Chrome, Firefox, IE 10, Java, Win 8 All Hacked At Pwn2Own

mask.of.sanity writes "Annual Canadian hack fest Pwn2Own is famous for leaving a trail of bloodied software bits and today it did not disappoint. Security researchers tore holes through all major web browsers, breaking Windows 8 and Java, too (though the latter feat is not remarkable). Thankfully for the rest of us, the cashed-up winners will disclose the holes quietly to Microsoft, Mozilla, Google and Oracle, and the proof of concept attack code will remain in the hands of organisers only."

Windows 8

[Anonymous Coward]

Installing Windows 8 doesn't count as hacking it...

What? Not Mac? It must be impervious to hacks

[Anonymous Coward]

Right?

Re:

[Anonymous Coward]

They weren't hacking toys.

Re:

[marklark]

Yep, must be... ;^) So far, at least, since the article (but who (else) reads those?) makes no mention of it being compromised this time.

$65,000 if you can through, though.

Re:

[LynnwoodRooster]

Given that it was always the first platform hacked at these events, I guess the competitors decided to step up to a real challenge and move to other platforms...

Fundamentally Flawed

[Anonymous Coward]

So, at what point do we wake up and realize that current models of hardware and software development are fundamentally flawed in terms of having products which by their very nature introduce unacceptable security risks to store any data or information? (I was going to write data or information which can cause monetary loss or expense, but really...)

Or, rather, at what point does someone wake up and develop a system that can be trusted out of the box to be secure? And consumer buys into the nature that whi

Re:Fundamentally Flawed

[Shados]

Humans have been building infrastructure, houses, buildings, for thousands of years, and they still make mistakes (honest or out of greed by cutting corners) and these life critical infrastructure still fail left and right.

Software is often more complex, require more people to build, and often have stricter constraints for people who don't understand it, even though we haven't been writing software all that long.

In a few thousand years, if software doesn't have the same failure rate as building bridges does today, wake me up.

Re:Fundamentally Flawed

[bdcrazy]

People will not pay extraordinary amounts for slightly better hardware and software. (no apple doesn't count, they are good value for money, though you can't get good enough for low money from them.) Take for instance houses. People still make wood stick frame houses, even though they are quite lousy for insulation and longevity. A much better masonry or adobe house costs roughly 5-10% more, but they are very few and far between. Now take what most people are willing to pay for hardware ($0, free with subscription!) and software ($0). Now how does that figure into building them?

Re:

[fredprado]

Even if they do pay a lot for it, they will still end with a system that can and will be eventually exploited. The amount of effort it will take will be greater, most likely, but it does not grow as fast as the money you have to pour into the system.

Re:

[hobarrera]

I'm not sure how well your analogy was chosen.
Latin american countries, for example, tend to use cement and bricks for house-building, not wood. I've never seem a wooden-framed (like the ones built in the US). I don't think those would cost less in most of the world either, since wood tends to be more expensive.

Re:

[Shados]

I'm no specialist by any mean, but I always thought houses built in wood in the US were not because of the cost of the material, but because of the labor cost. You can build up a wood frame house very, very, VERY quickly. Cement/brick need time to set in. Labor cost being significantly higher is generally the problem.

I'm in the market in Cambridge/Boston right now, and the difference in price between a place made out of wood and one that isn't in the same are with similar metrics/features is extreme (wood h

Re:

[jhol13]

From the other side: houses are still being build lousily because the builders don't give a damn. Sam applies for software. I have never seen a single piece of code that has been well written. Well, perhaps one or two exceptions in the millions of software packages there are.

A decent architecture, whether SW or a building, can make a huge difference. Now code is written so that in practice every line in the whole browser or Java or any other runtime is potential security hole. It shouldn't be that way. Ther

Re:

[sjames]

It's more extreme than that. How many houses, bridges, etc are immune to deliberate attempts to make them fail? That is, how many bridges will just shrug off shaped charges attached to each and every support column by a determined attacker? How many bank vaults can be attacked night after night forever while never showing a single mark? How many are impervious to a clever mechanical dial turner guessing the combination?

Re:

[alen]

apple did something like this with the latest version of OS X and the ability to block the install of any software outside of their app store

but the slashtarts were up in arms about this and how it violates their rights and whatever

Re:

[Anonymous Coward]

Fool, the setting is customizable.

