The Wayne (thewayne) wrote 2013-03-14 03:28 pm
Pwn2Own: ALL browsers were defeated

There's an annual contest held as part of a Canadian computer security conference called CanSecWest. The organizers publish a list of browsers and operating systems, and contestants try to create exploits that let them bypass the browser's security and get malware onto the host system. The browsers are the latest versions and the operating systems are fully patched, so they are as secure as you and I can easily make our personal systems.

Every browser failed: Internet Explorer 9 and 10 on Windows 7 and 8, Safari on OS X, Chrome, and also Adobe Reader and Flash, Oracle Java, etc.

If you successfully break one, you get the computer and a cash reward. Which is a cool prize.

You also have to disclose the exact process that you used to break the browser to the software companies, so you'll always see a flood of patches a couple of weeks after the conference ends.

While this does demonstrate vulnerabilities in your system, these are carefully controlled zero-day hacks that may not be in general circulation. And they will be patched. The problem is that whenever a hole is patched, another hole will be found. Guaranteed. It's a never-ending game of whack-a-mole.


http://www.h-online.com/security/news/item/All-major-browsers-and-Java-fall-at-Pwn2Own-1818268.html

http://www.scmagazine.com.au/News/335750,chrome-firefox-ie-10-java-win-8-fall-at-pwn2own-hackfest.aspx

http://dvlabs.tippingpoint.com/blog/2013/01/17/pwn2own-2013
[personal profile] silveradept 2013-03-15 06:27 am (UTC)
As technology advances, the technology to fool it advances as well. I suppose we should be happy that these ones will result in swift patches, instead of the ones that have to be found in the wild.

[identity profile] thewayne.livejournal.com 2013-03-15 01:07 pm (UTC)
The problem is the professional criminal cabals that have an underground network trafficking in these exploits. These holes are fixed, but what other exploits have not yet been found by good-guy/white-hat security researchers?

No system can be absolutely secure, unless it's unplugged, not connected to the internet, and in a secure room. And then it kinda loses some of its purpose and functionality.
[personal profile] silveradept 2013-03-15 01:59 pm (UTC)
Always nice to know that everything you do carries risk, I suppose, and that the likely reason you haven't been targeted is because your number hasn't come up to them yet.

[identity profile] thewayne.livejournal.com 2013-03-15 02:16 pm (UTC)
That's about it. If you're not important, or working for a company with foreign competitors or that makes a lot of money, you're just not terribly worth bothering with.

Of course, if they happen to sniff your banking credentials, you're still fair game.