Hackers Crack Every Browser Except Google Chrome

James Robertson


At a hacking contest at an applied computer security conference in Vancouver, only Google's Chrome browser survived the first day of the competition, according to an article in Ars Technica.

The contest, awesomely called Pwn2Own, challenged the contestants to exploit security vulnerabilities in fully patched browsers and mobile devices. The browsers included Apple's Safari, Microsoft's Internet Explorer 8, Firefox, and Google's Chrome. The mobile devices included a Blackberry, a phone running Google's Android, Apple's iPhone, a Nokia/Symbian device, and a Windows Mobile device.

Two contestants were successful with the browsers. The first one went only for a security flaw in Safari, while the second contestant took down Safari, Internet Explorer 8, and Firefox. None of the mobile devices were hacked. For their trouble, the winners got the laptop they hacked, along with $5,000 per browser vulnerability they found (that means the guy who found three vulnerabilities got $15,000 and a new laptop).

On the first day of the contest, the targets didn't have any plug-ins that traditionally open up additional security vulnerabilities, such as Adobe Flash Player, Java, QuickTime, and the Microsoft .NET framework. The second day (which was yesterday) allowed these plug-ins, and today contestants can add Adobe's Acrobat Reader plug-in.

Looking at the sponsoring organization's blog, it doesn't look like yesterday was very productive, and again no one found a security vulnerability in a mobile device.  They don't say anything about the browser contest.

So what does this tell us? While most people realize that security vulnerabilities pop up in Internet Explorer more often, for different reasons, Apple and Firefox are traditionally seen as the more secure options because they are either more carefully developed or used by fewer people than Internet Explorer, making them smaller targets for people looking for the vulnerabilities. Maybe this will make people think more carefully about browser security, and make them realize that even if they are using a "safe" browser, there are still those who can find a hole in the armor to make their lives miserable.

There is good news, though. Luckily, these hackers were the "good guys." The vulnerabilities they exposed were sent to the companies whose browsers they compromised, and they had to sign a non-disclosure agreement saying that was the only way they could use the exploit.

Even more good news is the fact that none of the mobile devices were compromised. That means no one will be stealing your calls or text messages, or putting viruses on your phone--yet. This alleviates some of the fears I previously wrote about in regard to Obama's Blackberry. For now, a regular old Blackberry is fairly secure, not to mention one the NSA has gotten hold of to add encryption and other secure goodies.
