonymous Coward

    Right?

    • Re: (Score:3, Funny)

      by Anonymous Coward

      They weren't hacking toys.

    • by marklark (39287)

      Yep, must be... ;^) So far, at least, since the article (but who (else) reads those?) makes no mention of it being compromised this time.

      $65,000 if you can through, though.

    • Given that it was always the first platform hacked at these events, I guess the competitors decided to step up to a real challenge and move to other platforms...
  • by Anonymous Coward

    So, at what point do we wake up and realize that current models of hardware and software development are fundamentally flawed in terms of having products which by their very nature introduce unacceptable security risks to store any data or information? (I was going to write data or information which can cause monetary loss or expense, but really...)

    Or, rather, at what point does someone wake up and develop a system that can be trusted out of the box to be secure? And consumer buys into the nature that whi

    • by Shados (741919) on Thursday March 07, 2013 @09:40AM (#43104127)

      Humans have been building infrastructure, houses, buildings, for thousands of years, and they still make mistakes (honest or out of greed by cutting corners) and these life critical infrastructure still fail left and right.

      Software is often more complex, require more people to build, and often have stricter constraints for people who don't understand it, even though we haven't been writing software all that long.

      In a few thousand years, if software doesn't have the same failure rate as building bridges does today, wake me up.

      • by bdcrazy (817679) <bdc_tggr-forums@yahoo.com> on Thursday March 07, 2013 @09:49AM (#43104217) Homepage

        People will not pay extraordinary amounts for slightly better hardware and software. (no apple doesn't count, they are good value for money, though you can't get good enough for low money from them.) Take for instance houses. People still make wood stick frame houses, even though they are quite lousy for insulation and longevity. A much better masonry or adobe house costs roughly 5-10% more, but they are very few and far between. Now take what most people are willing to pay for hardware ($0, free with subscription!) and software ($0). Now how does that figure into building them?

        • Even if they do pay a lot for it, they will still end with a system that can and will be eventually exploited. The amount of effort it will take will be greater, most likely, but it does not grow as fast as the money you have to pour into the system.
        • I'm not sure how well your analogy was chosen.
          Latin american countries, for example, tend to use cement and bricks for house-building, not wood. I've never seem a wooden-framed (like the ones built in the US). I don't think those would cost less in most of the world either, since wood tends to be more expensive.

          • by Shados (741919)

            I'm no specialist by any mean, but I always thought houses built in wood in the US were not because of the cost of the material, but because of the labor cost. You can build up a wood frame house very, very, VERY quickly. Cement/brick need time to set in. Labor cost being significantly higher is generally the problem.

            I'm in the market in Cambridge/Boston right now, and the difference in price between a place made out of wood and one that isn't in the same are with similar metrics/features is extreme (wood h

        • by jhol13 (1087781)

          From the other side: houses are still being build lousily because the builders don't give a damn. Sam applies for software. I have never seen a single piece of code that has been well written. Well, perhaps one or two exceptions in the millions of software packages there are.

          A decent architecture, whether SW or a building, can make a huge difference. Now code is written so that in practice every line in the whole browser or Java or any other runtime is potential security hole. It shouldn't be that way. Ther

      • by sjames (1099)

        It's more extreme than that. How many houses, bridges, etc are immune to deliberate attempts to make them fail? That is, how many bridges will just shrug off shaped charges attached to each and every support column by a determined attacker? How many bank vaults can be attacked night after night forever while never showing a single mark? How many are impervious to a clever mechanical dial turner guessing the combination?

    • Re: (Score:1, Insightful)

      by alen (225700)

      apple did something like this with the latest version of OS X and the ability to block the install of any software outside of their app store

      but the slashtarts were up in arms about this and how it violates their rights and whatever

    • Re: (Score:3, Interesting)

      by rtfa-troll (1340807)

      So, at what point do we wake up and realize that current models of hardware and software development are fundamentally flawed in terms of having products which by their very nature introduce unacceptable security risks to store any data or information? (I was going to write data or information which can cause monetary loss or expense, but really...)

      This insight is as old as the hills. Or at least the '80s. It is the fundamental driver behind the "full disclosure" movement which has, in a sense, been and gone.

      Or, rather, at what point does someone wake up and develop a system that can be trusted out of the box to be secure? And consumer buys into the nature that while shopping / releasing credit card data / etc. is fun and may be necessary, but it is in the best interest to pay a little more for a (less advanced) system that does not and can not be exploited?

