Chrome, Firefox, IE 10, Java, Win 8 All Hacked At Pwn2Own 183
mask.of.sanity writes "Annual Canadian hack fest Pwn2Own is famous for leaving a trail of bloodied software bits and today it did not disappoint. Security researchers tore holes through all major web browsers, breaking Windows 8 and Java, too (though the latter feat is not remarkable). Thankfully for the rest of us, the cashed-up winners will disclose the holes quietly to Microsoft, Mozilla, Google and Oracle, and the proof of concept attack code will remain in the hands of organisers only."
Re:Fundamentally Flawed (Score:5, Informative)
ChromeOS was designed to be tamper resistant, so it can detect changes on the installed code. but the UI is a freaking browser and because of that any vulnerability on the browser that doesn't need changes on the installed code is possible, like reading your stored passwords, accessing your web sites sessions, etc.
Re:Researchers tore holes through browsers on Wind (Score:5, Informative)
http://www.internetnews.com/skerner/2011/03/why-pwn2own-doesnt-target-linu.html
Pwn2Own will target IE, Firefox, Safari and Chrome all running on Windows 7. Windows XP isn't on the target list and neither is Linux, for different reasons.
I spoke with Aaron Portnoy, Manager of the Security Research Team at HP TippingPoint the other day and asked him why Linux wasn't being included. Apparently the question is among the most common questions he is ever asked about Pwn2Own.
"Linux is not an operating system that has widespread use with any one particular distribution, flavor or configuration," Portnoy said. "In general Linux is still a server-based operating system, people do use it on the desktop, but you can't go to BestBuy and buy Linux with a specific distro on it that everyone uses that has widespread market share. If we were to include Linux, we'd have even more controversy and we just don't want to deal it."
Re:No love for Safari? (Score:0, Informative)
Safari who? [wikipedia.org]
The browser that is largely responsible for WebKit being the most popular rendering engine, and whose mobile version is #1.
Re:No love for Safari? (Score:3, Informative)
You know. The browser that probably accounts for more traffic than the built in android browser. That has previously been hacked pretty much first thing every year so far.
Gatekeeper, sandboxing the web worker process and ARC in the development kit maybe paying off.
Re:Fundamentally Flawed (Score:2, Informative)
Fool, the setting is customizable.
Allow Applications downloaded from:
â Mac App Store
â Mac App Store and Identified Developers
â Anywhere
Choose either of these 3 options for your preferred level of control vs. safety. Change the setting any time you like.
Yes, the power is is in the hands of the administrator.
Now, don't you feel stupid?
Not fundamentally, but economically? (Score:5, Informative)
So, at what point do we wake up and realize that current models of hardware and software development are fundamentally flawed in terms of having products which by their very nature introduce unacceptable security risks to store any data or information?
That's hardly a secret. It's a cost/benefit question, and there is enough benefit around right now that most people are willing to pay the cost/accept a modest risk rather than going without.
Or, rather, at what point does someone wake up and develop a system that can be trusted out of the box to be secure?
You'll never have perfect security, because many useful things are inherently insecure on some level. But yes, we could certainly do a lot better than we do right now.
I personally suspect that any qualitative shift in the industry first needs the development of an industrial-scale application programming language (and a comprehensive supporting ecosystem in terms of tools and libraries) that manages to combine reasonably high performance and flexible low-level access with much stronger architectural support features than any mainstream language offers today.
We know a lot about how to build such a programming language already, and many useful techniques are already tried and tested in more academic/obscure/innovative languages. Unfortunately, this is a chicken and egg kind of problem: you need to get enough developers using your language that the ecosystem develops enough for mainstream industrial use, but attracting the non-enthusiast developers needs some sort of ecosystem to be there already. And as long as most customers are willing to pay significant money for software that doesn't have lots of bugs/vulnerabilities, accepting these things are somehow inevitable in the way that most non-geeks today probably do, there isn't sufficient commercial incentive for the few organisations that could actually do it to throw megabucks into developing the language and a bootstrappable ecosystem from scratch right now.
Re:No love for Safari? (Score:2, Informative)
Safari for Windows was abandoned [wikipedia.org] (no version 6) and this year Pwn2own is targeting Windows browsers only.
Re:Fundamentally Flawed (Score:4, Informative)