Allow Applications downloaded from:
â Mac App Store
â Mac App Store and Identified Developers
â Anywhere

Choose either of these 3 options for your preferred level of control vs. safety. Change the setting any time you like.

Yes, the power is is in the hands of the administrator.

Now, don't you feel stupid?

Re:

[Zyrill]

You mean it is still customizable. It's not like you can install any software you want legally on your iOS appliance. But that is besides the point: even using Safari browsers, one is still susceptible to MITM, fishing, scamming ... attacks. So it isn't really a question of which browser/OS etc. you use. It is a question of infrastructure and the weakest link will always be the target.

Re:

[krakelohm]

Legally you can jailbreak your iOS appliance and install anything you want.

Re:

[fredprado]

Legally you can jailbreak iPhones (at least for now) as it was made an exception for it, but there is no exception for iPads, for example, and jailbreaking it is and always illegal, because of DCMA.

Re:

[fredprado]

For OS X it still is customizable. It won't be for long, though. For iOS it is not and never was.

How it feels to be stupid, sheeple?

Re:

[BasilBrush]

For OS X it still is customizable. It won't be for long, though.

How many years have you been claiming that now? Longer than "The Year of Linux"?

Re:

[fredprado]

Nah. Maybe since iOS came in 2007, if you really want to stretch it, and since then Apple has been pushing slowly but steadily in this direction with OS X.

And although Linux desktop is still not a worry for MS, Linux has reached the end user market very well through Android mobile devices, and dominated the server market.

Re:

[BasilBrush]

and since then Apple has been pushing slowly but steadily in this direction with OS X.

But they haven't

Re:

[fredprado]

Yet...

Re:

[BasilBrush]

No, I mean they haven't "been pushing slowly but steadily in this direction with OS X."

Arbitrary third party software is just as installable on OSX as it always was.

Your prediction is just as wrong as it's always been. It's just stupid.

Re:

[fredprado]

They have been pushing slowly in the same way they always do. First by giving you a choice of opting for their control, as it is now, then making it mandatory.

OS X isn't just like iOS yet for a single motive: Apple does not have a strong hold over the desktop market. If this happens we will see the same policies they have applied to iOS applied to OS X, that if they don't decide to merge both platforms.

Re:

[BasilBrush]

OS X isn't just like iOS yet for a single motive: Apple does not have a strong hold over the desktop market.

Right. So you think OSX is going to get a strong hold over the desktop market (what? 80%). And that's when your long standing and long failing prediction of lock-down will happen.

that if they don't decide to merge both platforms.

Yeah right. After all Microsoft has been so successful with trying to unify the UIs on it's mobiles and desktops. (Metro) How could Apple possibly resist making such a fuck up.

What;s happening her is you don't like Apple so you predict they will do stupid things, that will bring about their demise. Your problem is that Apple's sma

Re:

[fredprado]

They are already locking their platforms, as I explained. The fact that you choose to refuse to see it it is your problem, not mine. Ignorance is an opt in, my friend. Suit yourself.

Re:

[BasilBrush]

Given that I am the one that knows OSX from daily usage, and you don't, the ignorance is all yours.

You seem to think there's some restriction on OSX, that is not there.

Re:

[fredprado]

Sure there is you just need to enable it. Which is only an option. For now...

Re:

[cbhacking]

OS X was listed in TFA, but not in the headline of it. That headline was pretty directly re-used for Slashdot.

What, bias in the tech community?? No way...

Re:

[smash]

MENTIONED in TFA. Not confirmed as hacked. It didn't fall (yet).

Re:

[tibman]

I don't think a team would show up to crack OS X if they couldn't already do it at home. But a confirmation would be good!

Re:

[fredprado]

Slashdot and all other tech sites are full of Safari exploit cases, my friend, including those that are used to jailbreak iOS devices.

Re:

[smash]

For previous versions, which isn't what they were testing here.

Re:

[fredprado]

Just for your education. This is the last Safari release known vulnerabilities list:

http://www.cvedetails.com/version/130707/Apple-Safari-5.1.7.html [cvedetails.com]

Re:

[fredprado]

Oh and if you refer to the OS X only Safari 6 that had a prize in this event, nobody even tried to hack it in this convention...

http://nakedsecurity.sophos.com/2013/03/07/pwn2own-results-java-chrome-ie-10-and-firefox-owned-on-day-one/ [sophos.com]

Re:

[rtfa-troll]

So, at what point do we wake up and realize that current models of hardware and software development are fundamentally flawed in terms of having products which by their very nature introduce unacceptable security risks to store any data or information? (I was going to write data or information which can cause monetary loss or expense, but really...)

