Insecure Candidates: Chrome Wins Hacking Contest
At the CanSecWest Vancouver 2009 conference's PWN2OWN hacker's competition the Safari, Internet Explorer 8 and Firefox browsers were successfully hacked to run code on their systems. The Chrome browser was recognized as being the least impacted by the hackers.
The two-day PWN2OWN competition had but one goal: hacking an application as fast as possible to run code in it. The hacker contest is a feature of the annual CanSecWest conference, this year in Vancouver March 16-20, where standard PCs and Macs are subjected to vulnerabilities using the current version of the targeted software containing all the newest security updates. This year the hackers were to hack four fully patched browsers and five mobile devices. While the mobile devices remained "unscathed," almost all browsers failed the test in one way or another.
In less than 10 seconds Charlie Miller could open his MacBook with Safari and promptly won the $5,000 Zero Day Initiative prize. After jury members clicked a specially prepared link, Miller could control the system through an undocumented security hole.
Internet Explorer 8 was the next victim (ironically almost parallel to its official start in Las Vegas) to follow the MacBook pattern. A hacker named simply Nils used an undocumented vulnerability to control the Windows 7 subsystem and won another $5,00 prize from ZDI. He also exploited the first known security hole of IE8. Just earlier Microsoft's Dean Hachamovitch in his talk had praised the high security standards of IE8 with its Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) protection technologies.
Twice again Nils pulled off victories. First was a Safari exploit that won him another $5,000. Secondly, the Firefox competition didn't escape his schadenfreude and he won another prize through a zero day exploit: altogether $15,000 for Nils.
Uncontested winner of the day was Google's Chrome browser, even though Charlie Miller did find a vulnerability that he later admitted his sandbox prevented him from carrying out. Details of the vulnerabilities unfortunately weren't given out: the TippingPoint DVLabs host of the conference pretty much buys the discretion of the hackers through its prize money, but will pass things on to the browser manufacturers.
Comments
comments powered by Disqus
Tag Cloud
News
-
Google and NASA Partner in Quantum Computing Project
Vendor D-Wave scores big with a sale to NASA's Quantum Intelligence Lab.
-
Mageia Project Announces Mageia 3 Linux
Many package updates and Steam integration highlight the latest from the Mandriva-based community Linux.
-
FSF Outs the World Wide Web Consortium over DRM Proposal
Richard Stallman calls for the W3C to remain independent of vendor interests.
-
Debian 7.0 Debuts
The new release supports nine architectures, 73 human languages, and zero non-Free components.
-
Alpha Version of Fedora 19 Released
Fedora developers release the first alpha version of Fedora 19, known as Schrödinger’s Cat, for general testing. The final release is expected in July 2013.
-
ack 2.0 Released
ack is a grep-like, command-line tool that has been optimized for programmers to search large trees of source code.
-
SUSE Studio 1.3 Released
New features in SUSE Studio 1.3 include enhanced cloud integration, VM platform support, and lifecycle management.
-
Xen To Become Linux Foundation Collaborative Project
The Linux Foundation recently announced that the Xen Project is becoming a Linux Foundation Collaborative Project.
-
RunRev Releases Open Source Version of LiveCode
Open source version of LiveCode is now available for developing apps, games, and utilities for all major platforms.
-
OpenDaylight Project Formed
OpenDaylight is an open source software-defined networking project committed to furthering adoption of SDN and accelerating innovation in a vendor-neutral and open environment.
Opera