      Start by defining "trusted". Should my local system block me from putting my Visa card number into a web site because the web site isn't safe?

      If you mean "locally trusted"; top level, secure operating systems running on very secure hardware have been build. Even in military applications they have become a commercial failure because it takes

    • Or, rather, at what point does someone wake up and develop a system that can be trusted out of the box to be secure

      Sorry, but that is simply impossible. Nothing is perfectly secure and nothing will ever be.

      • Local attackers might be fundamentally unsolvable, I'll leave that one to the physicists; but attackers who don't get to modify the hardware face the limits of the fact that software is ultimately math, and math about which certain things can be proven.

        It is true that it is arduous and/or impossible to prove many of the properties we are interested in in software complex enough to actually have any customers; but it isn't impossible in the general sense.

    • by ledow (319597) on Thursday March 07, 2013 @10:04AM (#43104381) Homepage

      When pigs fly.

      Seriously, this is like saying "why doesn't someone just make a car that can't crash, or a plane that will never stop flying?".

      We can make computers that you can bet your life on. They still fail, but the failure rate is so low that we can bet people's lives on them every day (I'm not talking traffic lights - whose total failure isn't really that big of a deal in the long run, but things like life-support machines, nuclear reactors, etc.). It's EXTRAORDINARILY expensive, and relies on there being an absolute minimum of human input at runtime.

      Even spacecraft and aircraft send two or three of the same computers up so they can just swap them out or take the majority vote. You can design systems all you like to be infallible, the fact is that they aren't - even in terms of hardware, and certainly not in terms of software. And the more you want to do with them, the more the work needed to eliminate problems increases - usually exponentially.

      Have you seen how much it costs to formally prove code? Hell, just putting the requirements to begin the process can be something more expensive than an entire development cycle of conventional programming, and still contain human errors that the computer will happily prove to be correct (because they are) even if that's not what the humans involved intended (and thus you have a classic software bug again).

      By comparison, your web browser is more complex, has more to do, updates more often (new specs and features, etc.) and is business-class programming, not critical. It would take decades or even centuries of man-hours to formally prove even a tiny section of it and every time it changes you need to do it again.

      You can't design a secure language to express these things in. You can't design a machine that will cope with anything. You can't design a process involving humans that will be infallible.

      Hell, we can't even design a piece of software that will find these bugs by itself (or else we wouldn't need bug-testing) - and yet MILLIONS is spent every year on products that help do just that (static code analysers, fuzz-testers, standard-compliance suites, etc.).

      You will never have a "secure" computer, as long as its users and designers are human. When machines start to replicate themselves and write their own operating systems, then maybe it's possible (but how to get there without relying on the output of a human to do that job in the first place?).

      Until then, honestly, what do you suggest? A "secure" programming language? There's been hundreds of attempts and ironically Java was one of them (it's all contained within a virtual machine, don't you know?, and thus can't damage the computer it's installed on.... least that's how it was sold for over TWO DECADES).

      Summary: It ain't gonna happen in your lifetime. You can deal with it, or prove everyone in CS wrong.

      • by jhol13 (1087781)

        I disagree with you whemently.

        Two or three, or seven, computers do not help if there is a SW bug. And don't give me "separate teams making different SW" bullshit, it has been proven that they all make the same mistakes.

        Formal proving? It is neither necessary and the assumptions the proof takes are usually far too lenient.

        The web browser, while complex, should not be designed so that every line of code is potential security breach - so big a hole that just looking at a textual input will give attacker whole

    • by msauve (701917)
      "at what point does someone wake up and develop a system that can be trusted out of the box to be secure?"

      Today. Just don't connect to a network or use writable, removable media.

      It's all a matter of trust vs. risk. How much do you trust that some software officially signed through Microsoft is really OK? Or that SSL keys signed by a CA [eweek.com] provide any security?

      It's easy to complain - you're saying it's "fundamentally flawed," but not offering any examples of what isn't. People have broken into bank vaults, t
    • Browser, like anything in our life, cannot be 100% safe. You don't have any security system (at houses, banks, computers) 100% failsafe. Best you can do is make the "thief" life a little bit harder.
    • When software stops being made for end users.

    • by Anonymous Brave Guy (457657) on Thursday March 07, 2013 @10:31AM (#43104695)

      So, at what point do we wake up and realize that current models of hardware and software development are fundamentally flawed in terms of having products which by their very nature introduce unacceptable security risks to store any data or information?

