The security myth exposed (again): Major browsers and iPhone fall at Pwn2Own 2010

One browser survived this year's Pwn2Own contest, but not necessarily because it's more secure than the rest

The results are in. Only one major browser remained standing at the end of the Pwn2Own 2010 contest at this year's CanSecWest security conference in Vancouver; the rest fell with relative ease. On the operating table were the latest versions of Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, and Apple Safari - but which one lived to tell the tale?

For the fourth time, the Zero Day Initiative sent out invites to security specialists around the globe to head to Vancouver towards the end of March and go head to head with the market-leading web browsers that dare to call themselves secure. The object of the contest is simple enough: exploit security holes and break in. The winners walk away with the hardware on which the exploit was successful, hence the competition title, and a share of US$100,000 prize money. For the losers, the walk of shame.

A MacBook Pro and US$10,000 went to Charlie Miller of Independent Security Evaluators for successfully delivering a full command shell payload to Safari without even having physical access to the machine. Taking home an HP Envy Beats and a further US$10,000 was independent security researcher Peter Vreugdenhil for making short work of the security features of Internet Explorer 8 on Windows 7 64-bit edition. A Sony Vaio and yet another US$10,000 went to a researcher from MWR InfoSecurity for launching a calc.exe payload by exploiting Firefox on Windows 7.

So what happened on day two? Yes indeed, all of those successes were enjoyed on day one of the three-day contest. No doubt you'll have noticed one browser missing from the roll of (dis)honor: Google's Chrome. For the second year running, Chrome walked away unscathed, although this is not necessarily due to the browser being unhackable but just that, according to ZDI, "no one decided to take it down", adding that "there are many researchers sitting on Chrome vulnerabilities".

Google's Android mobile operating system on HTC's Nexus One also escaped unharmed in the mobile phone part of the competition. Apple's iPhone fell in just 20 seconds though with Vincenzo Iozzo and Ralf Philipp Weinmann breaking in and reading text messages stored on the device. Nokia's Symbian platform also fell to an anonymous contestant.

All vulnerabilities discovered in the contest have been reported to the various vendors to give them the chance to patch things up.

Vaughan Walker
How come no one covered Opera? Because it's third party?
Does come with some devices. I'm a Web designer and Opera has served me well over the years. I love it; people are always bemused how quick and simple it works, and it is pretty high ranking when it comes to security, especially a worry to me as I can retrieve all stored passwords from other browsers with a local program on Windows (not saying, but the ease of achieving this is a worry; once played a prank on a friend with it, but in the wrong hands :S ), I mean that's seriously not good!! I only trust Opera: so would be interested if it's still tops. So bad on Opera that blatant unbacked-up lies by the others put the best browser out there in the dark, one that all the others are also copying lots of their so-called unique features off too!
Kris Lyttle
Anybody (especially businesses of all sizes) who still believe that they use top-quality software technology really need to read this.
They should have this contest every month. Maybe then things would get better..... These companies should pay for every major security weakness that is found on an ongoing basis. Once a year? Please.
@ Vaughan Walker - strangely enough, that very question came up during my research. Apparently the contest organizers chose the top four browsers according to market share at the time. I too would like to see Opera given a chance to prove itself but for that to happen, more people are going to have to use it!
Yes, as said, its not necessary that those who stood out are fully secure or have no vulnerabilities.
Security is one thing, while being an attribute of reliability - and more than security specialists, the users can better judge from their own experience. Is there an application or a browser that never, ever crashed? Or can someone assure that it would never?
Google's Android - will have to check it out.
Dayspring Research
Michael Mantion
I break IE on every computer I own and many of my friends'. I would share it with you but I am afraid Microsoft would fix it and I would be stuck finding a way to completely disable IE. For websites that need IE I use the IE plugin for Chrome in the DEV channel. If I had a major website I would disable IE access.
Still love how easy it is to hack a Mac. My iPhone has been hacked at least once at our local library. I had to change all the passwords on all the sites I use. Now I never go to important sites on my iPhone.
And guess what is the browser of choice for the US Government? Yup, Internet Explorer 6 (SIX!!!) That's like an open invitation to the Chinese and Iran....
In fact, as federal employees we are locked out from even installing other browsers like Google Chrome, which is not fool-proof, but probably a 1000x safer than IE6, with Chrome's "sandbox" feature. Another terrorist "win" is that we can't even use thumb drives in any federal government computer... we're still making CD coasters to transfer files. Yup, running scared, instead of installing virus/trojan scanners, and disabling "autorun" in Windows for USB devices.
Yes, government efficiency, pro-active stance and forward-thinking technology in action!

Do a quarterly contest, and up the money... this is CHEAP research for the companies involved.
Sheesh, $10,000 to have someone else find your weaknesses? Dirt cheap IT labor.