The results are in. Only one major browser remained standing at the end of the Pwn2Own 2010 contest at this year's CanSecWest security conference in Vancouver; the rest fell with relative ease. On the operating table were the latest versions of Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, and Apple Safari - but which one lived to tell the tale?
For the fourth time, the Zero Day Initiative sent out invites to security specialists around the globe to head to Vancouver towards the end of March and go head to head with the market-leading web browsers that dare to call themselves secure. The object of the contest is simple enough: exploit security holes and break in. The winners walk away with the hardware on which the exploit was successful, hence the competition title, and a share of US$100,000 prize money. For the losers, the walk of shame.
A MacBook Pro and US$10,000 went to Charlie Miller of Independent Security Evaluators for successfully delivering a full command shell payload to Safari without even having physical access to the machine. Taking home an HP Envy Beats and a further US$10,000 was independent security researcher Peter Vreugdenhil for making short work of the security features of Internet Explorer 8 on Windows 7 64-bit edition. A Sony Vaio and yet another US$10,000 went to a researcher from MWR InfoSecurity for launching a calc.exe payload by exploiting Firefox on Windows 7.
So what happened on day two? Yes indeed, all of those successes were enjoyed on day one of the three-day contest. No doubt you'll have noticed one browser missing from the roll of (dis)honor, Google's Chrome. For the second year running, Chrome walked away unscathed, although this is not necessarily due to the browser being unhackable but just that, according to ZDI, "no one decided to take it down", adding that "there are many researchers sitting on Chrome vulnerabilities".
Google's Android mobile operating system on HTC's Nexus One also escaped unharmed in the mobile phone part of the competition. Apple's iPhone fell in just 20 seconds, though, with Vincenzo Iozzo and Ralf Philipp Weinmann breaking in and reading text messages stored on the device. Nokia's Symbian platform also fell to an anonymous contestant.
All vulnerabilities discovered in the contest have been reported to the various vendors to give them the chance to patch things up.
Does come with some devices. I'm a Web designer and Opera serves me well over the years, I love it, people are always bemused how quick and simple it works and is pretty high ranking when it comes to security, especially a worry to me as I can retrieve all stored passwords from other browsers with a local program on Windows (not saying, but the ease of achieving this is a worry, once played a prank on a friend with it but in the wrong hands :S ), I mean that's seriously not good!! I only trust Opera: so would be interested if it's still tops. So bad on Opera that blatant unbacked up lies by the others put the best browser out there in the dark, one that all the others are also copying lots of their so-called unique features off too!
Security is one thing, while being an attribute of reliability - and more than security specialists, the users can better judge from their own experience. Is there an application or a browser that never, ever crashed? Or can someone assure that it would never?
Google's Android - will have to check it out.
Dayspring Research
Still love how easy it is to hack a Mac. My iPhone has been hacked at least once at our local library. I had to change all the passwords on all the sites I use. Now I never go to important sites on my iPhone.
In fact, as federal employees we are locked out from even installing other browsers like Google Chrome, which is not fool-proof, but probably a 1000x safer than IE6, with Chrome's "sandbox" feature. Another terrorist "win" is that we can't even use thumb drives in any federal government computer... we're still making CD coasters to transfer files. Yup, running scared, instead of installing virus/trojan scanners, and disabling "autorun" in Windows for USB devices.
Yes, government efficiency, pro-active stance and forward-thinking technology in action!
Sheesh, $10,000 to have someone else find your weaknesses? Dirt cheap IT labor.