Beta

Slashdot: News for Nerds

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Chrome, Firefox, IE 10, Java, Win 8 All Hacked At Pwn2Own

timothy posted about a year ago | from the soooory-eh dept.

Security 183

mask.of.sanity writes "Annual Canadian hack fest Pwn2Own is famous for leaving a trail of bloodied software bits and today it did not disappoint. Security researchers tore holes through all major web browsers, breaking Windows 8 and Java, too (though the latter feat is not remarkable). Thankfully for the rest of us, the cashed-up winners will disclose the holes quietly to Microsoft, Mozilla, Google and Oracle, and the proof of concept attack code will remain in the hands of organisers only."

cancel ×

183 comments

Windows 8 (4, Funny)

Anonymous Coward | about a year ago | (#43104037)

Installing Windows 8 doesn't count as hacking it...

Hack DRM (-1)

Anonymous Coward | about a year ago | (#43104067)

Hack all the latest DRM crap into oblivion and I'm happy!!!

What? Not Mac? It must be impervious to hacks (1, Funny)

Anonymous Coward | about a year ago | (#43104069)

Right?

Re:What? Not Mac? It must be impervious to hacks (3, Funny)

Anonymous Coward | about a year ago | (#43104109)

They weren't hacking toys.

Re:What? Not Mac? It must be impervious to hacks (1)

marklark (39287) | about a year ago | (#43105781)

Yep, must be... ;^) So far, at least, since the article (but who (else) reads those?) makes no mention of it being compromised this time.

$65,000 if you can through, though.

Fundamentally Flawed (1)

Anonymous Coward | about a year ago | (#43104077)

So, at what point do we wake up and realize that current models of hardware and software development are fundamentally flawed in terms of having products which by their very nature introduce unacceptable security risks to store any data or information? (I was going to write data or information which can cause monetary loss or expense, but really...)

Or, rather, at what point does someone wake up and develop a system that can be trusted out of the box to be secure? And consumer buys into the nature that while shopping / releasing credit card data / etc. is fun and may be necessary, but it is in the best interest to pay a little more for a (less advanced) system that does not and can not be exploited?

Re:Fundamentally Flawed (-1)

Anonymous Coward | about a year ago | (#43104105)

ChromeOS was designed to be secure out of the box.

Re:Fundamentally Flawed (5, Informative)

robmv (855035) | about a year ago | (#43104199)

ChromeOS was designed to be tamper resistant, so it can detect changes on the installed code. but the UI is a freaking browser and because of that any vulnerability on the browser that doesn't need changes on the installed code is possible, like reading your stored passwords, accessing your web sites sessions, etc.

Re:Fundamentally Flawed (2)

TheLink (130905) | about a year ago | (#43105419)

I just use different browsers that are run using different restricted users. That way if my Slashdot browser gets pwned it doesn't affect my banking browsers. Nor does it affect my main user account.

Yes these pwn2own guys probably have zero day privilege escalation exploits, but as the joke goes, I don't have to outrun the bear, I just have to outrun Joe Average. And Joe Average will never do something like this. Especially since the browser won't have enough privileges to update itself normally - I have to use another account for updating the browser. It's not that inconvenient or difficult for me. Just launch the update browser and do the updating. But you can't expect Joe Average to do that regularly (probably have to automate it for them).

If a skilled hacker specifically target me I'd be pwned but why would they bother?

Re:Fundamentally Flawed (2, Insightful)

smash (1351) | about a year ago | (#43104673)

ChromeOS was designed to make google money out of the box. Secure out of the box is/was primary marketing slogan.

Re:Fundamentally Flawed (5, Interesting)

Shados (741919) | about a year ago | (#43104127)

Humans have been building infrastructure, houses, buildings, for thousands of years, and they still make mistakes (honest or out of greed by cutting corners) and these life critical infrastructure still fail left and right.

Software is often more complex, require more people to build, and often have stricter constraints for people who don't understand it, even though we haven't been writing software all that long.

In a few thousand years, if software doesn't have the same failure rate as building bridges does today, wake me up.

Re:Fundamentally Flawed (3, Interesting)

bdcrazy (817679) | about a year ago | (#43104217)

People will not pay extraordinary amounts for slightly better hardware and software. (no apple doesn't count, they are good value for money, though you can't get good enough for low money from them.) Take for instance houses. People still make wood stick frame houses, even though they are quite lousy for insulation and longevity. A much better masonry or adobe house costs roughly 5-10% more, but they are very few and far between. Now take what most people are willing to pay for hardware ($0, free with subscription!) and software ($0). Now how does that figure into building them?

Re:Fundamentally Flawed (1)

fredprado (2569351) | about a year ago | (#43104349)

Even if they do pay a lot for it, they will still end with a system that can and will be eventually exploited. The amount of effort it will take will be greater, most likely, but it does not grow as fast as the money you have to pour into the system.

