
IE8, Safari, iPhone All Fall At Pwn2Own Contest

Posted by timothy
from the sucks-to-be-everyone dept.
SpuriousLogic writes "The annual Pwn2Own contest at CanSecWest is underway, and on the first day Web browsers fell to attack. Internet Explorer 8 and Firefox 3.6.2 on 64-bit Windows 7 and Safari on OS X all were forced to run exploit code. To add insult to injury, an iPhone was cracked and the SMS database lifted from it." Updated 22:40 GMT by timothy: CWmike adds this interesting bit: "The only researcher to three-peat at the Pwn2Own hacking contest said on Thursday that security is such a 'broken record' that he won't hand over 20 vulnerabilities he's found in Apple's, Adobe's and Microsoft's software. Instead Charlie Miller will show the vendors how to find the bugs themselves."

  • Title misleading? (Score:5, Insightful)

    by Anonymous Coward on Thursday March 25, 2010 @06:31PM (#31618734)

    Title misleading maybe... just a bit? Firefox got owned as well.

    • by Anonymous Coward on Thursday March 25, 2010 @06:34PM (#31618778)

      Mod parent up. We all love firefox and all, but seriously, it deserves as much shame as all the other failed browsers. Submitter biased much?

      • Re: (Score:3, Insightful)

        by dogmatixpsych (786818)
        Actually I don't love Firefox. I use it as my main browser at home but I prefer Safari or Chrome. Firefox crashes frequently - at least a couple times a week - but I've never had problems with Safari or Chrome.
        • Re: (Score:2, Insightful)

          by pete_norm (150498)

          If you have that much trouble with Firefox, why do you keep using it?

          • That was going to be my question. Pretty much I use Chrome for most of my browsing. If a page doesn't work, just IE tab it. Not even game to use Firefox these days due to sluggish performance and continual crashes.

            I was, at one stage, a HUGE fan of Firefox. Before Mozilla fucked it up like they did with the original Mozilla/Netscape browsers.

            • by pnewhook (788591)

              Same here. Got tired of IE slowness and switched to Firefox. But incompatibilities, slowness and the plugin nonsense got me to try Chrome and I love it. So much faster. Never looked back.

          • I use it because of the Add-ons. I've found replacements for most of my add-ons (most of them are stand-alone programs) but there are a few I still use. Also, I have a bunch of saved logins and passwords in Firefox that I haven't completely transferred to Safari. I'm transitioning away from Firefox but haven't made the leap yet (the newest update to Firefox has been considerably more stable though).
        • I use it as my main browser at home but I prefer Safari or Chrome

          This sentence is strange.

        • by Red Flayer (890720) on Thursday March 25, 2010 @07:27PM (#31619370) Journal

          Firefox crashes frequently - at least a couple times a week - but I've never had problems with Safari or Chrome.

          Wimp. Firefox is open source. Why didn't you fork the project, fix the crashing problem, and then offer the patch code upstream while distributing Firefox under your own branding?

          That's how open source is supposed to work, you ninny. Why don't you actually participate in it once in a while, instead of just being an end user?

        • by poetmatt (793785) on Thursday March 25, 2010 @10:29PM (#31621158) Journal

          What are you doing exactly that firefox crashes? Other than jinitiator problems, there's almost nothing that can do so.

          Your lack of information makes me skeptical of vying for firefox instability. In fact, it sounds downright misleading. This is like saying "My car stalls sometimes". The answer is, sure, it does, but what are you doing to cause it? Firefox doesn't just "Crash on its own" and neither does any browser.

          Likewise, the same basically applies to safari, IE8, etc. As much as all browsers have security risks, their instabilities mostly don't exist.

          • Re: (Score:3, Informative)

            by Cederic (9623)

            Clearly you never visit sites that use Flash or other plugins.

            Firefox the browser may not crash often. Firefox the platform does. And when it does, it takes down all my open websites.

            I still use it anyway of course - no switching until AdblockPlus (or equivalent) is available for a worthy competitor.

