
·
Super Moderator
Joined
·
3,996 Posts
Discussion Starter #1
At this year’s Pwn2Own conference, security firms and enthusiasts are doing their very best to discover and deploy exploits to some of the world’s most popular browsers. Chrome, Firefox, Internet Explorer, and Safari, they’re all on the menu for conference attendees and some have definitely fared better than others. Google issued a challenge, promising $20,000 to any person or team that could crack Chrome on the conference’s opening day, but the two teams scheduled to take a swing backed down. Firefox is, for the time being, still standing, and, per usual, Microsoft’s Internet Explorer was taken down without much fuss. But which browser fared the worst? That would be Apple’s Safari. A French security research firm named VUPEN managed to break into Safari running on a MacBook Air in a cool five seconds. The company noted that the Safari update issued by Apple yesterday — version 5.0.4 — fixes some of the vulnerabilities, but not all.
Source

It should be noted that teams look for exploits beforehand so they were ready to crack it when they came in. They didn't actually find the exploit in 5 seconds. Still, you know things are bad when your browser is cracked faster than IE.
 

·
Registered
Joined
·
626 Posts
The amount of time it takes for the exploit code to execute is really a meaningless number as all the exploits execute in seconds.

The really telling number is the amount of time it takes to discover the exploits and write the exploit code. In the case of Safari it took a group of three researchers about two weeks to come up with the exploit. In the case of Internet Explorer it took a single researcher about six weeks to come up with the exploit.
 

·
Registered
Joined
·
3,368 Posts
Chrome seemed to come out the best in this contest (just like last year). I imagine Chrome gets just as much attention as Safari since it has substantially more market share than Apple's browser. Whether you're a Mac or PC user, Chrome seems to be the browser of choice for people who want to maximize their safety online.
 

·
Registered
Joined
·
1,009 Posts
Dances, do you use Chrome? I'm indecisive in switching from Firefox personally.
 

·
Registered
Joined
·
7,131 Posts
Chrome seemed to come out the best in this contest
Firefox was not cracked either. So it's basically a choice between Chrome and Firefox.
 

·
Super Moderator
Joined
·
56,506 Posts
A more detailed link:

http://www.computerworld.com/s/article/9214118/Researcher_chains_three_exploits_to_take_down_IE8_at_Pwn2Own

I haven't seen the results of "today's" tests (March 10th?)

Today's Pwn2Own schedule will pit researchers against Mozilla's Firefox -- that browser's turn was postponed to today after Wednesday's round started late
Edit: Went to Wiki and found:

Firefox, Android and Windows Phone 7 were scheduled to be tested during day 2, but the security researchers that had been chosen for these platforms did not attempt any exploits. Sam Thomas had been selected to test Firefox, but he withdrew stating that his exploit was not stable.
 

·
Super Moderator
Joined
·
3,996 Posts
Discussion Starter #9
I had heard (via Twitter so take it with a grain of salt) that Firefox was cracked, just not within the time limit.

iOS 4.2.1 and BBOS6 (one of the early versions) were also cracked via the browsers. Nobody attempted Android 2.3 or WP7.
 

·
Registered
Joined
·
3,368 Posts
Shaw Champ said:
Dances, do you use Chrome? I'm indecisive in switching from Firefox personally.
I switched from Firefox to Chrome last year. Now I only load Firefox to run Firebug since there is no comparable tool on Chrome. From a security standpoint Chrome is a lot better than the alternatives.

ScaryBob, yes, Firefox wasn't cracked this year either, but in previous years Firefox was cracked and Chrome was not. I think Chrome has a superior track record in this department. I'd also point out that Chrome has two features that help reduce the surface area of attack for your computer: it integrates Flash and a PDF reader. This means that the Flash plugin is sandboxed to a greater degree than other browsers, and (with the integrated PDF reader) you don't need to install Adobe Reader on your machine anymore. I remember seeing a couple years ago that Adobe Reader was the most exploited attack vector to get malware on PCs by using malformed PDF files.

As a side bonus if you do this you don't need to have that annoying Adobe Updater tool on your typical machine (that doesn't have Adobe CS installed).

I was about to talk about all the other (non-security) reasons why I prefer Chrome to all the other browsers available, but that would be a bit OT so I'll leave it for another time.
 