This insight is as old as the hills. Or at least the '80s. It is the fundamental driver behind the "full disclosure" movement which has, in a sense, been and gone.

Or, rather, at what point does someone wake up and develop a system that can be trusted out of the box to be secure? And consumer buys into the nature that while shopping / releasing credit card data / etc. is fun and may be necessary, but it is in the best interest to pay a little more for a (less advanced) system that does not and can not be exploited?

Start by defining "trusted". Should my local system block me from putting my Visa card number into a web site because the web site isn't safe?

If you mean "locally trusted"; top level, secure operating systems running on very secure hardware have been build. Even in military applications they have become a commercial failure because it takes

Re:

[Bob the Super Hamste]

Then why am I investigating how to secure various systems using either SELinux or AppArmor for work?

Re:

[fredprado]

Or, rather, at what point does someone wake up and develop a system that can be trusted out of the box to be secure

Sorry, but that is simply impossible. Nothing is perfectly secure and nothing will ever be.

Re:

[fuzzyfuzzyfungus]

Local attackers might be fundamentally unsolvable, I'll leave that one to the physicists; but attackers who don't get to modify the hardware face the limits of the fact that software is ultimately math, and math about which certain things can be proven.

It is true that it is arduous and/or impossible to prove many of the properties we are interested in in software complex enough to actually have any customers; but it isn't impossible in the general sense.

Re:Fundamentally Flawed

[ledow]

When pigs fly.

Seriously, this is like saying "why doesn't someone just make a car that can't crash, or a plane that will never stop flying?".

We can make computers that you can bet your life on. They still fail, but the failure rate is so low that we can bet people's lives on them every day (I'm not talking traffic lights - whose total failure isn't really that big of a deal in the long run, but things like life-support machines, nuclear reactors, etc.). It's EXTRAORDINARILY expensive, and relies on there being an absolute minimum of human input at runtime.

Even spacecraft and aircraft send two or three of the same computers up so they can just swap them out or take the majority vote. You can design systems all you like to be infallible, the fact is that they aren't - even in terms of hardware, and certainly not in terms of software. And the more you want to do with them, the more the work needed to eliminate problems increases - usually exponentially.

Have you seen how much it costs to formally prove code? Hell, just putting the requirements to begin the process can be something more expensive than an entire development cycle of conventional programming, and still contain human errors that the computer will happily prove to be correct (because they are) even if that's not what the humans involved intended (and thus you have a classic software bug again).

By comparison, your web browser is more complex, has more to do, updates more often (new specs and features, etc.) and is business-class programming, not critical. It would take decades or even centuries of man-hours to formally prove even a tiny section of it and every time it changes you need to do it again.

You can't design a secure language to express these things in. You can't design a machine that will cope with anything. You can't design a process involving humans that will be infallible.

Hell, we can't even design a piece of software that will find these bugs by itself (or else we wouldn't need bug-testing) - and yet MILLIONS is spent every year on products that help do just that (static code analysers, fuzz-testers, standard-compliance suites, etc.).

You will never have a "secure" computer, as long as its users and designers are human. When machines start to replicate themselves and write their own operating systems, then maybe it's possible (but how to get there without relying on the output of a human to do that job in the first place?).

Until then, honestly, what do you suggest? A "secure" programming language? There's been hundreds of attempts and ironically Java was one of them (it's all contained within a virtual machine, don't you know?, and thus can't damage the computer it's installed on.... least that's how it was sold for over TWO DECADES).

Summary: It ain't gonna happen in your lifetime. You can deal with it, or prove everyone in CS wrong.

Re:

[jhol13]

I disagree with you whemently.

Two or three, or seven, computers do not help if there is a SW bug. And don't give me "separate teams making different SW" bullshit, it has been proven that they all make the same mistakes.

Formal proving? It is neither necessary and the assumptions the proof takes are usually far too lenient.

The web browser, while complex, should not be designed so that every line of code is potential security breach - so big a hole that just looking at a textual input will give attacker whole

Re:

[msauve]

"at what point does someone wake up and develop a system that can be trusted out of the box to be secure?"

