One browser left standing after hacking contest
April 6, 2010 by Sam NarisiPosted in: In this week's e-newsletter, Security
A recent contest that paid researchers to uncover security flaws shed some light on an important question: What’s the most secure Web browser?
Security researchers Peter Vreugdenhil, of the Netherlands, and a German who identified himself only as Nils won a $10,000 prize at the “Pwn2Own” hacking contest by finding ways around IE8’s security features.
The hackers, running a fully patched version of Windows 7, found a way to disable the OS’s data execution prevention (DEP) and address space layout randomization (ASLR), two of the most highly praised security features of Windows 7.
The hack took a total of two minutes to complete. Vreugdenhil said it took him “six or seven days” to figure out how to make the attack work. He explains what he and Nils did here.
Microsoft responded a few days later, saying the security features are an effective way to prevent exploits but can’t possibly “prevent every attack forever.”
Though Microsoft was the big loser at the contest, it certainly wasn’t the only company to see its browser get hacked. Researchers also exploited flaws in Firefox and Safari, ComputerWorld reports.
The only browser researchers targeted that was still standing after the contest: Google’s Chrome. It was second year Chrome made it through the contest unexploited.
In the past, vendors have been quick to push out patches for the flaws uncovered at the contest, so those could be expected within the next few weeks.
DocuCrunch.com delivers the latest IT and Imaging news once a week to the inboxes of over 200,000 IT and Imaging professionals.
Click here to sign up and start your FREE subscription to DocuCrunch!
Tags: browsers, Chrome, Internet Explorer, Pwn2Own, Windows 7
March 31st, 2010 at 2:47 pm
“Though Microsoft was the big loser at the contest…”
You might want to do some research and read the full story here, before making silly comments:
http://www.pcworld.com/businesscenter/article/192419/security_lessons_learned_from_pwn2own_contest.html
Apple was the big loser this year – the iPhone was hacked in seconds using a Safari exploit, Mac OS also hacked through Safari, and today, they had to release 88 security patched to their “oh, so secure” operating system.
That right **88** security flaws. If Redmond releases a patch with 15 fixes, it’s the lead story on the national news!
March 31st, 2010 at 3:11 pm
Google Chrome? I’ll still stick with Firefox, by far the best.
April 15th, 2010 at 10:01 am
@James – if Redmond releases a patch with 15 fixes, that’s just about every Patch Tuesday. It doens’t make national news.
What makes M$ the big loser in this, regardless of Apple having problems with Safari, and Firefox also having exploitable flaws – it’s that it was with their latest-and-greatest, “most secure ever” OS, Windows 7, running their latest-and-greatest, “most secure ever” version of IE, IE8, both fully patched.
… and since they still do have the majority share of the browser “market” and Safari/Apple is a distant third or fourth place contender, it’s a big black eye for Redmond.
Safari/MacOS may be billed as more secure than Windows/IE, and it may well be true, but that doesn’t mean it’s perfect.
Another flaw in your logic: you say they released 88 patches, and equate that to 88 security flaws. MacOS is based on BSD, a *nix flavor. It’s a different paradigm than Windows. Those 88 patches may not have been to fix 88 security flaws, but rather to fix one or two – but 88 files had to be patched to fix them. When Microsoft releases a patch they don’t tell you how many files have to be patched to fix a particular flaw addressed by a KB. I’m not saying that there weren’t 88 security flaws, or that there were only two – this was only to illustrate the flaw in your logic.
May 7th, 2010 at 9:33 am
[...] browser rapidly gaining popularityOne browser left standing after hacking contestGoogle Cloud Printing: Smart idea or Cloud Cuckoo Land?Simplify the Complexity of your Data [...]