Chrome, Firefox, IE 10, Java, Win 8 All Hacked At Pwn2Own 183
mask.of.sanity writes "Annual Canadian hack fest Pwn2Own is famous for leaving a trail of bloodied software bits and today it did not disappoint. Security researchers tore holes through all major web browsers, breaking Windows 8 and Java, too (though the latter feat is not remarkable). Thankfully for the rest of us, the cashed-up winners will disclose the holes quietly to Microsoft, Mozilla, Google and Oracle, and the proof of concept attack code will remain in the hands of organisers only."
Re:Fundamentally Flawed (Score:5, Interesting)
Humans have been building infrastructure, houses, buildings, for thousands of years, and they still make mistakes (honest or out of greed by cutting corners) and these life critical infrastructure still fail left and right.
Software is often more complex, require more people to build, and often have stricter constraints for people who don't understand it, even though we haven't been writing software all that long.
In a few thousand years, if software doesn't have the same failure rate as building bridges does today, wake me up.
Researchers tore holes through browsers on Windows (Score:4, Interesting)
Re:Fundamentally Flawed (Score:4, Interesting)
People will not pay extraordinary amounts for slightly better hardware and software. (no apple doesn't count, they are good value for money, though you can't get good enough for low money from them.) Take for instance houses. People still make wood stick frame houses, even though they are quite lousy for insulation and longevity. A much better masonry or adobe house costs roughly 5-10% more, but they are very few and far between. Now take what most people are willing to pay for hardware ($0, free with subscription!) and software ($0). Now how does that figure into building them?
Interesting /. bias (Score:1, Interesting)
Security researchers tore holes through all major web browsers, breaking Windows 8 and Java, too (though the latter feat is not remarkable).
- at this point I have to wonder what are the underlying reasons for the obvious bias present on /. against Java, because clearly there is something at work here, so where does the money trail lead? Is Dice holding a short position against Oracle or something? Is there something else going on? Is it a pro-Apple product and anti-Android stand?
Personally I dislike Oracle as a company because of their insidious penetration of all facets of medium to large businesses (everything must be Oracle), but not Java as a language or as a VM. Obviously the sandboxed JVM browser plugin has various issues, but the slander against the entire Java platform is getting repetitive.
While a Java browser plugin may have security problems, I fail to see how this relates to server side Java usage (as an example).
OTOH even /. comments are so confused, mixing terms, mixing notions such as Java and Javascript and browser plugin, etc., permanently labelling JVM (or Java, I don't know which anymore) as a 'slow language' or 'slow platform' (again, there are too many of these too keep track) and whenever somebody says something to this effect without upfront stating exactly what they are talking about, it leads to page long threads that can't even agree on teh terms they are using.
This is destructive, not constructive.
Re:Fundamentally Flawed (Score:3, Interesting)
So, at what point do we wake up and realize that current models of hardware and software development are fundamentally flawed in terms of having products which by their very nature introduce unacceptable security risks to store any data or information? (I was going to write data or information which can cause monetary loss or expense, but really...)
This insight is as old as the hills. Or at least the '80s. It is the fundamental driver behind the "full disclosure" movement which has, in a sense, been and gone.
Or, rather, at what point does someone wake up and develop a system that can be trusted out of the box to be secure? And consumer buys into the nature that while shopping / releasing credit card data / etc. is fun and may be necessary, but it is in the best interest to pay a little more for a (less advanced) system that does not and can not be exploited?
Start by defining "trusted". Should my local system block me from putting my Visa card number into a web site because the web site isn't safe?
If you mean "locally trusted"; top level, secure operating systems running on very secure hardware have been build. Even in military applications they have become a commercial failure because it takes too long to build a feature on such a system so they mostly don't do the things that people need of them.
So; in the end; the answer to this is that things will only get better when people are willing to sacrifice some feature development for more secure development. Ask yourself; how many of us today are posting from OpenBSD? How many of us are posting from inside an SELinux sandbox? Both of those already have all of the features needed to do so. If you aren't willing to make the small sacrifices needed to run OpenBSD or web browse from inside a proper sandbox, how can you complain about the fact that the rest of the world which is even less interested in technology won't do anything about it?