Today. Just don't connect to a network or use writable, removable media.

It's all a matter of trust vs. risk. How much do you trust that some software officially signed through Microsoft is really OK? Or that SSL keys signed by a CA [eweek.com] provide any security?

It's easy to complain - you're saying it's "fundamentally flawed," but not offering any examples of what isn't. People have broken into bank vaults, t

In the real world...

[Parker Lewis]

Browser, like anything in our life, cannot be 100% safe. You don't have any security system (at houses, banks, computers) 100% failsafe. Best you can do is make the "thief" life a little bit harder.

Re:

[PerfectionLost]

When software stops being made for end users.

Not fundamentally, but economically?

[Anonymous Brave Guy]

So, at what point do we wake up and realize that current models of hardware and software development are fundamentally flawed in terms of having products which by their very nature introduce unacceptable security risks to store any data or information?

That's hardly a secret. It's a cost/benefit question, and there is enough benefit around right now that most people are willing to pay the cost/accept a modest risk rather than going without.

Or, rather, at what point does someone wake up and develop a system that can be trusted out of the box to be secure?

You'll never have perfect security, because many useful things are inherently insecure on some level. But yes, we could certainly do a lot better than we do right now.

I personally suspect that any qualitative shift in the industry first needs the development of an industrial-scale application programming language (and a comprehensive supporting ecosystem in terms of tools and libraries) that manages to combine reasonably high performance and flexible low-level access with much stronger architectural support features than any mainstream language offers today.

We know a lot about how to build such a programming language already, and many useful techniques are already tried and tested in more academic/obscure/innovative languages. Unfortunately, this is a chicken and egg kind of problem: you need to get enough developers using your language that the ecosystem develops enough for mainstream industrial use, but attracting the non-enthusiast developers needs some sort of ecosystem to be there already. And as long as most customers are willing to pay significant money for software that doesn't have lots of bugs/vulnerabilities, accepting these things are somehow inevitable in the way that most non-geeks today probably do, there isn't sufficient commercial incentive for the few organisations that could actually do it to throw megabucks into developing the language and a bootstrappable ecosystem from scratch right now.

Re:

[sjames]

Probably at the point that people are ready to pay for it.

At what point will we build houses that cannot be burned, blown to bits, crushed by a tree, or broken in to? Unlike a web browser, human lives hang in the balance with the houses we build.

Re:Fundamentally Flawed

[robmv]

ChromeOS was designed to be tamper resistant, so it can detect changes on the installed code. but the UI is a freaking browser and because of that any vulnerability on the browser that doesn't need changes on the installed code is possible, like reading your stored passwords, accessing your web sites sessions, etc.

Re:

[TheLink]

I just use different browsers that are run using different restricted users. That way if my Slashdot browser gets pwned it doesn't affect my banking browsers. Nor does it affect my main user account.

Yes these pwn2own guys probably have zero day privilege escalation exploits, but as the joke goes, I don't have to outrun the bear, I just have to outrun Joe Average. And Joe Average will never do something like this. Especially since the browser won't have enough privileges to update itself normally - I have to

Re:

[butalearner]

If a skilled hacker specifically target me I'd be pwned but why would they bother?

This is the important bit. At this point, the only people this type of thing matters to is government and corporate users that handle sensitive information. And even then, social engineering is far easier and more effective.

Re:

[helix2301]

ChromeOS and Chrome browser both been hit really hard this year.

Re:

[smash]

ChromeOS was designed to make google money out of the box. Secure out of the box is/was primary marketing slogan.

Re:

[Fastolfe]

How does Google make "money out of the box" from ChromeOS?

Re:

[Ol Olsoc]

Wait! Did someone get a box with Chrome?

Re:Fundamentally Flawed

[smash]

You do understand Google's entire business model, yes? Essentially "you give us your data, we mine it and target ads at you".

No love for Safari?

[Sponge Bath]

$100,000 for popping Chrome on Windows 7; the same for hacking Internet Explorer 10 on Win 8; $75,000 for ripping up IE9 on Win 7; $60,000 for owning Firefox on Win 7; and $65,000 for exploiting Apple Safari on OS X Mountain Lion.

$65K was not enough to bang up Safari?

Re:

[MatrixCubed]

Safari who? [wikipedia.org]

Re:

[smash]

You know. The browser that probably accounts for more traffic than the built in android browser. That has previously been hacked pretty much first thing every year so far.

