[personal profile] thewayne
There's an annual contest held as part of a Canadian computer security conference called CanSecWest. They will publish a list of browsers and operating systems, and people will try to create exploits that will let them bypass the browser's security and get malware onto the host system. The browser is the latest version and the operating systems are fully patched, so they are as secure as you and I can easily make our personal systems.

Every browser failed. Internet Explorer 9 and 10 on Windows 7 and 8, Safari on OS X, Chrome, Adobe Reader and Flash, Oracle Java, etc.

If you successfully break one, you get the computer and a cash reward, which is a cool prize.

You also have to disclose the exact process that you used to break the browser to the software companies, so you'll always see a flood of patches a couple of weeks after the conference ends.


While this does demonstrate vulnerabilities in your system, these are carefully-controlled zero-day hacks that may not be in general circulation. And they will be patched. The problem is that whenever a hole is patched, another hole will be found. Guaranteed. It's a never-ending game of whack-a-mole.


http://www.h-online.com/security/news/item/All-major-browsers-and-Java-fall-at-Pwn2Own-1818268.html

http://www.scmagazine.com.au/News/335750,chrome-firefox-ie-10-java-win-8-fall-at-pwn2own-hackfest.aspx

http://dvlabs.tippingpoint.com/blog/2013/01/17/pwn2own-2013

Date: 2013-03-15 06:27 am (UTC)
From: [personal profile] silveradept
As technology advances, the technology to fool it advances as well. I suppose we should be happy that these ones will result in swift patches, instead of the ones that have to be found in the wild.

Date: 2013-03-15 01:07 pm (UTC)
From: [identity profile] thewayne.livejournal.com
The problem is the professional criminal cabals that have an underground network trafficking in these exploits. These holes are fixed, but what other exploits have not yet been found by good-guy/white-hat security researchers?

No system can be absolutely secure, unless it's unplugged, not connected to the internet, and in a secure room. And then it kinda loses some of its purpose and functionality.

Date: 2013-03-15 01:59 pm (UTC)
From: [personal profile] silveradept
Always nice to know that everything you do carries risk, I suppose, and that the likely reason you haven't been targeted is because your number hasn't come up to them yet.

Date: 2013-03-15 02:16 pm (UTC)
From: [identity profile] thewayne.livejournal.com
That's about it. If you're not important, or working for a company with foreign competitors or that makes a lot of money, you're just not terribly worth bothering with.

Of course, if they happen to sniff your banking credentials, you're still fair game.