Re:Fundamentally Flawed (1)

hobarrera (2008506) | about a year ago | (#43105315)

I'm not sure how well your analogy was chosen.
Latin american countries, for example, tend to use cement and bricks for house-building, not wood. I've never seem a wooden-framed (like the ones built in the US). I don't think those would cost less in most of the world either, since wood tends to be more expensive.

Re:Fundamentally Flawed (0)

Anonymous Coward | about a year ago | (#43105407)

Agreed but the trend in software is shifting away from robustness. We build infrastructure once, get the bugs out, then use it for decades while carrying periodic maintenance only. Software and computer hardware used to be like that, but the rate of innovation accelerated and it's come to the point where companies like to add new features every month, and stop supporting older versions after a handful of years. This just doesn't allow time to get all the bugs out and every new feature introduces more bugs.

Re:Fundamentally Flawed (1, Insightful)

alen (225700) | about a year ago | (#43104183)

apple did something like this with the latest version of OS X and the ability to block the install of any software outside of their app store

but the slashtarts were up in arms about this and how it violates their rights and whatever

Re:Fundamentally Flawed (0, Troll)

fredprado (2569351) | about a year ago | (#43104403)

And Safari is still exploitable as is OS X and iOS. You basically forfeited your control over your system and gave a third party the power to choose for you for an illusion of safety. Congratulations.

Re:Fundamentally Flawed (0)

Anonymous Coward | about a year ago | (#43104515)

Nobody forfeited anything. You can still easily install unsigned apps. It's just another safety precaution and it's perfectly reasonable.

Re:Fundamentally Flawed (-1)

Anonymous Coward | about a year ago | (#43104883)

Since when can you install a unsigned app on iOS without a paid developer account and a Mac computer?

Re:Fundamentally Flawed (2, Informative)

Anonymous Coward | about a year ago | (#43104677)

Fool, the setting is customizable.

Allow Applications downloaded from:
â Mac App Store
â Mac App Store and Identified Developers
â Anywhere

Choose either of these 3 options for your preferred level of control vs. safety. Change the setting any time you like.

Yes, the power is is in the hands of the administrator.

Now, don't you feel stupid?

Re:Fundamentally Flawed (2)

Zyrill (700263) | about a year ago | (#43104999)

You mean it is still customizable. It's not like you can install any software you want legally on your iOS appliance. But that is besides the point: even using Safari browsers, one is still susceptible to MITM, fishing, scamming ... attacks. So it isn't really a question of which browser/OS etc. you use. It is a question of infrastructure and the weakest link will always be the target.

Re:Fundamentally Flawed (1)

krakelohm (830589) | about a year ago | (#43105579)

Legally you can jailbreak your iOS appliance and install anything you want.

Re:Fundamentally Flawed (1)

Zyrill (700263) | about a year ago | (#43105721)

IMHO, that depends very much where you live. The US just banned even SIM-unlocking phones. And since jailbreaking iOS may be considered a circumvention of DRM, you also would be in violation of the DMCA and quite possibly similar laws in other countries. Or am I missing something?

Re:Fundamentally Flawed (1)

fredprado (2569351) | about a year ago | (#43105783)

Legally you can jailbreak iPhones (at least for now) as it was made an exception for it, but there is no exception for iPads, for example, and jailbreaking it is and always illegal, because of DCMA.

Re:Fundamentally Flawed (1, Insightful)

fredprado (2569351) | about a year ago | (#43105815)

For OS X it still is customizable. It won't be for long, though. For iOS it is not and never was.

How it feels to be stupid, sheeple?

Re:Fundamentally Flawed (-1)

smash (1351) | about a year ago | (#43104697)

And Safari is still exploitable as is OS X and iOS.

So why wasn't it in the headlines as having been hacked, on slashdot of all sites. If it WAS hacked, /. would be ALL OVER IT, like they have been every previous year.

Re:Fundamentally Flawed (2)

cbhacking (979169) | about a year ago | (#43105751)

OS X was listed in TFA, but not in the headline of it. That headline was pretty directly re-used for Slashdot.

What, bias in the tech community?? No way...

Re:Fundamentally Flawed (1)

smash (1351) | about a year ago | (#43105825)

MENTIONED in TFA. Not confirmed as hacked. It didn't fall (yet).

Re:Fundamentally Flawed (2)

fredprado (2569351) | about a year ago | (#43105839)

Slashdot and all other tech sites are full of Safari exploit cases, my friend, including those that are used to jailbreak iOS devices.

Re:Fundamentally Flawed (0)

Anonymous Coward | about a year ago | (#43104567)

I guess people could take issue with placing that authority in some ELSE's hands....in this case Apple.

Re:Fundamentally Flawed (3, Interesting)

rtfa-troll (1340807) | about a year ago | (#43104249)

So, at what point do we wake up and realize that current models of hardware and software development are fundamentally flawed in terms of having products which by their very nature introduce unacceptable security risks to store any data or information? (I was going to write data or information which can cause monetary loss or expense, but really...)