Gatekeeper, sandboxing the web worker process and ARC in the development kit maybe paying off.

Re:No love for Safari?

[Shados]

The browser that probably accounts for more traffic than the built in android browser

Built in android browser? Let see... ::pulls out his nexus phone...::

You mean Chrome?

Oh wait, you mean the OLD android browser, from the version of android that barely worked on the internet at all, even though it still has more marketshare.

Yeah, no surprise that that shitty browser isn't on the radar either.

Re:

[LordLimecat]

Theyll get there tomorrow-- they havent failed to breach OSX yet. The shocker this year is that OSX / Safari didnt fall on day one-- the question is whether thats due to actual security, perceived difficulty, or lower prize money.

Re:

[tlhIngan]

Theyll get there tomorrow-- they havent failed to breach OSX yet. The shocker this year is that OSX / Safari didnt fall on day one-- the question is whether thats due to actual security, perceived difficulty, or lower prize money.

That is an interesting shocker. Because usually pwn2own, the Mac goes first (because beating it got you a nice MacBook Pro), followed by Windows (normally some nice Sony laptop), and then Linux (some generic Dell). The lower prize money typically reflects that - everyone normally a

Re:

[JonJ]

That is an interesting shocker. Because usually pwn2own, the Mac goes first (because beating it got you a nice MacBook Pro), followed by Windows (normally some nice Sony laptop), and then Linux (some generic Dell).

Linux has never been hacked in pwn2own.

Not desireability of the HW.

[mjwx]

Erm, no.

The Pwn2Own contest offers cash prizes, they have done this since 2011. In fact they haven't given away a laptop since 2010. This year it's US$60,000 for first place, US$30,000 for second and US$15,000 for third. Laptop type has nothing to do with it, in fact they're targeting browsers exclusively which are running on a fully patched Win7 or latest OSX version. Points are awarded for each exploit, 0day's are worth the most, known exploits (2 have been left deliberately unpatched and will be annou

Re:

[Anonymous Coward]

Safari for Windows was abandoned [wikipedia.org] (no version 6) and this year Pwn2own is targeting Windows browsers only.

Researchers tore holes through browsers on Windows

[dgharmon]

Do any of these exploits work on Linux?

Re:

[Anonymous Coward]

Not the IE ones :) maybe the Java one

Probably the Firefox one

The chrome one partially, they used a kernel exploit to break out of the chrome sandbox

Re:Researchers tore holes through browsers on Wind

[Anonymous Coward]

http://www.internetnews.com/skerner/2011/03/why-pwn2own-doesnt-target-linu.html

Pwn2Own will target IE, Firefox, Safari and Chrome all running on Windows 7. Windows XP isn't on the target list and neither is Linux, for different reasons.

I spoke with Aaron Portnoy, Manager of the Security Research Team at HP TippingPoint the other day and asked him why Linux wasn't being included. Apparently the question is among the most common questions he is ever asked about Pwn2Own.
"Linux is not an operating system that has widespread use with any one particular distribution, flavor or configuration," Portnoy said. "In general Linux is still a server-based operating system, people do use it on the desktop, but you can't go to BestBuy and buy Linux with a specific distro on it that everyone uses that has widespread market share. If we were to include Linux, we'd have even more controversy and we just don't want to deal it."

Re:

[devent]

Year right. That is why Linux is very much deployed on Desktop Computers. Like in Governments and in companies.
Here is a list: http://en.wikipedia.org/wiki/List_of_Linux_adopters [wikipedia.org]
The only reason is that Linux was not busted in the last 5 (or something like that) pown2own contests. It looks really bad if your system (ehem Microsoft) is busted in 5 minutes and a Linux system like Ubuntu will not get busted at all.

Re:

[ais523]

Most likely, I'd guess that some of them would be hitting cross-platform parts of the browser, and so the exploit would work in order to break out of the browser sandbox. Because Windows code doesn't run directly on Linux, the rest of the exploit would have to be changed to work correctly on Linux, but that would be a reasonably routine porting job.

If the exploit hits a platform-specific part of the browser, it wouldn't work on any other OS, because the part it was trying to attack wouldn't exist.