Just start giving companies selling (N.B. not programmers writing; it has to be commercial system distributors) computer systems some liability for security failures (e.g. up to a max. of 10 times the price of the product they sold) and this will become much much better. As long as nobody's willing to do that nothing will happen.
Re:Fundamentally Flawed (Score:5, Interesting)
When pigs fly.
Seriously, this is like saying "why doesn't someone just make a car that can't crash, or a plane that will never stop flying?".
We can make computers that you can bet your life on. They still fail, but the failure rate is so low that we can bet people's lives on them every day (I'm not talking traffic lights - whose total failure isn't really that big of a deal in the long run, but things like life-support machines, nuclear reactors, etc.). It's EXTRAORDINARILY expensive, and relies on there being an absolute minimum of human input at runtime.
Even spacecraft and aircraft send two or three of the same computers up so they can just swap them out or take the majority vote. You can design systems all you like to be infallible, the fact is that they aren't - even in terms of hardware, and certainly not in terms of software. And the more you want to do with them, the more the work needed to eliminate problems increases - usually exponentially.
Have you seen how much it costs to formally prove code? Hell, just putting the requirements to begin the process can be something more expensive than an entire development cycle of conventional programming, and still contain human errors that the computer will happily prove to be correct (because they are) even if that's not what the humans involved intended (and thus you have a classic software bug again).
By comparison, your web browser is more complex, has more to do, updates more often (new specs and features, etc.) and is business-class programming, not critical. It would take decades or even centuries of man-hours to formally prove even a tiny section of it and every time it changes you need to do it again.
You can't design a secure language to express these things in. You can't design a machine that will cope with anything. You can't design a process involving humans that will be infallible.
Hell, we can't even design a piece of software that will find these bugs by itself (or else we wouldn't need bug-testing) - and yet MILLIONS is spent every year on products that help do just that (static code analysers, fuzz-testers, standard-compliance suites, etc.).
You will never have a "secure" computer, as long as its users and designers are human. When machines start to replicate themselves and write their own operating systems, then maybe it's possible (but how to get there without relying on the output of a human to do that job in the first place?).
Until then, honestly, what do you suggest? A "secure" programming language? There's been hundreds of attempts and ironically Java was one of them (it's all contained within a virtual machine, don't you know?, and thus can't damage the computer it's installed on.... least that's how it was sold for over TWO DECADES).
Summary: It ain't gonna happen in your lifetime. You can deal with it, or prove everyone in CS wrong.
Once again, no Opera (Score:5, Interesting)
Once again, pwn2own ignores the Opera web browser. This makes me sad...I recently switched exclusively to Opera after toying around with it for almost 10 years now. I've been completely happy since. I will say this, Opera takes security more seriously than any other browser out there...just an example is when the Certificate Authority hack came into play in 2011...All other browsers were twisting their knickers but Opera just yawned and said:
This was the default setting in opera.
In my opinion, Opera has my interests at the forefront when it comes to security. Whether or not that would translate to being more resistant to hacking attempts at pwn2own, I have no idea...but I really wish they'd give it a go one of these years just to see.
What about Opera? (Score:1, Interesting)
Invulnerable or did nobody try?
Safari wins! (Score:3, Interesting)
"Safari on Mac OS X Lion was the only browser left standing at the conclusion of the zero day portion of pwn2own. "
Perhaps it's also telling that the prizes for winning are Mac Laptops.
There is silver lining here (Score:5, Interesting)
Despite the fact that zero-day vulnerabilities still exist, we should note that software has gotten harder to exploit over the years. For example:
Firefox was popped with a use-after-free vulnerability and a new technique that bypasses Address Space Layout Randomisation (ASLR) and Data Execution Prevention (DEP) in Windows, Vupen said...Windows 8 also fell to the security consultancy which cracked Microsoft's Surface Pro using two Internet Explorer zero day vulnerabilities and a sandbox bypass.
So in each case they had to chain 3 vulnerabilities together to make this work. That means that we are at least improving security, albeit not enough. Fixing any 1 of those vulnerabilities makes the exploit no longer work.