      That's hardly a secret. It's a cost/benefit question, and there is enough benefit around right now that most people are willing to pay the cost/accept a modest risk rather than going without.

      Or, rather, at what point does someone wake up and develop a system that can be trusted out of the box to be secure?

      You'll never have perfect security, because many useful things are inherently insecure on some level. But yes, we could certainly do a lot better than we do right now.

      I personally suspect that any qualitative shift in the industry first needs the development of an industrial-scale application programming language (and a comprehensive supporting ecosystem in terms of tools and libraries) that manages to combine reasonably high performance and flexible low-level access with much stronger architectural support features than any mainstream language offers today.

      We know a lot about how to build such a programming language already, and many useful techniques are already tried and tested in more academic/obscure/innovative languages. Unfortunately, this is a chicken and egg kind of problem: you need to get enough developers using your language that the ecosystem develops enough for mainstream industrial use, but attracting the non-enthusiast developers needs some sort of ecosystem to be there already. And as long as most customers are willing to pay significant money for software that doesn't have lots of bugs/vulnerabilities, accepting these things are somehow inevitable in the way that most non-geeks today probably do, there isn't sufficient commercial incentive for the few organisations that could actually do it to throw megabucks into developing the language and a bootstrappable ecosystem from scratch right now.

    • by sjames (1099)

      Probably at the point that people are ready to pay for it.

      At what point will we build houses that cannot be burned, blown to bits, crushed by a tree, or broken in to? Unlike a web browser, human lives hang in the balance with the houses we build.

  • by Sponge Bath (413667) on Thursday March 07, 2013 @09:35AM (#43104079)

    $100,000 for popping Chrome on Windows 7; the same for hacking Internet Explorer 10 on Win 8; $75,000 for ripping up IE9 on Win 7; $60,000 for owning Firefox on Win 7; and $65,000 for exploiting Apple Safari on OS X Mountain Lion.

    $65K was not enough to bang up Safari?

    • Safari who? [wikipedia.org]
      • Re: (Score:3, Informative)

        by smash (1351)

        You know. The browser that probably accounts for more traffic than the built in android browser. That has previously been hacked pretty much first thing every year so far.

        Gatekeeper, sandboxing the web worker process and ARC in the development kit maybe paying off.

        • by Shados (741919) on Thursday March 07, 2013 @10:48AM (#43104869)

          The browser that probably accounts for more traffic than the built in android browser

          Built in android browser? Let see... ::pulls out his nexus phone...::

          You mean Chrome?

          Oh wait, you mean the OLD android browser, from the version of android that barely worked on the internet at all, even though it still has more marketshare.

          Yeah, no surprise that that shitty browser isn't on the radar either.

    • Theyll get there tomorrow-- they havent failed to breach OSX yet. The shocker this year is that OSX / Safari didnt fall on day one-- the question is whether thats due to actual security, perceived difficulty, or lower prize money.

      • by tlhIngan (30335)

        Theyll get there tomorrow-- they havent failed to breach OSX yet. The shocker this year is that OSX / Safari didnt fall on day one-- the question is whether thats due to actual security, perceived difficulty, or lower prize money.

        That is an interesting shocker. Because usually pwn2own, the Mac goes first (because beating it got you a nice MacBook Pro), followed by Windows (normally some nice Sony laptop), and then Linux (some generic Dell). The lower prize money typically reflects that - everyone normally a

        • by JonJ (907502)

          That is an interesting shocker. Because usually pwn2own, the Mac goes first (because beating it got you a nice MacBook Pro), followed by Windows (normally some nice Sony laptop), and then Linux (some generic Dell).

          Linux has never been hacked in pwn2own.

        • Erm, no.

          The Pwn2Own contest offers cash prizes, they have done this since 2011. In fact they haven't given away a laptop since 2010. This year it's US$60,000 for first place, US$30,000 for second and US$15,000 for third. Laptop type has nothing to do with it, in fact they're targeting browsers exclusively which are running on a fully patched Win7 or latest OSX version. Points are awarded for each exploit, 0day's are worth the most, known exploits (2 have been left deliberately unpatched and will be annou
    • Re: (Score:2, Informative)

      by Anonymous Coward

      Safari for Windows was abandoned [wikipedia.org] (no version 6) and this year Pwn2own is targeting Windows browsers only.