Re:

[dacaldar]

You care if you own a smartphone. The new BB10 browser from BlackBerry outperforms desktop browsers in HTML5, and runs on top of QNX, which is like a more stable, secure version of Linux. I'd like to see someone try to hack that, especially in comparison to Android and iPhone.

Re:

[smash]

runs on top of QNX, which is like a more stable, secure version of Linux.

The sky is blue and therefore I like rollercoasters.

Just..... no. It's like saying VMS is a more stable secure version of Windows, the two platforms have about as much in common. Probably more, given they're both the children of Dave Cutler.

Interesting /. bias

[roman_mir]

Security researchers tore holes through all major web browsers, breaking Windows 8 and Java, too (though the latter feat is not remarkable).

- at this point I have to wonder what are the underlying reasons for the obvious bias present on /. against Java, because clearly there is something at work here, so where does the money trail lead? Is Dice holding a short position against Oracle or something? Is there something else going on? Is it a pro-Apple product and anti-Android stand?

Personally I dislike Oracle as a company because of their insidious penetration of all facets of medium to large businesses (everything must be Oracle), but not Java

Re:

[smash]

The bias is against java at the moment largely because it is owned by Oracle who is evil, but also because lately, its security record has just shown it to be complete and utter CRAP.

Re:

[amicusNYCL]

Obviously the sandboxed JVM browser plugin has various issues, but the slander against the entire Java platform is getting repetitive.

As far as I see it, there are 2 major problems. One is that the name "Java" refers to too many things. Vulnerabilities get found in the Java browser plugins, and get reported as "Java vulnerabilities". Even my boss (who is no longer a programmer, and has no experience with Java, even though he runs a tech company) heard about Twitter, Facebook, Apple, et. al. getting attacked because of "Java" (specifically, the browser plugin components), and that caused him to recommend to one of our customers that the

FRONT PAGE NEWS!!!

[Sterculius]

Wow, you mean really large complex systems can be hacked by smart people with a lot of time and sophisticated tools? Knock me over with a feather.

Safari

[smash]

Not hacked? First time ever! :D

Safari wins!

[goombah99]

"Safari on Mac OS X Lion was the only browser left standing at the conclusion of the zero day portion of pwn2own. "

Perhaps it's also telling that the prizes for winning are Mac Laptops.

Re:

[smash]

It's been hacked every year previously, mostly by the same guy. I suspect that the sandboxing of the web process in the current version, gatekeeper in Mountain Lion, and ARC support in the current development tools (to make memory management easier and less prone to error) is paying off.

Once again, no Opera

[TheKeyboardSlayer]

Once again, pwn2own ignores the Opera web browser. This makes me sad...I recently switched exclusively to Opera after toying around with it for almost 10 years now. I've been completely happy since. I will say this, Opera takes security more seriously than any other browser out there...just an example is when the Certificate Authority hack came into play in 2011...All other browsers were twisting their knickers but Opera just yawned and said:

Browsers that do not have protection against blocked revocation lists will need to rapidly issue an update to fix any new certificate abuse. In Opera, users are protected automatically when the certificate is revoked. If the CA has a general problem, or a CA is no longer being used, we can remove it from our list of trusted CAs behind the scenes, and the user will also be secure, without needing to change anything in her browser.

This was the default setting in opera.

In my opinion, Opera has my interests at the forefront when it comes to security. Whether or not that would translate to being more resistant to hacking attempts at pwn2own, I have no idea...but I really wish they'd give it a go one of these years just to see.

Re:

[amicusNYCL]

While I would like to see Opera get the recognition it deserves as a good browser, I'm actually OK with it being "obscure". To me that means virtually no chance that there will be attacks targeted at the browser itself. I have plugins on click-to-play, don't have Java plugins or Acrobat even installed, and I feel just fine using Opera on any site.

What about Opera?

[Anonymous Coward]

Invulnerable or did nobody try?

Re:

[TheKeyboardSlayer]

They don't try because they say the userbase is too small. But it just hit 300million users. It's also one of the most popular mobile browsers out there...it was tops in May of 2011 iirc.

Sidenote: The organizer of pwn2own, Aaron Portnoy, supposedly uses the Opera Browser. Go figure.

Re:

[smash]

Mobile opera, at least on iOS is just a wrapper around the iOS webkit library. All the heavy lifting is done by webkit, so as far as iOS opera goes, any vulnerability that affects Safari probably affects Opera on iOS too. And vice versa.