This insight is as old as the hills. Or at least the '80s. It is the fundamental driver behind the "full disclosure" movement which has, in a sense, been and gone.

Or, rather, at what point does someone wake up and develop a system that can be trusted out of the box to be secure? And consumer buys into the nature that while shopping / releasing credit card data / etc. is fun and may be necessary, but it is in the best interest to pay a little more for a (less advanced) system that does not and can not be exploited?

Start by defining "trusted". Should my local system block me from putting my Visa card number into a web site because the web site isn't safe?

If you mean "locally trusted"; top level, secure operating systems running on very secure hardware have been build. Even in military applications they have become a commercial failure because it takes too long to build a feature on such a system so they mostly don't do the things that people need of them.

So; in the end; the answer to this is that things will only get better when people are willing to sacrifice some feature development for more secure development. Ask yourself; how many of us today are posting from OpenBSD? How many of us are posting from inside an SELinux sandbox? Both of those already have all of the features needed to do so. If you aren't willing to make the small sacrifices needed to run OpenBSD or web browse from inside a proper sandbox, how can you complain about the fact that the rest of the world which is even less interested in technology won't do anything about it?

Just start giving companies selling (N.B. not programmers writing; it has to be commercial system distributors) computer systems some liability for security failures (e.g. up to a max. of 10 times the price of the product they sold) and this will become much much better. As long as nobody's willing to do that nothing will happen.

Re:Fundamentally Flawed (0)

Anonymous Coward | about a year ago | (#43105711)

Ask yourself; how many of us today are posting from OpenBSD? How many of us are posting from inside an SELinux sandbox?

After dealing with SELinux, I have decided to take my chances with the boogieman of the wild Internet. Seriously, SELinux sucks so bad that nobody I know uses it. Not in production at work. Not even for playing around.

Re:Fundamentally Flawed (1)

fredprado (2569351) | about a year ago | (#43104321)

Or, rather, at what point does someone wake up and develop a system that can be trusted out of the box to be secure

Sorry, but that is simply impossible. Nothing is perfectly secure and nothing will ever be.

Re:Fundamentally Flawed (0)

Anonymous Coward | about a year ago | (#43104517)

Nothing is perfectly secure and nothing will ever be.

Earth's core... the Sun... the surface of Jupiter... the massive black hole at the center of the galaxy... I'd like to see any scenario where these are hacked.

Re:Fundamentally Flawed (0)

Anonymous Coward | about a year ago | (#43105003)

Yeah. I mean, who can hack God! Let's just use God OS and be done with it. /sigh

Re:Fundamentally Flawed (1)

fuzzyfuzzyfungus (1223518) | about a year ago | (#43104545)

Local attackers might be fundamentally unsolvable, I'll leave that one to the physicists; but attackers who don't get to modify the hardware face the limits of the fact that software is ultimately math, and math about which certain things can be proven.

It is true that it is arduous and/or impossible to prove many of the properties we are interested in in software complex enough to actually have any customers; but it isn't impossible in the general sense.

Re:Fundamentally Flawed (0)

Anonymous Coward | about a year ago | (#43104801)

but attackers who don't get to modify the hardware face the limits of the fact that software is ultimately math, and math about which certain things can be proven.

Yes, like Gödel's incompleteness theorems, for instance, which pretty much state that any software can get hacked. [wikipedia.org]

There's a reason that Intel bought McAfee, because changing the problem domain from pure software to software+hardware sidesteps the conclusions of the incompleteness theorems.

Re:Fundamentally Flawed (5, Interesting)

ledow (319597) | about a year ago | (#43104381)

When pigs fly.

Seriously, this is like saying "why doesn't someone just make a car that can't crash, or a plane that will never stop flying?".

We can make computers that you can bet your life on. They still fail, but the failure rate is so low that we can bet people's lives on them every day (I'm not talking traffic lights - whose total failure isn't really that big of a deal in the long run, but things like life-support machines, nuclear reactors, etc.). It's EXTRAORDINARILY expensive, and relies on there being an absolute minimum of human input at runtime.

Even spacecraft and aircraft send two or three of the same computers up so they can just swap them out or take the majority vote. You can design systems all you like to be infallible, the fact is that they aren't - even in terms of hardware, and certainly not in terms of software. And the more you want to do with them, the more the work needed to eliminate problems increases - usually exponentially.

Have you seen how much it costs to formally prove code? Hell, just putting the requirements to begin the process can be something more expensive than an entire development cycle of conventional programming, and still contain human errors that the computer will happily prove to be correct (because they are) even if that's not what the humans involved intended (and thus you have a classic software bug again).

By comparison, your web browser is more complex, has more to do, updates more often (new specs and features, etc.) and is business-class programming, not critical. It would take decades or even centuries of man-hours to formally prove even a tiny section of it and every time it changes you need to do it again.

You can't design a secure language to express these things in. You can't design a machine that will cope with anything. You can't design a process involving humans that will be infallible.