          • Re: (Score:3, Informative)

            by Xest (935314)

            I too have experienced crashes with Firefox since 3.6, and awful slow downs, in fact, I left it running overnight and locked my computer then came down the next morning to find my computer running slow. I checked task manager and found that Firefox was sat using 1.8gb of RAM, so certainly there seemed to be something screwy with memory management there.

            I _think_ the problem is down to handling of some Javascript, when it's crashed it's been loading certain pages, but I can't say for sure. I've always had qu

  • Google Chrome (Score:3, Interesting)

    by drcosquared (1720540) on Thursday March 25, 2010 @06:32PM (#31618750)
    Apparently none of them wanted to take on Google Chrome... I believe no one was able to crack it last year.
  • Well ... (Score:5, Insightful)

    by WrongSizeGlass (838941) on Thursday March 25, 2010 @06:33PM (#31618760)
    ... these guys (and gals?) all know what they are going to try before they ever get to this contest. It's not like they discover all these vulnerabilities during some epiphany once they arrive.

    On the other hand, these security holes are real and need to be addressed by anyone and everyone that was shamed (this means MS, Apple, Mozilla, everyone) pronto!
    • Re: (Score:3, Insightful)

      the very fact that these people know what to do beforehand is proof that app security is generally terrible.
      • Re:Well ... (Score:4, Insightful)

        by Bill_the_Engineer (772575) on Thursday March 25, 2010 @07:00PM (#31619062)

        the very fact that these people know what to do beforehand is proof that app security is generally terrible

        App security may be generally terrible, but I believe that the fact really proves that the contestants can keep a secret until the contest.

      • by Tetsujin (103070) on Thursday March 25, 2010 @07:02PM (#31619088) Homepage Journal

        the very fact that these people know what to do beforehand is proof that app security is generally terrible.

        Well, I think you have a very good point there - but on the other hand, the developers do have to prioritize the work they do. Finding and fixing a serious, but hard-to-discover security flaw before this flaw has become widely disseminated may not be worth the effort. In principle "security through obscurity" isn't a good policy but in practice it's often good enough. If the software has a serious flaw but nobody knows about it, that's good enough, at least temporarily.

        • "the developers do have to prioritize the work they do."

          Of course they have to, since they are a scarce resource.

          "Finding and fixing a serious, but hard-to-discover security flaw before this flaw has become widely disseminated may not be worth the effort."

          You are right... provided that was the case which, for the most part, it isn't.

          We are no more on the glory days of Ada Lovelace or Alan Turing. We know (as a collective) what must be done. The case is that, for the most part, all those bugs are not "seri

    • I didn't see Opera get mentioned...
  • by dingen (958134) on Thursday March 25, 2010 @06:42PM (#31618876)
    It was already known and acknowledged by Microsoft that their ASLR implementation on 32-bit Windows was rather weak, but apparently the 64-bit version of it can be bypassed as well, as all of the hacks of pwn2own on Windows 7 made use of return-to-libc attacks, which should be impossible on systems with address space layout randomization.
    • So ASLR and DEP are both red herrings and don't fix the real problems with PC security!?

      GASP! Where's my fainting couch?

    • by aristotle-dude (626586) on Thursday March 25, 2010 @07:14PM (#31619210)

      It was already known and acknowledged by Microsoft that their ASLR implementation on 32-bit Windows was rather weak, but apparently the 64-bit version of it can be bypassed as well, as all of the hacks of pwn2own on Windows 7 made use of return-to-libc attacks, which should be impossible on systems with address space layout randomization.

      You can corrupt memory on 64-bit windows by just running MSFT's own development tools like VS.NET with resharper plug-in. VS.NET begins to corrupt the address space rather quickly. To run VS.NET with any amount of stability on 64bit windows, you have to run it through a third party wrapper application which patches VS in memory to make it large address space aware and stop the memory fragmentation.

      • by gparent (1242548)
        VS has never done this for me. Which version of Visual Studio are you talking about? Really VS.NET? Because that's 7 years old AFAIK.
        • by Sir_Lewk (967686)

          That any program can do that is the real issue...

