Slashdot: News for Nerds

IE8, Safari, iPhone All Fall At Pwn2Own Contest

timothy posted more than 3 years ago | from the sucks-to-be-everyone dept.

Security 223

SpuriousLogic writes "The annual Pwn2Own contest at CanSecWest is underway, and on the first day Web browsers fell to attack. Internet Explorer 8 and Firefox 3.6.2 on 64-bit Windows 7 and Safari on OS X all were forced to run exploit code. To add insult to injury, an iPhone was cracked and the SMS database lifted from it." Updated 22:40 GMT by timothy: CWmike adds this interesting bit: "The only researcher to three-peat at the Pwn2Own hacking contest said on Thursday that security is such a 'broken record' that he won't hand over 20 vulnerabilities he's found in Apple's, Adobe's and Microsoft's software. Instead Charlie Miller will show the vendors how to find the bugs themselves."


223 comments

Title misleading? (5, Insightful)

Anonymous Coward | more than 3 years ago | (#31618734)

Title misleading maybe... just a bit? Firefox got owned as well.

Re:Title misleading? (4, Insightful)

Anonymous Coward | more than 3 years ago | (#31618778)

Mod parent up. We all love firefox and all, but seriously, it deserves as much shame as all the other failed browsers. Submitter biased much?

Re:Title misleading? (2, Insightful)

dogmatixpsych (786818) | more than 3 years ago | (#31618984)

Actually I don't love Firefox. I use it as my main browser at home but I prefer Safari or Chrome. Firefox crashes frequently - at least a couple times a week - but I've never had problems with Safari or Chrome.

Re:Title misleading? (2, Insightful)

pete_norm (150498) | more than 3 years ago | (#31619100)

If you have that much trouble with Firefox, why do you keep using it?

Re:Title misleading? (1)

sortius_nod (1080919) | more than 3 years ago | (#31619182)

That was going to be my question. Pretty much I use Chrome for most of my browsing. If a page doesn't work, just IE tab it. Not even game to use Firefox these days due to sluggish performance and continual crashes.

I was, at one stage, a HUGE fan of Firefox. Before Mozilla fucked it up like they did with the original Mozilla/Netscape browsers.

Re:Title misleading? (1)

pnewhook (788591) | more than 3 years ago | (#31619724)

Same here. Got tired of IE slowness and switched to Firefox. But incompatibilities, slowness and the plugin nonsense got me to try Chrome and I love it. So much faster. Never looked back.

Re:Title misleading? (1)

dogmatixpsych (786818) | more than 3 years ago | (#31619548)

I use it because of the Add-ons. I've found replacements for most of my add-ons (most of them are stand-alone programs) but there are a few I still use. Also, I have a bunch of saved logins and passwords in Firefox that I haven't completely transferred to Safari. I'm transitioning away from Firefox but haven't made the leap yet (the newest update to Firefox has been considerably more stable though).

Re:Title misleading? (1)

CannonballHead (842625) | more than 3 years ago | (#31619278)

I use it as my main browser at home but I prefer Safari or Chrome

This sentence is strange.

Re:Title misleading? (1)

dogmatixpsych (786818) | more than 3 years ago | (#31619432)

I accidentally left off "at work". That's what I get for not really thinking through what I write.

Re:Title misleading? (5, Funny)

Red Flayer (890720) | more than 3 years ago | (#31619370)

Firefox crashes frequently - at least a couple times a week - but I've never had problems with Safari or Chrome.

Wimp. Firefox is open source. Why didn't you fork the project, fix the crashing problem, and then offer the patch code upstream while distributing Firefox under your own branding?

That's how open source is supposed to work, you ninny. Why don't you actually participate in it once in a while, instead of just being an end user?

Re:Title misleading? (0)

Anonymous Coward | more than 4 years ago | (#31619798)

This attitude doesn't help much. If a GP complains, and you ask him to patch, you better at least ask yourself a few questions before forcing him to fork:

Is firefox written in a language that is simple to know?

Does firefox assume knowledge of a framework that is beyond that language? (think XUL and how likely it is that even a learned /. user is automatically competent in it by just using the program)
Is the problem obvious? It likely will involve plenty of debugging.

That last one debunks the "fork it" myth.
1- There are bugs that are open for years on ubuntu boards, firefox boards, IE bug lists, and aren't solved by the large group
2- "Forking" involves a team of likeminded smart and determined users not affected by the issues I presented above. It also means that they are expected to maintain the project beyond just the main reason to fork. That is just how it rolls, in practice.
3- You are actually suggesting he does PATCHING.

Patching involves a lone-wolf approach to fix ONE problem and upload to the main codebase, which is what your comment is asking him to do. Lone-wolfing is hard because of the points I have already stated.

Re:Title misleading? (3, Insightful)

quadelirus (694946) | more than 4 years ago | (#31620372)

The parent, my friends, is an example of the literal.net. The grandparent to this post was clearly being sarcastic, but that was lost on the anonymous coward above.

Re:Title misleading? (0, Troll)

Alphathon (1634555) | more than 4 years ago | (#31619810)

Lack of skill, knowledge and expertise perhaps? Just because someone is on Slashdot does not mean that they are a programmer, or if they are a programmer are familiar enough with the code to do anything about it in a timely manner. I myself would love to be able to contribute to Firefox, but my meager knowledge of Java, Haskell and PHP doesn't really qualify me to, and I'm not about to learn C++ just to fix a crashing bug or bugs which will likely be fixed before I'm even past learning the basics, and I highly doubt the parent is either. BTW, I fully intend to learn C++ at some point, but that point isn't now, that's all. Also, I don't seem to have any crashing problems with Firefox...maybe I'm just lucky.

Re:Title misleading? (1)

Truth is life (1184975) | more than 4 years ago | (#31620024)

I'm almost certain (grand)parent is supposed to be sarcastic--otherwise, it's extremely over the top in terms of the amount of abuse offered. He's probably making the point that people who seriously advocate that for various things are somewhat deranged.

As for Firefox, I've never really had a crashing problem. Chrome hasn't (in my experience) been all that much faster, as the main limit on my surfing speed has been the utterly crappy net in my dorm, which routinely throws 503s for no reason whatsoever, it's from Google so I don't trust it, and overall I'm more familiar and comfortable with Firefox. That doesn't mean I'm perfectly happy with it; to take one minor problem, the location of the "Preferences" dialog, which is obviously extremely important, is inconsistent between Windows and Linux versions. Considering the heterogeneity of Linux distributions, it cannot be that there are some HIGs proscribing putting it under Tools (with, by the way, all the other configuration dialogs), so it seems like a bizarre design choice to penalize those switching either way, especially if they do it often, and especially if they have to configure that a lot.

Re:Title misleading? (5, Funny)

LordArgon (1683588) | more than 4 years ago | (#31620146)

I propose a new moderator option:

-1 Woosh

They had no choice, Slashdot headlines are short. (0)

Anonymous Coward | more than 4 years ago | (#31620324)

Just FYI, you don't get that many characters to work with in Slashdot headlines. They actually couldn't have listed all of them, so they appear to have listed as many of the shorter names as they could in the headline.

Try submitting a story sometime and you'll see what I mean...

Re:They had no choice, Slashdot headlines are shor (4, Insightful)

quadelirus (694946) | more than 4 years ago | (#31620396)

How about:

IE8, Safari, FF, iPhone All Fall At Pwn2Own

It has fewer characters.

Or, focus on one area: IE8, Safari, Firefox all Fall At Pwn2Own

And they didn't bother to mention Firefox in the description either, which clearly had enough space to include the word "Firefox."

Poor browsers... (0)

Anonymous Coward | more than 3 years ago | (#31618738)

all were forced to run exploit code.

I wonder if they can sue for rape or at least some form of sexual harassment.

Google Chrome (4, Interesting)

drcosquared (1720540) | more than 3 years ago | (#31618750)

Apparently none of them wanted to take on Google Chrome..I believe no one was able to crack it last year.

Well ... (5, Insightful)

WrongSizeGlass (838941) | more than 3 years ago | (#31618760)

... these guys (and gals?) all know what they are going to try before they ever get to this contest. It's not like they discover all these vulnerabilities during some epiphany once they arrive.

On the other hand, these security holes are real and need to be addressed by anyone and everyone that was shamed (this means MS, Apple, Mozilla, everyone) pronto!

Re:Well ... (3, Insightful)

andrea.sartori (1603543) | more than 3 years ago | (#31618888)

The very fact that these people know what to do beforehand is proof that app security is generally terrible.

Re:Well ... (3, Insightful)

Bill_the_Engineer (772575) | more than 3 years ago | (#31619062)

the very fact that these people know what to do beforehand is proof that app security is generally terrible

App security may be generally terrible, but I believe that the fact really proves that the contestants can keep a secret until the contest.

On the other hand... (4, Insightful)

Tetsujin (103070) | more than 3 years ago | (#31619088)

the very fact that these people know what to do beforehand is proof that app security is generally terrible.

Well, I think you have a very good point there - but on the other hand, the developers do have to prioritize the work they do. Finding and fixing a serious, but hard-to-discover security flaw before this flaw has become widely disseminated may not be worth the effort. In principle "security through obscurity" isn't a good policy but in practice it's often good enough. If the software has a serious flaw but nobody knows about it, that's good enough, at least temporarily.

Re:On the other hand... (-1, Flamebait)

sortius_nod (1080919) | more than 3 years ago | (#31619254)

Nice, you've just contradicted every security researcher over the last however many years. Congratulations on coming across as a fool.

No matter the security flaw, it needs to be fixed. ANY security flaw, no matter how obscure, will be exploited when it's known by the public at large. There is no such thing as "security through obscurity", it's a myth created by lazy programmers.

Re:On the other hand... (4, Insightful)

Tetsujin (103070) | more than 3 years ago | (#31619470)

Nice, you've just contradicted every security researcher over the last however many years. Congratulations on coming across as a fool.

Dude, we disagree. It happens. You don't need to be a douche about it.

Software Engineering is an engineering discipline. That means the principles according to which the product should work are always tempered by the reality of how the work must be conducted. What good is it, for instance, if you have the most secure browser of them all, if nobody uses it? That's an extreme case, of course, in which security concerns are so heavily emphasized that they would compromise some other essential concern (for instance, it could fuck up the release schedule, interfere with work being done to make the software run quickly, or take development resources away from the challenge of trying to make the browser more appealing to its audience...) Obviously there are other intermediate outcomes possible. But generally speaking one can't aim for perfection. If you set out to make something perfect, it never gets done, because it's never perfect. Obviously the bugs should be fixed... But finding and fixing a security flaw before an exploit has made its way into the wild is not necessarily the best use of development resources. It depends on the situation, really.

Re:On the other hand... (3, Insightful)

dougisfunny (1200171) | more than 4 years ago | (#31619796)

I usually aim for perfection, though I don't wait until then to release. Aiming for perfection is fine. Waiting for it is not, as attaining perfection isn't possible.

Re:On the other hand... (1, Insightful)

ClosedSource (238333) | more than 3 years ago | (#31619578)

"There is no such thing as "security through obscurity", it's a myth created by lazy programmers."

Right, that's why I give out my passwords to everyone I can.

Re:On the other hand... (0)

Anonymous Coward | more than 3 years ago | (#31619652)

GG on the stupid analogy.

Waiting until after a flaw is being used to infect people's computers before fixing it is the best form of security, and no security researcher should ever try to help get a flaw fixed beforehand, because the alternative is the EXACT SAME as giving our passwords to everyone we can.

Re:On the other hand... (0)

Anonymous Coward | more than 4 years ago | (#31619842)

my password on my bank site is 1234!ab.
my bank account pin is 2389.
my mother's maiden name is O'Conner.
I have $37,890.12 in savings, and about $2,200 in checking (it varies)

I'm also a gun owner in a castle doctrine state.

Security through obscurity is a myth?
COME GET SOME.

Re:On the other hand... (1)

RyuuzakiTetsuya (195424) | more than 4 years ago | (#31620076)

Yes, now that I know you have a gun, I'm going to pack Kevlar.

Re:On the other hand... (0)

Anonymous Coward | more than 4 years ago | (#31620176)

Teflon coated AP rounds > kevlar.

next?

Re:Well ... (1)

AmberBlackCat (829689) | more than 3 years ago | (#31619304)

I didn't see Opera get mentioned...

Re:Well ... (2, Insightful)

Lunix Nutcase (1092239) | more than 3 years ago | (#31619336)

Because it wasn't part of the contest due to its extremely small market share.

firefox on osx? (1, Insightful)

Anonymous Coward | more than 3 years ago | (#31618792)

is the firefox exploit windows x64 only? or is it an exploit in the common firefox code?
 
why does cracking the iphone add insult to injury? seems like you're throwing about cliches for the hell of it
 
capture: wetness... it's what slashdot makes me feel in my pants

As I said elsewhere on the net: (-1, Troll)

Khyber (864651) | more than 3 years ago | (#31618818)

Some of these exploits only took two weeks from conception to exploitation. TWO WEEKS. New product comes out, and POSSIBLY in 14 days you're fucked?

It seriously sounds like these idiots need to drop all high-level programming and go straight back to learning the BASICS first. Assembler and tight fucking code and source control.

Re:As I said elsewhere on the net: (0)

Anonymous Coward | more than 3 years ago | (#31618996)

How about you go rewrite WebKit/Gecko with HTML5 support and see how easy it is.

Re:As I said elsewhere on the net: (2, Funny)

Nerdfest (867930) | more than 3 years ago | (#31619046)

Yeah, especially in BASIC.

Re:As I said elsewhere on the net: (1)

garaged (579941) | more than 3 years ago | (#31619118)

Back to what? 10 and 20 years ago it was way easier to exploit computers; we are better, not good enough but better.

Re:As I said elsewhere on the net: (1)

Khyber (864651) | more than 3 years ago | (#31619686)

Assembler, by a rule, is just harder. Most 'programmers' couldn't understand the machine's native language if their life depended upon it. They are relying upon someone else's code to translate down to that, and if those methods are flawed they're screwed.

All security begins with the basics, and for computing devices, that basic is their native machine language. If you ignore the basics, you're going to be fucked later on.

Re:As I said elsewhere on the net: (1)

russotto (537200) | more than 4 years ago | (#31620080)

Most 'programmers' couldn't understand the machine's native language if their life depended upon it.

It's not that I can't understand it, it's that I can't read it. Alas, I simply cannot tell the difference between 2.8V and 0V.

Re:As I said elsewhere on the net: (2, Insightful)

Anonymous Coward | more than 3 years ago | (#31619162)

So if you're such a badass programmer please link to your assembly-coded web browser that contains zero exploits. Oh, you don't have one and you're just a posturing tard? Yeah, that's what I thought.

Re:As I said elsewhere on the net: (0, Troll)

Khyber (864651) | more than 3 years ago | (#31619700)

I work silicon, not software. I don't get exploited, nimrod, because I leave nothing for anyone to exploit.

Re:As I said elsewhere on the net: (0)

Anonymous Coward | more than 4 years ago | (#31619786)

Are you just trying to further prove my statement that you're a posturing tard? Because you aren't doing anything to invalidate that. Until you can pump out a browser that can support all web standards and all the plugins that these browsers in all the assembly languages that these browsers support you're just a blowhard.

Security is dead (3, Insightful)

Alwin Henseler (640539) | more than 3 years ago | (#31619188)

While I'm all for tight code where every byte is important, one could just as well argue that languages used aren't high-level enough.

Operating systems and apps are often coded in languages like C or C++, that allow a lot of things, which turn into vulnerabilities down the road. Assembly is king of this: it allows a programmer to do anything, including things that aren't safe, smart or correct. No matter how good the code you produce or how comprehensive your testing procedures are, the sheer size of software systems guarantees a number of bugs to be lurking.

Personally I think that security is dead as long as these languages are the tools, testing code is the norm (vs. some sort of formal verification), and coders are looking for bugs rather than proving they're not there. Fixing this will take a combination of new methods for building software, new design principles to manage system complexity, and safe(r) languages to write the code in. There's a lot of research around (see seL4 microkernel or Coyotos for example), but results rarely find their way into mainstream products. There's a long way to go still... or users just don't care enough.

Re:Security is dead (1)

Lunix Nutcase (1092239) | more than 3 years ago | (#31619250)

There's a lot of research around (see seL4 microkernel or Coyotos for example), but results rarely find their way into mainstream products.

Because it takes 10 times as long to write code that is totally formally verified?

Re:Security is dead (1)

Alwin Henseler (640539) | more than 3 years ago | (#31619682)

Because it takes 10 times as long to write code that is totally formally verified?

Good point. Except:

  • This may be important for proof-of-concept apps, where some party can profit from a first-mover advantage. For most everyday apps: not so much. For OS code: irrelevant. For most users, an OS should just work (and IMHO, be boring).
  • Much of the work is maintaining software after release. If you can slash the need for updates significantly, spending more time on the initial code may just be worth it. Fewer bugs also means: lower support costs.
  • Regardless of how big an effort, getting code right the 1st time is a one-time effort. Updating code after release OTOH, is an effort that is multiplied by the number of users (even if individual updates are easy & painless).

Re:Security is dead (3, Insightful)

Fareq (688769) | more than 4 years ago | (#31620410)

Vista, the pile of problems that it is, took thousands of people about 6 years to create.

It would have been simply infeasible to increase the work by 10x (since 10x as many people couldn't do 10x the work -- overhead and all -- we're talking probably at least 15x - 20x increase in cost to develop, and probably more elapsed time regardless of the number of engineers).

Even if it costs a trillion dollars, spread over 10 years, to fix things that could have been prevented with the 10x effort up front, it simply wouldn't have been possible.

Ultimately, we would all have to settle for slower innovation and simpler products.

So far, the market has decided that a somewhat-buggy, vulnerable, but cheap, advanced, and rapidly developed product is more valuable than an expensive, simple, but bulletproof application for most people's needs.

For some things, it is probably worthwhile to scale back expectations of complexity and innovation to increase invulnerability and guarantee correctness. Software running on the space shuttle or a nuclear sub strikes me as belonging to this category.

But, for right now... I wouldn't pay $2500-$5000 per seat for an operating system that was as advanced and capable as Windows 7, but which had zero crash bugs and zero security vulnerabilities. (and similar outsized pricing on other software that I use)

Nor would I be willing to pay today's prices for secure versions of 10+-years-ago software when the same prices could get me modern software.

Until we can find a way to decrease the comparative cost of building provably-secure systems (versus what is available with rapid development and "best efforts"), it isn't going to happen for most software.

Re:Security is dead (1)

icebraining (1313345) | more than 4 years ago | (#31619832)

You talk like they're doing it wrong.

Security is always a tradeoff. Yes, you can have a verified browser - and maybe you can reach Lynx features in six years. And remember, you'll also need a verified subsystem (L4 is a microkernel, it doesn't include much of the stuff you get from e.g. Linux), libraries, etc.

It's no different than physical security. Why don't we all have a bodyguard and bullet-proof cars? It's simply not cost-effective.

Publishing methods. (1, Interesting)

Anonymous Coward | more than 3 years ago | (#31618842)

I find it interesting that the IE exploit was published for the world to see, but the Mac and Firefox hacks have been held back.

Re:Publishing methods. (0)

Anonymous Coward | more than 3 years ago | (#31619752)

The exploit isn't, he says he's not allowed to disclose the exploit itself, but he kinda half explains the technical part.

I don't know enough to say that the exploit couldn't be reproduced by someone with the skills easily from his release, but it looked like he was describing how to get around DEP and ASLR in a really generic, non-IE specific way and posted nothing about IE itself, except strongly implying it was a bug in the javascript engine allowing him to buffer overflow.

So many exploits, so few hydrogen bombs (-1, Troll)

Anonymous Coward | more than 3 years ago | (#31618856)

You mean to say we had all those people trying out their exploits in one place and no one bothered to drop a bomb on the joint?
Sure it may not stop exploits from getting into the wild or script kiddies from using them, but if you have a roomful of cockroaches, doesn't it make sense to break out a can of RAID?

Re:So many exploits, so few hydrogen bombs (0)

Anonymous Coward | more than 3 years ago | (#31618992)

You're trolling, but...
Pwn2Own's crowd of whitehats is a drop in the bucket. Trying to eliminate all attackers by killing a single roomful of the good guys would be a pretty useless move.

Re:So many exploits, so few hydrogen bombs (1)

Bill_the_Engineer (772575) | more than 3 years ago | (#31619082)

There's an old saying about not killing the messenger...

Re:So many exploits, so few hydrogen bombs (1)

halowolf (692775) | more than 3 years ago | (#31619106)

Unfortunately for the messenger, sometimes they are the only ones at hand for some violence.

Re:So many exploits, so few hydrogen bombs (1)

Red Flayer (890720) | more than 3 years ago | (#31619474)

There's an old saying about not killing the messenger...

You make it seem like there's more to the saying that we're supposed to recall. Like, we lean back and think for a second, and then our eyes light up as we have an epiphany about how that multi-part proverb that relates to not killing the messenger is the perfect metaphor for the OP's lack of analytical thought.

When, in reality, the entire proverb is:

Don't kill the messenger.

So I vote we come up with some new clauses to add to that proverb. Like:

Don't kill the messenger, lest he rise from the dead with a hunger for brains.

Or:

Don't kill the messenger, because he might not have given you the whole message yet, in which case you have less information and so you might make an uninformed decision.

Re:So many exploits, so few hydrogen bombs (3, Insightful)

Locke2005 (849178) | more than 3 years ago | (#31619324)

That's analogous to suggesting that getting rid of all the drug-sniffing dogs will cut down on drug smuggling. What kind of world do you live in where the argument "If I don't know about it, then it must not exist!" is considered logical?

Re:So many exploits, so few hydrogen bombs (1)

xero314 (722674) | more than 4 years ago | (#31619820)

"If I don't know about it, then it must not exist!"

I gather that is a paraphrasing of "what you can not see can not hurt you", which is more accurately "what you can not perceive can not effect you" which oddly enough is an actual fact.

Now I'm not saying this is how we should handle security, just saying it is actually a valid statement.

It's also not what the GP was saying. They were saying that if we kill all the people that are smart enough to exploit the security holes then we would need not be concerned with anyone exploiting those security holes. Which also happens to be a fact, but seems like a lot of wasted intelligence.

Re:So many exploits, so few hydrogen bombs (0)

Anonymous Coward | more than 4 years ago | (#31620276)

I can't perceive hydrogen sulfide gas, but it can sure as hell affect me.

Cue the Fanbois in three...two...one (0, Troll)

sxedog (824351) | more than 3 years ago | (#31618860)

I feel for the Apple Fanbois who won't be getting any sleep tonight...coming up with a defense for why their flagship product got pwned. Newsflash: nothing is secure.

Re:Cue the Fanbois in three...two...one (0)

Anonymous Coward | more than 3 years ago | (#31619656)

It took more than 15 minutes [slashdot.org].

So 64-bit ASLR on Windows is flawed as well... (4, Insightful)

dingen (958134) | more than 3 years ago | (#31618876)

It was already known and acknowledged by Microsoft that their ASLR implementation on 32-bit Windows was rather weak, but apparently the 64-bit version of it can be bypassed as well, as all of the hacks of pwn2own on Windows 7 made use of return-to-libc attacks, which should be impossible on systems with address space layout randomization.

Re:So 64-bit ASLR on Windows is flawed as well... (1)

RyuuzakiTetsuya (195424) | more than 3 years ago | (#31619008)

So ASLR and DEP are both red herrings and don't fix the real problems with PC security!?

GASP! Where's my fainting couch?

Re:So 64-bit ASLR on Windows is flawed as well... (3, Informative)

aristotle-dude (626586) | more than 3 years ago | (#31619210)

It was already known and acknowledged by Microsoft that their ASLR implementation on 32-bit Windows was rather weak, but apparently the 64-bit version of it can be bypassed as well, as all of the hacks of pwn2own on Windows 7 made use of return-to-libc attacks, which should be impossible on systems with address space layout randomization.

You can corrupt memory on 64-bit Windows by just running MSFT's own development tools like VS.NET with the ReSharper plug-in. VS.NET begins to corrupt the address space rather quickly. To run VS.NET with any amount of stability on 64-bit Windows, you have to run it through a third party wrapper application which patches VS in memory to make it large address space aware and stop the memory fragmentation.

Re:So 64-bit ASLR on Windows is flawed as well... (1)

gparent (1242548) | more than 3 years ago | (#31619362)

VS has never done this for me. Which version of Visual Studio are you talking about? Really VS.NET? Because that's 7 years old AFAIK.

Re:So 64-bit ASLR on Windows is flawed as well... (1)

Sir_Lewk (967686) | more than 4 years ago | (#31620184)

That any program can do that is the real issue...

Re:So 64-bit ASLR on Windows is flawed as well... (3, Insightful)

geekboy642 (799087) | more than 3 years ago | (#31619568)

Wait, wait, don't tell me: Running an 8 year old development platform written by amateurs with an unsupported 3rd-party plugin in a 32-to-64-bit emulation layer on a modern operating system is unstable? Oh my fuck, it's Armageddon!

Re:So 64-bit ASLR on Windows is flawed as well... (1)

jpmorgan (517966) | more than 4 years ago | (#31620330)

???

I don't see memory fragmentation being a problem with 64-bit address spaces for a very, very long time. Unless a contiguous range of 2^40 addresses is just not enough.

Re:So 64-bit ASLR on Windows is flawed as well... (0)

Anonymous Coward | more than 3 years ago | (#31619312)

Were browsers used in the contest 32 or 64 bit versions? I wonder whether a 32 bit process can be given the same protections on Win 64 than a fully native 64 bit process may have.

Re:So 64-bit ASLR on Windows is flawed as well... (1)

Xenoflargactian (883930) | more than 3 years ago | (#31619726)

The attacker used a memory corruption bug to overwrite the null terminator of a string. He then read that string, which kept going until it hit another null terminator (two consecutive 0 bytes). He read memory he wasn't supposed to have access to, which included pointers to a C++ object's member functions (vftable). With these pointers in hand, he has defeated ASLR, because he has information about the address space that he's not supposed to have.

This is MS's fault for a memory corruption bug, but their ASLR implementation isn't broken (at least not by this attack).

Details if you're curious: http://vreugdenhilresearch.nl/Pwn2Own-2010-Windows7-InternetExplorer8.pdf [vreugdenhilresearch.nl]
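The over-read described in this comment (a string whose terminator was overwritten, then read until the next zero bytes, disclosing adjacent pointers) is the same bug class that shows up at a smaller scale whenever a fixed-size slot is filled without its terminator and read by a consumer that trusts one. The following is an added illustration, not code from the linked PDF or from the attack: the record layout, the "SECRET-POINTER!" bytes standing in for adjacent heap contents, and all function names are constructed for this example. It places the vulnerable store beside a hardened one and shows that a reader bounded by the slot size cannot walk into the neighbouring data even when the terminator is missing.

```c
#define _POSIX_C_SOURCE 200809L   /* strnlen */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed record layout (hypothetical, for illustration only): an 8-byte
 * name slot immediately followed by bytes the caller must never see. One flat
 * array keeps every read inside a single C object, so the over-read below is
 * deterministic rather than undefined behaviour. */
#define NAME_LEN   8
#define SECRET_LEN 16
#define RECORD_LEN (NAME_LEN + SECRET_LEN)

/* Vulnerable store: strncpy writes no terminator when the name fills the slot,
 * which leaves the record in the same state as a terminator overwritten later. */
static void store_name_unsafe(char record[RECORD_LEN], const char *name)
{
    strncpy(record, name, NAME_LEN);
}

/* Hardened store: reserve the last byte of the slot and always terminate. */
static void store_name_safe(char record[RECORD_LEN], const char *name)
{
    size_t n = strlen(name);
    if (n > NAME_LEN - 1)
        n = NAME_LEN - 1;            /* truncate instead of overrunning */
    memcpy(record, name, n);
    record[n] = '\0';
}

/* Reader that trusts the terminator, as a %s consumer would. A result larger
 * than NAME_LEN means bytes beyond the slot would be disclosed. */
static size_t bytes_read_trusting(const char record[RECORD_LEN])
{
    return strnlen(record, RECORD_LEN);
}

/* Defensive reader: bounded by the slot size, so it cannot reach the secret
 * even when the terminator is missing. */
static size_t bytes_read_bounded(const char record[RECORD_LEN])
{
    return strnlen(record, NAME_LEN);
}

/* Build one record; hardened != 0 selects the safe store. */
static void build_record(char record[RECORD_LEN], int hardened)
{
    memset(record, 0, RECORD_LEN);
    /* Constructed adjacent data standing in for the heap contents or vftable
     * pointers a real over-read would expose: 15 characters plus NUL. */
    memcpy(record + NAME_LEN, "SECRET-POINTER!", SECRET_LEN);
    if (hardened)
        store_name_safe(record, "ABCDEFGH");      /* exactly fills the slot */
    else
        store_name_unsafe(record, "ABCDEFGH");
}

/* Bytes a terminator-trusting reader would emit for the name. */
size_t demo_trusting(int hardened)
{
    char record[RECORD_LEN];
    build_record(record, hardened);
    return bytes_read_trusting(record);   /* 23 when unsafe, 7 when hardened */
}

/* Bytes a slot-bounded reader would emit for the name. */
size_t demo_bounded(int hardened)
{
    char record[RECORD_LEN];
    build_record(record, hardened);
    return bytes_read_bounded(record);    /* 8 when unsafe, 7 when hardened */
}

int main(void)
{
    printf("trusting reader: unsafe=%zu hardened=%zu\n",
           demo_trusting(0), demo_trusting(1));
    printf("bounded reader:  unsafe=%zu hardened=%zu\n",
           demo_bounded(0), demo_bounded(1));
    return 0;
}
```

The trusting reader on the unsafe record returns 23: the 8 name bytes plus the 15 secret bytes, which is exactly the disclosure the comment describes. The fix has two independent halves, and both matter: writers must always terminate (or truncate), and readers must bound by the slot size rather than by the terminator, so that a later corruption of the terminator is contained.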

Misleading; no credibility (5, Insightful)

carlhaagen (1021273) | more than 3 years ago | (#31618956)

The exploits were of course not found in the 5, 10 or 15 minutes advertised. They were all worked on for weeks, and even months, and were well-tested and prepared before being executed at the contest like a rehearsed stage play. Also worth noting is that the reason behind "Chrome only browser that withstood security breach" was that NO ONE TESTED CHROME AT ALL. I give this particular "Pwn2Own" show no credibility whatsoever because of these details.

Re:Misleading; no credibility (4, Insightful)

Elwood P Dowd (16933) | more than 3 years ago | (#31619194)

Isn't your point about Chrome invalidated by your point about the time taken?

Did no one attack Chrome because none of these researchers had an exploit that would work against it?

Re:Misleading; no credibility (0)

Anonymous Coward | more than 3 years ago | (#31619196)

Chrome is still a minority product. IE, FF and Safari are the main players these days. Where are you going to draw the line, Lynx? The fact is, the biggest browsers still have pathetic security. Particularly Safari, which is beaten within seconds every year, with the usual winner stating there are tons of holes in it waiting for later competitions.

Re:Misleading; no credibility (0)

Anonymous Coward | more than 3 years ago | (#31619236)

Chrome is more used than Safari.

Re:Misleading; no credibility (1)

CannonballHead (842625) | more than 3 years ago | (#31619316)

Chrome is in the list of targeted browsers, but apparently nobody tried it...

Re:Misleading; no credibility (4, Insightful)

Bill_the_Engineer (772575) | more than 3 years ago | (#31619264)

I give this particular "Pwn2Own" show no credibility whatsoever because of these details.

I believe what you really meant to say was that we shouldn't fall into the trap of believing that Chrome is actually safer due to the fact that no one really targeted it in this contest.

I've done my share of "Digital Combat Exercises" and you are correct that we should only view the contest as a verification that flaws exist, and not as a certification that a particular platform is safe.

For my first competition, my team concentrated on all the Windows machines on the network because we had a list of known exploits and figured that we could exploit them the quickest and therefore accumulate the highest score possible within the time limits. All teams used the same strategy, and the Linux machines weren't even targeted. This wasn't because Linux was safer, it was because we all knew Windows was a softer target. This made for some very close final scores.

For the following year's contest (in which I couldn't participate due to a schedule conflict), my old team paid attention to the known exploits for Linux and started targeting them to guarantee a larger lead going into the final minutes of the contest.

I think you'll see this pattern in all "hacker" contests. Each year more platforms will fall as each team strategizes on what will give them the edge during the time allotted. You'll probably see Chrome fall next year. Look at Safari in Pwn2Own: it wasn't until 2 years ago that people started to seriously attack it for the points.

Re:Misleading; no credibility (0)

Anonymous Coward | more than 3 years ago | (#31619720)

This wasn't because Linux was safer, it was because we all knew Windows was a softer target.

Uh?

Re:Misleading; no credibility (5, Funny)

Anonymous Coward | more than 3 years ago | (#31619744)

This wasn't because Linux was safer, it was because we all knew Windows was a softer target.

Whoa, whoa, WHOA. Just stop right there, Bill. I'm going to have to teach you a thing or two about what you're allowed to write here on Slashdot. Now give me a second to get on my high horse.

Reasoning is not welcome here.

That's right Bill. We don't need your reasoning here. We know we are right. This is Slashdot! We are the tech community. We know our OSes. We know our software. Just because of some contest with some rules and some teams that want to win the contest by the rules doesn't automatically invalidate our knowledge and wisdom as Slashdot.

Linux is more secure because it is open source and licensed under the GPL. It doesn't matter if it is still unsafe by your standards.

You see, Bill, we on Slashdot do not need to review the source code of Linux because we have declared it safe. Why is it safe? Because it is GPL. And everyone knows the GPL is safe. Therefore Linux is safe, Bill.

IE8 is mentioned first because it is owned by Microsoft, and Microsoft is evil due to historical technology atrocities against other for-profit software corporations. Therefore IE8 is the worst piece of software ever to exist.

So the reason why IE8 falls faster is not because you and your team thought the Microsoft product was "softer". It was because it was the spawn of the devil! Even wackos know the spawn of the devil should be hacked first. Don't you agree?

Firefox is not listed in the title because we need to get a head start on bashing proprietary software rather than reading the summary.

As a real Slashdotter, I pride myself in not reading the article let alone the summary. The title effectively summarizes the direction of all comments in the thread. And that direction is to bash proprietary software, starting with Microsoft first.

Here's a tip, Bill. The headline on Slashdot should give you a hint at what kind of comment you should post on Slashdot. If you are not capable of discerning that from the title, only then may you read the summary. Reading the article is only reserved for picking out additional points to backup your original claim, not to invalidate Slashdot's wisdom. And that would never happen because Slashdot's wisdom is never wrong in the first place.

Apple and Google are bad... but did you know that OSX is really UNIX and Webkit and Chrome are open source?

See, once again open source products are good for you. You should use open source products!

I hope that clears things up, Bill. Please refrain from posting useless comments in the future.

Thanks,

/.

Re:Misleading; no credibility (1)

Bill_the_Engineer (772575) | more than 4 years ago | (#31619980)

LMFAO. If I could, I would mod you funny.

Huh? "Pwn2Own" Has No Credibility? (1)

RobotRunAmok (595286) | more than 3 years ago | (#31619398)

Why would you ever imagine something called "Pwn2Own" might ever have credibility in the first place?

Did they try to crack Opera? (1)

citizenr (871508) | more than 3 years ago | (#31618976)

Article is so poor in detail :(

Re:Did they try to crack Opera? (2, Informative)

dingen (958134) | more than 3 years ago | (#31619084)

Opera was not one of the targeted browsers. Check out this page [tippingpoint.com] for info and updates on pwn2own.

BS without details (0, Troll)

Princeofcups (150855) | more than 3 years ago | (#31619030)

Is this another benign Safari hack that has no real world application, or another one where you need physical access to the box, or another that is already patched in the newer releases? What does "were forced to run exploit code" mean? It says "hacked into a MacBook." Is this another vulnerability in a 3rd party wireless driver? I'm not saying that it's not legit, but "Safari on OS X" without versions and details doesn't tell me a whole lot. Sounds like BS to me.

Re:BS without details (1, Funny)

Anonymous Coward | more than 3 years ago | (#31619126)

Aww, another knee-jerk Apple fanboy.

*pats you on the head* There there, little man, Mr. Jobs will make it all shinier so you don't have to think about it.

Re:BS without details (1)

TimHunter (174406) | more than 3 years ago | (#31619388)

Aww, another knee-jerk Apple fanboi.

FTFY. If you're going to reflexively slam Mac users, get your in-jokes right.

Re:BS without details (2, Insightful)

jo_ham (604554) | more than 4 years ago | (#31620274)

This is not about just Safari and OS X - all the details about browser exploits, including for Firefox and Windows are just too scant in detail.

Re:BS without details (-1, Flamebait)

Anonymous Coward | more than 3 years ago | (#31619504)

I wonder what utter fag modded the above comment "interesting". Apple apologetics aren't "interesting", they are gay.

Re:BS without details (1, Offtopic)

TangoMargarine (1617195) | more than 4 years ago | (#31620118)

The post would make just as much sense if you substituted the terms "Linux" for "OS X" and "Firefox" for "Safari," so I'd say it's not really very apologetical. And to be fair, they're valid questions because this kind of article does seem to come up a lot around here, a la "OMG they found an exploit for Linux! Oh wait, you have to be logged in as root, manually set it to executable, and ignore the security warning when you run it."

Re:BS without details (3, Informative)

Anonymous Coward | more than 3 years ago | (#31619546)

All of these hacks are real-world drive-by attacks against fully patched machines with default OS mitigations in place (ASLR, DEP, sandboxing).

You get pwn3d if you go to a malicious page, go to a legit page with a malicious banner ad/embedded iframe, get redirected (via malicious WiFi AP) to a malicious page, etc.

This is the third year in a row that Miller did this. He has street cred, so think before you call BS.

Re:BS without details (0)

Anonymous Coward | more than 4 years ago | (#31620060)

Every OS and app in this test was fully patched with no publicly known security exploits.

Turns out Apple programmers aren't demi-gods.

Really got to ask yourself why you spend your time defending a company when they fuck up.

They're interested in nothing other than profit, why the fuck do you people seem to take things on a personal level.

Kudos to Peter Vreugdenhil (1)

vikingpower (768921) | more than 3 years ago | (#31619048)

for his paper written on the plane ( and for his exploit ). Gawd knows how hard it is to write anything decent while travelling on a fucking plane.

Re:Kudos to Peter Vreugdenhil (-1, Offtopic)

Lunix Nutcase (1092239) | more than 3 years ago | (#31619208)

I have had it with these motherfucking snakes on these motherfucking planes!

Re:Kudos to Peter Vreugdenhil (2, Funny)

nextekcarl (1402899) | more than 4 years ago | (#31619868)

I've had it with these motherfucking bugs on these motherfucking browsers!

Holy Shit (2, Funny)

Onymous Coward (97719) | more than 3 years ago | (#31619086)

Instead Charlie Miller will show the vendors how to find the bugs themselves.

Well, there's an idea. Is it something that really can be taught?

Sandboxing news! (2, Informative)

Anonymous Coward | more than 3 years ago | (#31619438)

"However, neither the Firefox nor the IE 8 exploit could overcome the sandboxing features in Windows 7 Protected Mode."

big, good, relevant, no, yes?

Re:Sandboxing news! (1)

El Lobo (994537) | more than 4 years ago | (#31620174)

Good and relevant, but definitely not on slashdot. We prefer to ignore those bits of information.

iPhone hacked using a malicious website (0)

Anonymous Coward | more than 3 years ago | (#31619486)

In a related story, AT&T spins a lack of network coverage as a security feature!

I'd like to see crackers write their own browsers (1)

Rogerborg (306625) | more than 3 years ago | (#31619602)

As secure and hardened as they can make them, 100% standards compliant. And then cry and whine like little bitches as everybody sneers and calls them pathetic lamer noobs because their browsers totally suck at delivering content.

The sheer nature of HTML/JavaScript (1)

Vamman (1156411) | more than 4 years ago | (#31619958)

Putting all the server/database exploits aside, the whole client process of pushing a value in and seeing if it breaks will never go away. Web browsers are one of the worst possible tools to secure. The nature of their job seems to predict failure. As soon as some creative web monkey pushes the envelope another exploit is found. The Gecko and Trident engines can be pushed to break over and over. Chrome and Safari are not any different. You can follow the standards as much as you like. At the end of the day these tools are reading XML and Script and rendering/compiling. If you consider a browser for what it is, most of them have come a long way. I remember when a harsh sneeze would cause catastrophic failure and crashing =)