Hell, we can't even design a piece of software that will find these bugs by itself (or else we wouldn't need bug-testing) - and yet MILLIONS is spent every year on products that help do just that (static code analysers, fuzz-testers, standard-compliance suites, etc.).

You will never have a "secure" computer, as long as its users and designers are human. When machines start to replicate themselves and write their own operating systems, then maybe it's possible (but how to get there without relying on the output of a human to do that job in the first place?).

Until then, honestly, what do you suggest? A "secure" programming language? There's been hundreds of attempts and ironically Java was one of them (it's all contained within a virtual machine, don't you know?, and thus can't damage the computer it's installed on.... least that's how it was sold for over TWO DECADES).

Summary: It ain't gonna happen in your lifetime. You can deal with it, or prove everyone in CS wrong.

Re:Fundamentally Flawed (1)

msauve (701917) | about a year ago | (#43104425)

"at what point does someone wake up and develop a system that can be trusted out of the box to be secure?"

Today. Just don't connect to a network or use writable, removable media.

It's all a matter of trust vs. risk. How much do you trust that some software officially signed through Microsoft is really OK? Or that SSL keys signed by a CA [eweek.com] provide any security?

It's easy to complain - you're saying it's "fundamentally flawed," but not offering any examples of what isn't. People have broken into bank vaults, too.

Re:Fundamentally Flawed (2)

roman_mir (125474) | about a year ago | (#43104479)

So, at what point do we wake up and realize that current models of hardware and software development are fundamentally flawed in terms of having products which by their very nature introduce unacceptable security risks to store any data or information?

- at no point, because it's not true.

There is nothing flawed about our hardware and software models, nothing more flawed than for example our own replication machinery built into each one of us, and it is complex and it sometimes produces unfortunate results [cnn.com] .

It is all a cost benefit analysis and basically if we were to scrap our current models and to throw away the hardware and the software and to start from scratch (or whatever you are talking about), the results would be similar to us giving up all of our technology and going back to the caveman ages because we don't have the perfect technology and perfect outcomes and perfect solutions.

Cost benefit tells us that we put as much energy as we can to build up these systems and we are getting a very good use of them and that if we tried to spend every waking moment of every day just trying to build the most perfect solutions, the benefit would be very marginal and not actually worth the effot (not that we would succeed, by the way, that's not a guarantee at all).

Re:Fundamentally Flawed (0)

Anonymous Coward | about a year ago | (#43104535)

NASA is the most serious organization out there about that sort of thing and even they have bugs. You are asking for a unicorn. Theoretically, we could probably bio-engineer a unicorn, and the expense and inventions necessary for that would be less than for making all software bug-free. So actually, you are asking for something that is harder to get than a unicorn is. Could happen sometime, not soon, probably nuclear fusion will be a viable way of making power well before we have bug-free software.

In the real world... (1)

Parker Lewis (999165) | about a year ago | (#43104557)

Browser, like anything in our life, cannot be 100% safe. You don't have any security system (at houses, banks, computers) 100% failsafe. Best you can do is make the "thief" life a little bit harder.

Re:Fundamentally Flawed (1)

PerfectionLost (1004287) | about a year ago | (#43104613)

When software stops being made for end users.

Not fundamentally, but economically? (4, Informative)

Anonymous Brave Guy (457657) | about a year ago | (#43104695)

So, at what point do we wake up and realize that current models of hardware and software development are fundamentally flawed in terms of having products which by their very nature introduce unacceptable security risks to store any data or information?

That's hardly a secret. It's a cost/benefit question, and there is enough benefit around right now that most people are willing to pay the cost/accept a modest risk rather than going without.

Or, rather, at what point does someone wake up and develop a system that can be trusted out of the box to be secure?

You'll never have perfect security, because many useful things are inherently insecure on some level. But yes, we could certainly do a lot better than we do right now.

I personally suspect that any qualitative shift in the industry first needs the development of an industrial-scale application programming language (and a comprehensive supporting ecosystem in terms of tools and libraries) that manages to combine reasonably high performance and flexible low-level access with much stronger architectural support features than any mainstream language offers today.

We know a lot about how to build such a programming language already, and many useful techniques are already tried and tested in more academic/obscure/innovative languages. Unfortunately, this is a chicken and egg kind of problem: you need to get enough developers using your language that the ecosystem develops enough for mainstream industrial use, but attracting the non-enthusiast developers needs some sort of ecosystem to be there already. And as long as most customers are willing to pay significant money for software that doesn't have lots of bugs/vulnerabilities, accepting these things are somehow inevitable in the way that most non-geeks today probably do, there isn't sufficient commercial incentive for the few organisations that could actually do it to throw megabucks into developing the language and a bootstrappable ecosystem from scratch right now.

No love for Safari? (4, Insightful)

Sponge Bath (413667) | about a year ago | (#43104079)

$100,000 for popping Chrome on Windows 7; the same for hacking Internet Explorer 10 on Win 8; $75,000 for ripping up IE9 on Win 7; $60,000 for owning Firefox on Win 7; and $65,000 for exploiting Apple Safari on OS X Mountain Lion.