          • GP was talking about the process' own address memory. Of course any process can "corrupt" its address memory (that is, heap structures and stack frames), and that is true on any modern OS. The OS only guarantees that one process won't be able to corrupt (or, generally, access) the address space of another.

        • by aristotle-dude (626586) on Thursday March 25, 2010 @10:35PM (#31621208)

          VS has never done this for me. Which version of Visual Studio are you talking about? Really VS.NET? Because that's 7 years old AFAIK.

          VS 2008 is a 32bit application and it is not even large address space aware so when it is running inside of WOW (windows on windows) in 64bit Server 2008 R2, you will get memory fragmentation fairly quickly because of memory allocation bugs within the Wow subsystem of the 64bit version of any MSFT OS. As Sir_Lewk points out, any 32bit application can cause this problem. The less memory you have, the faster you will notice it.

          See this page for information on the problem:

          http://stevenharman.net/blog/archive/2008/04/29/hacking-visual-studio-to-use-more-than-2gigabytes-of-memory.aspx [stevenharman.net]

          Here is a fix for the problem:

          http://confluence.jetbrains.net/display/ReSharper/OutOfMemoryException+Fix [jetbrains.net]

          Other OSes like OS X and linux do not seem to have these sort of problems. I am able to run 64bit apps in Snow Leopard while running in 32bit kernel mode for driver compatibility. Not only does windows not run 32bit apps properly in 64bit mode but it cannot run 64bit apps in 32bit mode and the 64bit version is a completely separate build of the OS.

          • by aristotle-dude (626586) on Thursday March 25, 2010 @11:43PM (#31621720)
            Whoever modded me a troll obviously did not read the links that I posted. It is a real issue and affected my development environment at work. My 32bit workstation is quite stable but a project that I am working on requires access to copies of production data so we have to do our development on VMs in a separate dev domain and the VM I was given is 64bit to match our target servers. I have useable stability on my VM several hours at a time as long as I run VS 2008 only through that wrapper program and don't kick off the full build script. Eventually, memory corruption problems will bring down either SQL 2008 management studio (has 32bit components) or my wrapped VS 2008 instance. Once the memory is corrupt, I have to reboot the VM.
      • by geekboy642 (799087) on Thursday March 25, 2010 @07:42PM (#31619568) Journal

        Wait, wait, don't tell me: Running an 8 year old development platform written by amateurs with an unsupported 3rd-party plugin in a 32-to-64-bit emulation layer on a modern operating system is unstable? Oh my fuck, it's Armageddon!

        • by turbidostato (878842) on Thursday March 25, 2010 @09:17PM (#31620558)

          "Wait, wait, don't tell me: Running an 8 year old development platform written by amateurs with an unsupported 3rd-party plugin in a 32-to-64-bit emulation layer on a modern operating system is unstable? Oh my fuck, it's Armageddon!"

          You don't get it, do you?

          That the application were unstable would be no news. That your 8 year old amateurish application can corrupt the memory space of a modern 64-bit OS *is* Armageddon for the OS architect... or it should be, at the very least.

          • That the application were unstable would be no news. That your 8 year old amateurish application can corrupt the memory space of a modern 64-bit OS *is* Armageddon for the OS architect...

            It cannot. An NT process cannot "corrupt" (whatever that means in this context) the memory space of another process. If it is really what the original post meant, it's both outlandish and false. But I think that you rather read it wrong, and the actual claim is memory corruption within VS process, which is obviously possible by malicious or badly written code.

        • Wait, wait, don't tell me: Running an 8 year old development platform written by amateurs with an unsupported 3rd-party plugin in a 32-to-64-bit emulation layer on a modern operating system is unstable? Oh my fuck, it's Armageddon!

          No, I am running VS 2008 and as I pointed out in another post, OS X can run 64bit apps in 32bit mode or vice versa no problem.