Re:

[amicusNYCL]

Opera Mini is a wrapper. Opera Mobile is a full-fledged browser, I even have it send a desktop user agent string and it will render pages meant for a desktop just fine, with the speed that Opera users come to expect.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[MobyDisk]

the proof of concept attack code will remain in the hands of organisers only

I find it ironic that after telling us that nearly every major operating system was hacked, they conclude by assuring us that the exploit code is kept secure.

I assume that the Firefox bug is in JS?

[John Hasler]

n/t

Linux

[Lord Lode]

For operating system, why do they only try Windows there? I, for one, would love them to try Linux as well, to help find exploits, which I'm pretty sure they'd find just as well.

"Windows All Hacked At Pwn2Own"?

[hobarrera]

There's no mention of any vulnerabilities on any other OS. Does this mean they're only windows-specific issues?

Must Say

[Zamphatta]

The article points out that the hacks were done on Windows & Mac's. So simply saying "oh, these browsers are all flawed", is suggesting something that is either not true or something unknown. After all, it's entirely possible that the flaws do not exist in Linux or non-Mac-BSD versions of the browsers. I've seen articles go on like this before... about how all the browsers are hackable, but they only really know (or mean) that all the browsers are hackable on a certain platform. I'm tired of that FUD.

Re:

[smash]

The hacks work on the desktop platforms that matter if you're chasing maximum number of botnet hosts. Linux as far as desktop usage goes is barely a blip on the radar, and trying to target the myriad of different variants contained within that 1 percent of desktop users is just not worth the effort. You'd be spending say 10x the effort to hack the Windows and OS X to target the many different linux variants for a maybe 1% increase in terms of number of machines owned.

And if they did test at pwn2own - w

There is silver lining here

[MobyDisk]

Despite the fact that zero-day vulnerabilities still exist, we should note that software has gotten harder to exploit over the years. For example:

Firefox was popped with a use-after-free vulnerability and a new technique that bypasses Address Space Layout Randomisation (ASLR) and Data Execution Prevention (DEP) in Windows, Vupen said...Windows 8 also fell to the security consultancy which cracked Microsoft's Surface Pro using two Internet Explorer zero day vulnerabilities and a sandbox bypass.

So in each case they had to chain 3 vulnerabilities together to make this work. That means that we are at least improving security, albeit not enough. Fixing any 1 of those vulnerabilities makes the exploit no longer work.

Re:

[gstrickler]

ASLR is not a security feature, it's an obfuscation feature.

Re:

[MatrixCubed]

Try looking for Kansias.

Re:

[smash]

For the people who need Java, it often IS a mission critical component (and yes, often for applets). And it is a FUCKING JOKE lately. AGAIN this morning another update.

Re:

[devent]

Did you get a virus or trojan because of a Java Applet?
It is so bothersome to update Java? Normally it's just a popup in Windows where you can click and update.
Your browser have probably way more security holes and I'm not see people scream "fucking joke" if they need to update Firefox again. (On my Fedora Linux I need to update Firefox every week, you don't see me scream "fucking joke").

Re:

[smash]

The whole point of java was to run cross platform code in a secure manner. The fact that it is the most insecure software on a typical machine these days is the joke. And no, my browser, and yours is not less secure than Java, which has had way more than 65 vulnerabilities patched in the last month alone.

Re:

[devent]

You are going to based your "security meter" on how many vulnerabilities were _patched_?
All it means is that 65 vulnerabilities were patched, nothing more.
It's like Microsoft that try to convince people that their IIS server is more secure, because Apache had more vulnerabilities patched than IIS.

In the Pwn2Own contest IE, Safari and Firefox were always busted, based on some sort of 0-day vulnerability. Just look at the past Pwn2Own contests. You really don't need Java at all to bust the web browsers.

Just l

Re:

[smash]

Sure, it's the metric by which Windows is judged when people point out how insecure it is.

But... OK lets go by how many zero days were exploited in the wild in the last 30 days.

It's still more than IE, Safari, Chrome and Firefox in the same time frame.

Re:

[YurB]

I agree. By (consciously) using the word "hacking" instead of "cracking" when refering to activity related to circumventing computer security we show our disrespect of those who contributed [wikipedia.org] to the development of computing as we know it and who once asked us to differentiate the costructive "hacking" from the destructive "cracking". This is an example of constructive "cracking" though which is a special case.