$65K was not enough to bang up Safari?

Re:No love for Safari? (1)

MatrixCubed (583402) | about a year ago | (#43104389)

Safari who? [wikipedia.org]

Re:No love for Safari? (0, Informative)

Anonymous Coward | about a year ago | (#43104541)

Safari who? [wikipedia.org]

The browser that is largely responsible for WebKit being the most popular rendering engine, and whose mobile version is #1.

Re:No love for Safari? (2, Informative)

smash (1351) | about a year ago | (#43104549)

You know. The browser that probably accounts for more traffic than the built in android browser. That has previously been hacked pretty much first thing every year so far.

Gatekeeper, sandboxing the web worker process and ARC in the development kit maybe paying off.

Re:No love for Safari? (3, Insightful)

Shados (741919) | about a year ago | (#43104869)

The browser that probably accounts for more traffic than the built in android browser

Built in android browser? Let see... ::pulls out his nexus phone...::

You mean Chrome?

Oh wait, you mean the OLD android browser, from the version of android that barely worked on the internet at all, even though it still has more marketshare.

Yeah, no surprise that that shitty browser isn't on the radar either.

Re:No love for Safari? (0)

Anonymous Coward | about a year ago | (#43105023)

I'm not trying to continue a flame war here, but since ios accounts for more than 50% of mobile browsing the statement is accurate.

Re:No love for Safari? (0)

Anonymous Coward | about a year ago | (#43105373)

Safari who? [wikipedia.org]

Safari the browser they offered $65,000 to hack, that's who.

Re:No love for Safari? (1)

LordLimecat (1103839) | about a year ago | (#43105759)

Theyll get there tomorrow-- they havent failed to breach OSX yet. The shocker this year is that OSX / Safari didnt fall on day one-- the question is whether thats due to actual security, perceived difficulty, or lower prize money.

Re:No love for Safari? (2, Informative)

Anonymous Coward | about a year ago | (#43105845)

Safari for Windows was abandoned [wikipedia.org] (no version 6) and this year Pwn2own is targeting Windows browsers only.

Candian (0)

Anonymous Coward | about a year ago | (#43104087)

Where is this country? I can't find it on a map. Mind you, as an American, I can't even find Kansas on a map. Go figure.

Re:Candian (1)

MatrixCubed (583402) | about a year ago | (#43104231)

Try looking for Kansias.

Re:Candian (0)

Anonymous Coward | about a year ago | (#43104419)

Mmmm, Candy Land. Maybe next year they can have it in the pizza province instead.

You mean crack fest? (-1)

Anonymous Coward | about a year ago | (#43104097)

This is more like cracking systems, right?

Candian? (0, Redundant)

Anonymous Coward | about a year ago | (#43104103)

Candian?

Where's Candia? (0)

Anonymous Coward | about a year ago | (#43104189)

Does that knowledge also remain in the hands of organisers only?

Researchers tore holes through browsers on Windows (3, Interesting)

dgharmon (2564621) | about a year ago | (#43104195)

Do any of these exploits work on Linux?

Re:Researchers tore holes through browsers on Wind (-1, Troll)

ubersoldat2k7 (1557119) | about a year ago | (#43104309)

Who cares? It's not like you're going to run a web browser on a server, right?

Re:Researchers tore holes through browsers on Wind (1)

dacaldar (614951) | about a year ago | (#43104357)

You care if you own a smartphone. The new BB10 browser from BlackBerry outperforms desktop browsers in HTML5, and runs on top of QNX, which is like a more stable, secure version of Linux. I'd like to see someone try to hack that, especially in comparison to Android and iPhone.

Re:Researchers tore holes through browsers on Wind (0)

Anonymous Coward | about a year ago | (#43104451)

QNX is a NetBSD

Re:Researchers tore holes through browsers on Wind (1)

Anonymous Coward | about a year ago | (#43104595)

-1, ignorant and factually incorrect. It uses the NetBSD TCP/IP stack, but that doesn't make it a NetBSD. Period.

captcha: amateurs. Indeed.

Re:Researchers tore holes through browsers on Wind (1)

smash (1351) | about a year ago | (#43104601)

runs on top of QNX, which is like a more stable, secure version of Linux.

The sky is blue and therefore I like rollercoasters.

Just..... no. It's like saying VMS is a more stable secure version of Windows, the two platforms have about as much in common. Probably more, given they're both the children of Dave Cutler.

Re:Researchers tore holes through browsers on Wind (0)

Anonymous Coward | about a year ago | (#43104363)

But...but.. this is going to be the year of the linux desktop, isn't it? Yet?

Re:Researchers tore holes through browsers on Wind (-1)

Anonymous Coward | about a year ago | (#43104385)

Uhhhh, I run Linux Mint from my laptop and I find your comment ignorant.