          Here is a link to more on the problems I was having and someone in the responses posted a link to a wrapper in memory patch to the fragmentation problem.

          http://stevenharman.net/blog/archive/2008/04/29/hacking-visual-studio-to-use-more-than-2gigabytes-of-memory.aspx [stevenharman.net]

      • by jpmorgan (517966)

        ???

        I don't see memory fragmentation being a problem with 64-bit address spaces for a very, very long time. Unless a contiguous range of 2^40 addresses is just not enough.

        • ???

          I don't see memory fragmentation being a problem with 64-bit address spaces for a very, very long time. Unless a contiguous range of 2^40 addresses is just not enough.

          My development VM only has 2GB allocated to it. The instability is exacerbated if I do a full build of the entire tree via command line as the build will call a bunch of 32bit commands. Most of our developers are still on 32bit machines which are quite stable but I was developing software to target a 64bit server farm so someone thought it a good idea for me to develop on a 64bit VM.

          Opening up SQL Server 2008 management studio at the same time as even a patched VS 2008 instance can be problematic. Allocat

  • by carlhaagen (1021273) on Thursday March 25, 2010 @06:51PM (#31618956)
    The exploits were of course not found in the 5, 10 or 15 minutes advertised. They were all worked on for weeks, and even months, and were well-tested and prepared before being executed at the contest like a rehearsed stage play. Also worth noting is that the reason behind "Chrome only browser that withstood security breach" was that NO ONE TESTED CHROME AT ALL. I give this particular "Pwn2Own" show no credibility whatsoever because of these details.
    • by Elwood P Dowd (16933) <judgmentalist@gmail.com> on Thursday March 25, 2010 @07:13PM (#31619194) Journal

      Isn't your point about Chrome invalidated by your point about the time taken?

      Did no one attack Chrome because none of these researchers had an exploit that would work against it?

      • by tyrione (134248)

        Isn't your point about Chrome invalidated by your point about the time taken?

        Did no one attack Chrome because none of these researchers had an exploit that would work against it?

        VANCOUVER, BC -- For the third year in a row, Charlie Miller has hacked into a MacBook by exploiting a critical Safari browser vulnerability. At the CanSecWest Pwn2Own hacker contest here, Miller performed a clean drive-by download against Safari to get a full command shell on the MacBook. In the attack, Miller set up a special Web page with the exploit. Using Safari, a conference organizer surfed to the Web page and watched as Miller took control of the machine.

        I'd like to see whether the exploit was

    • by Bill_the_Engineer (772575) on Thursday March 25, 2010 @07:18PM (#31619264)

      I give this particular "Pwn2Own" show no credibility whatsoever because of these details.

      I believe what you really meant to say was that we shouldn't fall into the trap of believing that Chrome is actually safer due to the fact that no one really targeted it in this contest.

      I've done my share of "Digital Combat Exercises" and you are correct that we should only view the contest as a verification that flaws exist, and not as a certification that a particular platform is safe.

      For my first competition, my team concentrated on all the windows machines on the network because we had a list of known exploits and figured that we could exploit them the quickest and therefore accumulate the highest score possible within the time limits. All teams used the same strategy, and the Linux machines weren't even targeted. This wasn't because Linux was safer, it was because we all knew Windows was a softer target. This made for some very close final scores.

      For the following year's contest (which I couldn't participate in due to a schedule conflict), my old team paid attention to the known exploits for Linux and started targeting them to guarantee a larger lead going into the final minutes of the contest.

      I think you'll see this pattern in all "hacker" contests. Each year more platforms will fall as each team strategizes on what will give them the edge during the time allotted. You'll probably see Chrome fall next year. Look at Safari in Pwn2Own, it wasn't until 2 years ago before people started to seriously attack it for the points.

      • by Anonymous Coward on Thursday March 25, 2010 @07:57PM (#31619744)

        This wasn't because Linux was safer, it was because we all knew Windows was a softer target.

        Whoa, whoa, WHOA. Just stop right there, Bill. I'm going to have to teach you a thing or two about what you're allowed to write here on Slashdot. Now give me a second to get on my high-horse.