  • by dgharmon (2564621) on Thursday March 07, 2013 @09:47AM (#43104195) Homepage
    Do any of these exploits work on Linux?
    • by Anonymous Coward

      Not the IE ones :) maybe the Java one

      Probably the Firefox one

      The chrome one partially, they used a kernel exploit to break out of the chrome sandbox

    • by Anonymous Coward on Thursday March 07, 2013 @10:14AM (#43104489)

      http://www.internetnews.com/skerner/2011/03/why-pwn2own-doesnt-target-linu.html

      Pwn2Own will target IE, Firefox, Safari and Chrome all running on Windows 7. Windows XP isn't on the target list and neither is Linux, for different reasons.

      I spoke with Aaron Portnoy, Manager of the Security Research Team at HP TippingPoint the other day and asked him why Linux wasn't being included. Apparently the question is among the most common questions he is ever asked about Pwn2Own.
      "Linux is not an operating system that has widespread use with any one particular distribution, flavor or configuration," Portnoy said. "In general Linux is still a server-based operating system, people do use it on the desktop, but you can't go to BestBuy and buy Linux with a specific distro on it that everyone uses that has widespread market share. If we were to include Linux, we'd have even more controversy and we just don't want to deal it."

      • by devent (1627873)

        Year right. That is why Linux is very much deployed on Desktop Computers. Like in Governments and in companies.
        Here is a list: http://en.wikipedia.org/wiki/List_of_Linux_adopters [wikipedia.org]
        The only reason is that Linux was not busted in the last 5 (or something like that) pown2own contests. It looks really bad if your system (ehem Microsoft) is busted in 5 minutes and a Linux system like Ubuntu will not get busted at all.

    • by ais523 (1172701)

      Most likely, I'd guess that some of them would be hitting cross-platform parts of the browser, and so the exploit would work in order to break out of the browser sandbox. Because Windows code doesn't run directly on Linux, the rest of the exploit would have to be changed to work correctly on Linux, but that would be a reasonably routine porting job.

      If the exploit hits a platform-specific part of the browser, it wouldn't work on any other OS, because the part it was trying to attack wouldn't exist.

  • Interesting /. bias (Score:1, Interesting)

    by roman_mir (125474)

    Security researchers tore holes through all major web browsers, breaking Windows 8 and Java, too (though the latter feat is not remarkable).

    - at this point I have to wonder what are the underlying reasons for the obvious bias present on /. against Java, because clearly there is something at work here, so where does the money trail lead? Is Dice holding a short position against Oracle or something? Is there something else going on? Is it a pro-Apple product and anti-Android stand?

    Personally I dislike Oracle as a company because of their insidious penetration of all facets of medium to large businesses (everything must be Oracle), but not Java

    • by smash (1351)
      The bias is against java at the moment largely because it is owned by Oracle who is evil, but also because lately, its security record has just shown it to be complete and utter CRAP.
    • Obviously the sandboxed JVM browser plugin has various issues, but the slander against the entire Java platform is getting repetitive.

      As far as I see it, there are 2 major problems. One is that the name "Java" refers to too many things. Vulnerabilities get found in the Java browser plugins, and get reported as "Java vulnerabilities". Even my boss (who is no longer a programmer, and has no experience with Java, even though he runs a tech company) heard about Twitter, Facebook, Apple, et. al. getting attacked because of "Java" (specifically, the browser plugin components), and that caused him to recommend to one of our customers that the

  • Wow, you mean really large complex systems can be hacked by smart people with a lot of time and sophisticated tools? Knock me over with a feather.
  • by smash (1351)
    Not hacked? First time ever! :D
    • Safari wins! (Score:3, Interesting)

      by goombah99 (560566)

      "Safari on Mac OS X Lion was the only browser left standing at the conclusion of the zero day portion of pwn2own. "

      Perhaps it's also telling that the prizes for winning are Mac Laptops.