Re:Researchers tore holes through browsers on Wind (0)

Anonymous Coward | about a year ago | (#43104405)

It's not like you're going to type most of your Internet passwords and your credit card details in a web browser, right?

Re:Researchers tore holes through browsers on Wind (0)

Anonymous Coward | about a year ago | (#43104421)

Those of us that don't run a server.

Re:Researchers tore holes through browsers on Wind (0)

Anonymous Coward | about a year ago | (#43104509)

I guess not. I just installed lynx on my server to prove you wrong, but it looks like the reply button on slashdot uses javascript. I could compile links2 with javascript enabled, but I have work to do.

Re:Researchers tore holes through browsers on Wind (1)

Anonymous Coward | about a year ago | (#43104365)

Not the IE ones :) maybe the Java one

Probably the Firefox one

The chrome one partially, they used a kernel exploit to break out of the chrome sandbox

Re:Researchers tore holes through browsers on Wind (0)

Anonymous Coward | about a year ago | (#43104441)

From what I read, all the affected systems were Windows based.

Re:Researchers tore holes through browsers on Wind (5, Informative)

Anonymous Coward | about a year ago | (#43104489)

http://www.internetnews.com/skerner/2011/03/why-pwn2own-doesnt-target-linu.html

Pwn2Own will target IE, Firefox, Safari and Chrome all running on Windows 7. Windows XP isn't on the target list and neither is Linux, for different reasons.

I spoke with Aaron Portnoy, Manager of the Security Research Team at HP TippingPoint the other day and asked him why Linux wasn't being included. Apparently the question is among the most common questions he is ever asked about Pwn2Own.
"Linux is not an operating system that has widespread use with any one particular distribution, flavor or configuration," Portnoy said. "In general Linux is still a server-based operating system, people do use it on the desktop, but you can't go to BestBuy and buy Linux with a specific distro on it that everyone uses that has widespread market share. If we were to include Linux, we'd have even more controversy and we just don't want to deal it."

Interesting /. bias (3, Interesting)

roman_mir (125474) | about a year ago | (#43104227)

Security researchers tore holes through all major web browsers, breaking Windows 8 and Java, too (though the latter feat is not remarkable).

- at this point I have to wonder what are the underlying reasons for the obvious bias present on /. against Java, because clearly there is something at work here, so where does the money trail lead? Is Dice holding a short position against Oracle or something? Is there something else going on? Is it a pro-Apple product and anti-Android stand?

Personally I dislike Oracle as a company because of their insidious penetration of all facets of medium to large businesses (everything must be Oracle), but not Java as a language or as a VM. Obviously the sandboxed JVM browser plugin has various issues, but the slander against the entire Java platform is getting repetitive.

While a Java browser plugin may have security problems, I fail to see how this relates to server side Java usage (as an example).

OTOH even /. comments are so confused, mixing terms, mixing notions such as Java and Javascript and browser plugin, etc., permanently labelling JVM (or Java, I don't know which anymore) as a 'slow language' or 'slow platform' (again, there are too many of these too keep track) and whenever somebody says something to this effect without upfront stating exactly what they are talking about, it leads to page long threads that can't even agree on teh terms they are using.

This is destructive, not constructive.

FRONT PAGE NEWS!!! (1)

Sterculius (2856655) | about a year ago | (#43104289)

Wow, you mean really large complex systems can be hacked by smart people with a lot of time and sophisticated tools? Knock me over with a feather.

what's a Candian? (-1)

Anonymous Coward | about a year ago | (#43104305)

this is becoming pathetic.

Safari (1)

smash (1351) | about a year ago | (#43104469)

Not hacked? First time ever! :D

Safari wins! (2, Interesting)

goombah99 (560566) | about a year ago | (#43104663)

"Safari on Mac OS X Lion was the only browser left standing at the conclusion of the zero day portion of pwn2own. "

Perhaps it's also telling that the prizes for winning are Mac Laptops.

Re:Safari wins! (1)

smash (1351) | about a year ago | (#43104741)

It's been hacked every year previously, mostly by the same guy. I suspect that the sandboxing of the web process in the current version, gatekeeper in Mountain Lion, and ARC support in the current development tools (to make memory management easier and less prone to error) is paying off.

Re:Safari wins! (0)

Anonymous Coward | about a year ago | (#43105033)

For what it's worth, almost every competitor was already using a Mac laptop and OS X.

Once again, no Opera (5, Interesting)

TheKeyboardSlayer (729293) | about a year ago | (#43104503)

Once again, pwn2own ignores the Opera web browser. This makes me sad...I recently switched exclusively to Opera after toying around with it for almost 10 years now. I've been completely happy since. I will say this, Opera takes security more seriously than any other browser out there...just an example is when the Certificate Authority hack came into play in 2011...All other browsers were twisting their knickers but Opera just yawned and said:

Browsers that do not have protection against blocked revocation lists will need to rapidly issue an update to fix any new certificate abuse. In Opera, users are protected automatically when the certificate is revoked. If the CA has a general problem, or a CA is no longer being used, we can remove it from our list of trusted CAs behind the scenes, and the user will also be secure, without needing to change anything in her browser.