        Reasoning is not welcome here.

        That's right Bill. We don't need your reasoning here. We know we are right. This is Slashdot! We are the tech community. We know our OSes. We know our software. Just because of some contest with some rules and some teams that want to win the contest by the rules doesn't automatically invalidate our knowledge and wisdom as Slashdot.

        Linux is more secure because it is open source and licensed under the GPL. It doesn't matter if it is still unsafe by your standards.

        You see, Bill, we on Slashdot do not need to review the source code of Linux because we have declared it safe. Why is it safe? Because it is GPL. And everyone knows the GPL is safe. Therefore Linux is safe, Bill.

        IE8 is mentioned first because it is owned by Microsoft, and Microsoft is evil due to historical technology atrocities against other for-profit software corporations. Therefore IE8 is the worst piece of software ever to exist.

        So the reason why IE8 falls faster is not because you and your team thought the Microsoft product was "softer". It was because it was the spawn of the devil! Even wackos know the spawn of the devil should be hacked first. Don't you agree?

        Firefox is not listed in the title because we need to get a head start on bashing proprietary software rather than reading the summary.

        As a real Slashdotter, I pride myself in not reading the article let alone the summary. The title effectively summarizes the direction of all comments in the thread. And that direction is to bash proprietary software, starting with Microsoft first.

        Here's a tip, Bill. The headline on Slashdot should give you a hint at what kind of comment you should post on Slashdot. If you are not capable of discerning that from the title, only then may you read the summary. Reading the article is only reserved for picking out additional points to backup your original claim, not to invalidate Slashdot's wisdom. And that would never happen because Slashdot's wisdom is never wrong in the first place.

        Apple and Google are bad... but did you know that OSX is really UNIX and Webkit and Chrome are open source?

        See, once again open source products are good for you. You should use open source products!

        I hope that clears things up, Bill. Please refrain from posting useless comments in the future.

        Thanks,

        /.

    • Why would you ever imagine something called "Pwn2Own" might ever have credibility in the first place?

  • Article is so poor in detail :(

    • Re: (Score:3, Informative)

      by dingen (958134)
      Opera was not one of the targeted browsers. Check out this page [tippingpoint.com] for info and updates on pwn2own.
  • Holy Shit (Score:3, Funny)

    by Onymous Coward (97719) on Thursday March 25, 2010 @07:02PM (#31619086) Homepage

    Instead Charlie Miller will show the vendors how to find the bugs themselves.

    Well, there's an idea. Is it something that really can be taught?

    • by Kitkoan (1719118)

      Instead Charlie Miller will show the vendors how to find the bugs themselves.

      Well, there's an idea. Is it something that really can be taught?

      The bugs he found can be taught on how to fix, but will it help them find different bugs is more the question.

    • Re: (Score:3, Interesting)

      by Onymous Coward (97719)

      No, really, guys, is it something that can be taught? Or is it more like having the knack for programming in the first place? Like having the cleverness to come up with certain algorithms? If you can describe it well enough that you end up with something ... that ... can ... I bet ... you end up with a program? Um, Purify? Valgrind? I'm not a programmer, but I think those only go so far, right? So we don't have the knowledge in question codified, I bet, so I suppose there may also be some challenge

  • Sandboxing news! (Score:2, Informative)

    by Anonymous Coward

    "However, neither the Firefox nor the IE 8 exploit could overcome the sandboxing features in Windows 7 Protected Mode."

    big, good, relevant, no, yes?

    • by El Lobo (994537)
      Good and relevant, but definitely not on slashdot. We prefer to ignore those bits of information.
  • As secure and hardened as they can make them, 100% standards compliant. And then cry and whine like little bitches as everybody sneers and calls them pathetic lamer noobs because their browsers totally suck at delivering content.
    • Actually, I bet their browsers are gonna suck at security too. It's much easier to find one exploit from 1 million lines of code than to make sure your 1 million lines of code have absolutely no security holes.