      • by smash (1351)
        It's been hacked every year previously, mostly by the same guy. I suspect that the sandboxing of the web process in the current version, gatekeeper in Mountain Lion, and ARC support in the current development tools (to make memory management easier and less prone to error) is paying off.
  • Once again, no Opera (Score:5, Interesting)

    by TheKeyboardSlayer (729293) on Thursday March 07, 2013 @10:16AM (#43104503) Homepage

    Once again, pwn2own ignores the Opera web browser. This makes me sad...I recently switched exclusively to Opera after toying around with it for almost 10 years now. I've been completely happy since. I will say this, Opera takes security more seriously than any other browser out there...just an example is when the Certificate Authority hack came into play in 2011...All other browsers were twisting their knickers but Opera just yawned and said:

    Browsers that do not have protection against blocked revocation lists will need to rapidly issue an update to fix any new certificate abuse. In Opera, users are protected automatically when the certificate is revoked. If the CA has a general problem, or a CA is no longer being used, we can remove it from our list of trusted CAs behind the scenes, and the user will also be secure, without needing to change anything in her browser.

    This was the default setting in opera.

    In my opinion, Opera has my interests at the forefront when it comes to security. Whether or not that would translate to being more resistant to hacking attempts at pwn2own, I have no idea...but I really wish they'd give it a go one of these years just to see.

  • What about Opera? (Score:1, Interesting)

    by Anonymous Coward

    Invulnerable or did nobody try?

    • They don't try because they say the userbase is too small. But it just hit 300million users. It's also one of the most popular mobile browsers out there...it was tops in May of 2011 iirc.

      Sidenote: The organizer of pwn2own, Aaron Portnoy, supposedly uses the Opera Browser. Go figure.

      • by smash (1351)
        Mobile opera, at least on iOS is just a wrapper around the iOS webkit library. All the heavy lifting is done by webkit, so as far as iOS opera goes, any vulnerability that affects Safari probably affects Opera on iOS too. And vice versa.
        • Opera Mini is a wrapper. Opera Mobile is a full-fledged browser, I even have it send a desktop user agent string and it will render pages meant for a desktop just fine, with the speed that Opera users come to expect.

  • by craigminah (1885846) on Thursday March 07, 2013 @10:32AM (#43104707)
    TFA says, "Thankfully for the rest of us, the cashed-up winners will disclose the holes quietly to Microsoft, Mozilla, Google and Oracle, and the proof of concept attack code will remain in the hands of organisers only." Who wants to bet the organisers are China?
    • by MobyDisk (75490)

      the proof of concept attack code will remain in the hands of organisers only

      I find it ironic that after telling us that nearly every major operating system was hacked, they conclude by assuring us that the exploit code is kept secure.

  • For operating system, why do they only try Windows there? I, for one, would love them to try Linux as well, to help find exploits, which I'm pretty sure they'd find just as well.

  • There's no mention of any vulnerabilities on any other OS. Does this mean they're only windows-specific issues?

  • by Zamphatta (1760346) on Thursday March 07, 2013 @11:54AM (#43105691) Homepage
    The article points out that the hacks were done on Windows & Mac's. So simply saying "oh, these browsers are all flawed", is suggesting something that is either not true or something unknown. After all, it's entirely possible that the flaws do not exist in Linux or non-Mac-BSD versions of the browsers. I've seen articles go on like this before... about how all the browsers are hackable, but they only really know (or mean) that all the browsers are hackable on a certain platform. I'm tired of that FUD.
    • by smash (1351)

      The hacks work on the desktop platforms that matter if you're chasing maximum number of botnet hosts. Linux as far as desktop usage goes is barely a blip on the radar, and trying to target the myriad of different variants contained within that 1 percent of desktop users is just not worth the effort. You'd be spending say 10x the effort to hack the Windows and OS X to target the many different linux variants for a maybe 1% increase in terms of number of machines owned.

      And if they did test at pwn2own - w

  • by MobyDisk (75490) on Thursday March 07, 2013 @01:21PM (#43106859) Homepage

    Despite the fact that zero-day vulnerabilities still exist, we should note that software has gotten harder to exploit over the years. For example:

    Firefox was popped with a use-after-free vulnerability and a new technique that bypasses Address Space Layout Randomisation (ASLR) and Data Execution Prevention (DEP) in Windows, Vupen said...Windows 8 also fell to the security consultancy which cracked Microsoft's Surface Pro using two Internet Explorer zero day vulnerabilities and a sandbox bypass.

    So in each case they had to chain 3 vulnerabilities together to make this work. That means that we are at least improving security, albeit not enough. Fixing any 1 of those vulnerabilities makes the exploit no longer work.

Riches: A gift from Heaven signifying, "This is my beloved son, in whom I am well pleased." -- John D. Rockefeller, (slander by Ambrose Bierce)

Working...