This was the default setting in opera.

In my opinion, Opera has my interests at the forefront when it comes to security. Whether or not that would translate to being more resistant to hacking attempts at pwn2own, I have no idea...but I really wish they'd give it a go one of these years just to see.

Re:Once again, no Opera (0)

Anonymous Coward | about a year ago | (#43104605)

Opera just announced that they were basically abandoning their engine in less than a year. At that point, only Chromium will matter anyway, so while I would have agreed with you in past P2O events, this time I couldn't care less.

Re:Once again, no Opera (1)

TheKeyboardSlayer (729293) | about a year ago | (#43104691)

They're switching to a modified version of webkit for rendering and using the V8 javascript engine. A browser is much more than just a tool for rendering and a javascript engine and this is the only thing they're sucking in from Chrome.

Just the same, the current version uses Presto...and that's the one that pwn2own could check out right now...and they haven't every tried Opera in the history of pwn2own. It'd be great if they gave it a parting shot.

110% agreement w/ you & others... apk (0)

Anonymous Coward | about a year ago | (#43105673)

http://developers.slashdot.org/comments.pl?sid=3525253&cid=43105565 [slashdot.org]

* :)

APK

P.S.=>

"Opera takes security more seriously than any other browser out there...just an example is when the Certificate Authority hack came into play in 2011...All other browsers were twisting their knickers but Opera just yawned and said:

Browsers that do not have protection against blocked revocation lists will need to rapidly issue an update to fix any new certificate abuse. In Opera, users are protected automatically when the certificate is revoked. If the CA has a general problem, or a CA is no longer being used, we can remove it from our list of trusted CAs behind the scenes, and the user will also be secure, without needing to change anything in her browser.

This was the default setting in opera.

  In my opinion, Opera has my interests at the forefront when it comes to security. Whether or not that would translate to being more resistant to hacking attempts at pwn2own, I have no idea...but I really wish they'd give it a go one of these years just to see." - by TheKeyboardSlayer (729293) on Thursday March 07, @10:16AM (#43104503) Homepage

Well said, & with BACKING evidence to reinforce your statement too (doesn't GET any better, than that)... again, agreed, 110% per my subject-line above!

Their lead dev, afaik, Mr. Hakom Lie (sp?) is really, Really, REALLY "on top of his game" here & always is (he's on the standards for the web committee)... which also makes me wonder WHY he's willing to drop his engine (excellent in latest/greatest 12.14 builds, especially in 64-bit, which is what I use personally) for WebKit.

However - it also shows me he IS concerned with solidifying the web... even to the point of taking a "personal beating" & giving up HIS motor/engine, to make the web more "unified" via WebKit.

It's the "why" of WHY I use it (as well as years of dominating speed/performance online on ALL fronts, even javascript (which I feel needs some SERIOUS shoring up in its faulty exploitable DOM model) - speeding javascript up is like speeding up being tossed in front of a speeding car, as it stands currently))...

... apk

Re:Once again, no Opera (0)

Anonymous Coward | about a year ago | (#43105873)

Chrome has a silent autoupdate function. Revoking certificates is no big deal for Chrome.

(Being the default setting, it is also the way the browser functions for over 99% of the users who haven't specifically disabled the setting. It is dishonest to claim that Opera is any more automatic in this regard than Chrome.)

What about Opera? (1, Interesting)

Anonymous Coward | about a year ago | (#43104505)

Invulnerable or did nobody try?

Re:What about Opera? (2)

TheKeyboardSlayer (729293) | about a year ago | (#43104765)

They don't try because they say the userbase is too small. But it just hit 300million users. It's also one of the most popular mobile browsers out there...it was tops in May of 2011 iirc.

Sidenote: The organizer of pwn2own, Aaron Portnoy, supposedly uses the Opera Browser. Go figure.

I think you "hit the nail on the head" (0)

Anonymous Coward | about a year ago | (#43105565)

Apparently it is. Any other 'excuse' is merely a "cop out", nothing more, nothing less.

* :)

(That's what it tells ME @ least... opinions may vary!).

So, does Opera possibly have "holes" in it too? Possibly. Only thing is, I'm not being shown CONCRETE SOLID UNDENIABLE & VERIFIABLE evidence thereof is all, so I have to assume what you have is all.

Like MOST /.'ers? I am a "show me" person... & I'm NOT being shown any differently, thus, I am free to make statements like yours also!

(These contests, much like I feel hacker/cracker types do (the ONLY "good" thing they do), expose weakness, & in a better manner than outright online criminals do, in that they DETAIL how it was done... when you know that, you can DO something about it!).

