The Pwn2Own contest at the CanSecWest security conference aims to unearth browser flaws. This year, “white-hat” hackers at Pwn2Own took down Safari on Mac OS X, IE8 and Firefox. Only Google’s Chrome remained impervious to hacks. Google wants to improve Chrome’s performance further via user feedback to its latest Chrome beta.
 White-hat security experts attending the CanSecWest security conference in Vancouver this week have succeeded in exploiting previously unknown vulnerabilities in fully patched versions of Firefox, Internet Explorer 8 and Safari. According to Tipping Point, which sponsored the contest at CanSecWest, only Chrome remained impervious to assaults on Wednesday and Thursday.The primary goal of the annual Pwn2Own contest is to responsibly unearth new vulnerabilities within computing systems so that the affected vendors can address them, noted TippingPoint, which manages the Zero Day Initiative (ZDI) program team responsible for awarding prizes to this year’s winning contestants.”All winners are asked to sign and agree to the general ZDI nondisclosure agreement, and the bugs will be turned over directly to the affected vendors,” said Terri Forslof, TippingPoint’s manager of security response.Rock-Star Performance The contest’s first winner was Charlie Miller, who took down Safari on Mac OS X within two minutes — winning free computing gear and a $5,000 cash prize in the process. Contestant Julien Tinnes also successfully exploited both Firefox and Safari, but “unfortunately his efforts fell outside the contest criteria and therefore could not be rewarded,” Forslof observed.However, the most impressive performance of the day came from the contestant known simply as Nils — “You know, like ‘Prince’ or ‘Madonna,’” said Forslof. Nils “ran a sleek exploit against IE8, defying Microsoft’s latest built-in protection technologies — DEP (Data Execution Prevention) as well as ASLR (Address Space Layout Randomization).” He won $5,000 for his efforts.Even better, Nils’ successful IE8 exploit was just the warm-up exercise for what turned into a trifecta. He picked up another $5,000 by quickly taking down Apple’s Safari browser, then ended the day with a flourish by cracking Firefox, which boosted his total cash winnings to $15,000.The Microsoft Security Response Center notified Forslof on Thursday morning that it had already reproduced and validated the IE8 exploit that Nils had uncovered. “I was shocked to get the news of verification in less than 12 hours,” Forslof said. An Unrivaled Position Despite Chrome’s solid performance in this year’s Pwn2Own contest, Internet Explorer is in no danger of seeing its well-established corporate-sector strength dissipating any time soon. Gartner Research Director Ray Valdes notes that the browser is only one aspect of the security mix in an enterprise setting.”There are many other tools and defenses, such as firewalls, intrusion detection, antivirus and malware,” Valdes explained. “A key enterprise requirement for browsers is the ability to configure and manage them centrally: to lock down or disable certain features, and to control when they get updated. At the moment, IE has an unrivaled position with regard to these requirements.”Still, Google is looking to improve Chrome’s performance even further by way of user feedback to its latest beta release, which is not yet entirely free of bugs. “You can think of running Google Chrome on the Beta channel as similar to running any other software in Beta — it should work fine for most general browsing, but it’s not as fully tested as the Stable version so there may still be some bugs,” Google explained.Those users who have opted in to automatically send usage statistics and crash reports to Google will be providing feedback whenever something goes wrong with the browser, Google noted. “We also have a page that lists a few ways users can get in touch with us about Google Chrome.” |