APK

P.S.=> So, sure/yes - Exclusing Opera also makes me wonder as well on WHY it's excluded from these tests, other than the fact they make it rather OBVIOUS there are no "holes" in it by such omissions, unfairly, imo @ least...

... apk

Why the bashing of Java? (0)

devent (1627873) | about a year ago | (#43104647)

I don't understand why the bashing of Java?
First, the vulnerabilities of Java are only for the Java Applets. And seconds, Java it not really a system critical component. Is more like Flash or Silverlight, or .Net. All of them have way more vulnerabilities then Java but you don't see them to be bashed all the time.

So, sure you should call out vulnerabilities so the company is going to fix them as soon as possible, but it's not that critical anyway. It's not like you just connect to the Internet and get a virus without to open any browsers first (Windows XP without SP). Any software have vulnerabilities but Java Applets are not so bad like Flash for example.

Re:Why the bashing of Java? (1)

smash (1351) | about a year ago | (#43104767)

For the people who need Java, it often IS a mission critical component (and yes, often for applets). And it is a FUCKING JOKE lately. AGAIN this morning another update.

Re:Why the bashing of Java? (1)

devent (1627873) | about a year ago | (#43105423)

Did you get a virus or trojan because of a Java Applet?
It is so bothersome to update Java? Normally it's just a popup in Windows where you can click and update.
Your browser have probably way more security holes and I'm not see people scream "fucking joke" if they need to update Firefox again. (On my Fedora Linux I need to update Firefox every week, you don't see me scream "fucking joke").

Re:Why the bashing of Java? (2)

smash (1351) | about a year ago | (#43105461)

The whole point of java was to run cross platform code in a secure manner. The fact that it is the most insecure software on a typical machine these days is the joke. And no, my browser, and yours is not less secure than Java, which has had way more than 65 vulnerabilities patched in the last month alone.

Attack code ownership (3, Funny)

craigminah (1885846) | about a year ago | (#43104707)

TFA says, "Thankfully for the rest of us, the cashed-up winners will disclose the holes quietly to Microsoft, Mozilla, Google and Oracle, and the proof of concept attack code will remain in the hands of organisers only." Who wants to bet the organisers are China?

I assume that the Firefox bug is in JS? (1)

John Hasler (414242) | about a year ago | (#43104807)

n/t

Re:I assume that the Firefox bug is in JS? (0)

Anonymous Coward | about a year ago | (#43104913)

Actually, no. Though I guess you'll have to wait for the 19.0.2 release later today for proof of that (unless you're smart enough to figure out which public repo to look at to see the fix that was already checked in).

Linux (1)

Lord Lode (1290856) | about a year ago | (#43104927)

For operating system, why do they only try Windows there? I, for one, would love them to try Linux as well, to help find exploits, which I'm pretty sure they'd find just as well.

Of course they were hacked, duh?! (0)

Anonymous Coward | about a year ago | (#43105013)

"Listen, we got a higher purpose here, alright? A wake up call for the Nintendo Generation. We demand free access to data, well, it comes with some responsibility." - Cereal Killer, Hackers. Like it or not security in either the software or the physical world comes with some freedom violations. You cannot have your cake and eat it too. You either want the developers to tie you down and spoon feed you only what they will allow or you want to operate the system the way you want. They are mutually exclusive until we invent Skynet. Needs of the user are a constantly moving target. Anytime we lock down something for security reasons a new paradigm comes along and causes us to have to violate our own security measures. On top of all that, the hacker world does not sit still and stop trying to exploit vulnerabilities. If you want to be safe you can't go running around the internet willy-nilly doing whatever the hell you want without proper security safeguards. If you're going to go to Pirate Bay and download some torrent or other, then you better damn well have kick ass security tools to verify that all you got was the illegal movie and not some virus or other. Risky behavior is RISKY, stupid. Stop complaining about it to me and get proactive. Your security and safety is YOUR responsibility.

No, their phone and Facebook don't count. (1)

Impy the Impiuos Imp (442658) | about a year ago | (#43105025)

"Security researchers tore holes through all major web browsers, breaking Windows 8 and Java, too"

Hey! How goes the effort to gain access to Jennifer's pants? Debbie's? Becky's?

"I stand on the shoreline, having hacked a few shells, while the great undiscovered ocean of life remains before me."

"Windows All Hacked At Pwn2Own"? (1)

hobarrera (2008506) | about a year ago | (#43105595)

There's no mention of any vulnerabilities on any other OS. Does this mean they're only windows-specific issues?

Must Say (2)

Zamphatta (1760346) | about a year ago | (#43105691)

The article points out that the hacks were done on Windows & Mac's. So simply saying "oh, these browsers are all flawed", is suggesting something that is either not true or something unknown. After all, it's entirely possible that the flaws do not exist in Linux or non-Mac-BSD versions of the browsers. I've seen articles go on like this before... about how all the browsers are hackable, but they only really know (or mean) that all the browsers are hackable on a certain platform. I'm tired of that FUD.
Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Create a Slashdot Account

Loading...