ie8 fix
madison

Hardware 2.0

Adrian Kingsley-Hughes
Home / News & Blogs / Hardware 2.0

IE8, Safari and Firefox fall at Pwn2Own 2010

By | March 25, 2010, 9:13am PDT

Internet Explorer 8, Safari and Firefox web browsers have all fallen victim to a PWNAGE at this years Pwn2Own 2010 security contest.

Peter Vreugdenhil defeated Internet Explorer 8 on the Windows 7 platform despite security features such as ASLR and DEP, while star of Pwn2Own 2009 “Nils” cracked Firefox, also on the Windows 7 platform.

Mac users shouldn’t be too smug either, since Charlie Miller managed to circumvent Apple’s best defenses to compromise the Safari web browser on the Mac OS X platform.

So far, the only browser to remain standing is Google’s Chrome, because none

Note: Details on all the exploits used at Pwn2Own will be shared by contest organiser TippingPoint with the relevant vendors, allowing patches to be developed.

of the hacking contestants chose to target that browser.

The moral of this is simple - if a determined attacker wants to compromise a system, enough bugs exist on both the Windows and Mac platforms (and iPhone) to make this possible.

Sobering thought …

Kick off your day with ZDNet's daily e-mail newsletter. It's the freshest tech news and opinion, served hot. Get it.

More from “Hardware 2.0”

Topics

Security, Apple Macintosh, Mozilla Firefox, Apple Safari, Web Browser, Web Browsers, Microsoft Windows 7, Internet, Operating Systems, Microsoft Windows, Software, Adrian Kingsley-Hughes

Adrian Kingsley-Hughes is an internationally published technology author who has devoted over a decade to helping users get the most from technology.

Disclosure

Adrian Kingsley-Hughes

All opinions expressed on Hardware 2.0 are those of Adrian Kingsley-Hughes. Every effort is made to ensure that the information posted is accurate. If you have any comments, queries or corrections, please contact Adrian via the email link here. Any possible conflicts of interest will be posted below. [Updated: February 23, 2010] - Adrian Kingsley-Hughes has no business relationships, affiliations, investments, or other actual/potential conflicts of interest relating to the content posted so far on this blog.

Biography

Adrian Kingsley-Hughes

Adrian Kingsley-Hughes is an internationally published technology author who has devoted over a decade to helping users get the most from technology -- whether that be by learning to program, building a PC from a pile of parts, or helping them get the most from their new MP3 player or digital camera.

Adrian has authored/co-authored technical books on a variety of topics, ranging from programming to building and maintaining PCs. His most recent books include "Build the Ultimate Custom PC", "Beginning Programming" and "The PC Doctor's Fix It Yourself Guide". He has also written training manuals that have been used by a number of Fortune 500 companies.

Adrian also runs a popular blog under the name The PC Doctor, where he covers a range of computer-related topics -- from security to repairing and upgrading.

Related Discussions on TechRepublic

Did you know you can take part in these discussions with your ZDNet membership?
Ask a Question Start a Discussion
106
Comments
Add Your Opinion

Join the conversation!

Just In

That's not a time.
AzuMao 2nd Apr 2010
Just link to the post where I did, okay.
View in thread
0 Votes
+ -
"... none of the hacking contestants chose to target that browser" (chrome)
Great Kahuna Updated - 25th Mar 2010
We can only guess what might be holding them back.

Anyway, I think I could dare to throw an educated guess as to what it is.
0 Votes
+ -
no need to guess
rtk 25th Mar 2010
apathy and disinterest.
0 Votes
+ -
Wrong! It's fear of failure that stops them, even panic, I dare to say.
Great Kahuna Updated - 25th Mar 2010
Cause failure is most likely outcome for all their efforts against software produced by a company that has Open Source at its core, one that knows how to play the security card and leaves obscurity to the care of others, like M$ or Apple.
0 Votes
+ -
Woah! I was WAY off!
WarhavenSC 25th Mar 2010
I was going to pick "lack of Cheetos supply inhibits effective work on two exploits at once." It's a good thing you're telepathic and can read all of their thoughts before they've even discussed why they didn't bother with Chrome this time around.
0 Votes
+ -
One thing is obvious from your comment
Viva la crank dodo 25th Mar 2010
You are working from the inside. We were trying to suppress the Cheetos supply scandal and here you are advertising it to the world.

Thanks alot
0 Votes
+ -
Open source security holes...
Tom12Tom 25th Mar 2010
The myth that open source software is more secure than proprietary software is refuted by reality.

As Firefox demonstrates, open source software has plenty of security holes.

As an added "bonus":

Unlike IE8, Firefox doesn't support Protected Mode.

IE8's SmartScreen Filter is superior to Firefox's offering.
0 Votes
+ -
Firefox running in your machine may be vulnerable, in mine it isn't...
Great Kahuna Updated - 25th Mar 2010
firefox running in my machines is simply inexpugnable.
0 Votes
+ -
Dream on Sparky. (nt)
ths40 25th Mar 2010
...
0 Votes
+ -
It's all in the OS, really. No piece of software is safe when the OS isn't.
Great Kahuna Updated - 25th Mar 2010
Just run firefox in Ubuntu, then you will see just how safe it is.
0 Votes
+ -
I'll back you up!!
Ron Bergundy 25th Mar 2010
I bet not 1 person here can find even the tiniest article showing Linux has ever been hacked!!
0 Votes
+ -
AppArmor LSM renders attacks useless. 0-day Exploits less impactful when
Dietrich T. Schmitz GNU/Linux Advocate Updated - 25th Mar 2010
...Linux users of Internet-facing Apps run profiled by AppArmor Linux Security Module (LSM).

GPG Keyring-protected 'ring of safety' surrounds all Apps/Blobs/Drivers in the Ubuntu repository system.

These two Ubuntu Linux 'features' combined ensure that users will enjoy a maximum of safety.

Any not fully-patched Internet-facing App which is sandboxed by AA simply cannot be exploited.

So, in that respect, the 'rush' to patch a Zero-Day exploit becomes 'a lesser priority' because any exploit will fail on a AA-profiled system.[1]

The key difference between Windows and Linux is that all of the security model features of W7 run inside the kernel memory space. AppArmor (or SELinux) runs in its own protected memory space 'external' to the system kernel and is capable of policing both the 'profiled App' and kernel.

The LSM design is thus superior to Windows 7.
Exploits are stopped cold in their tracks by AA.

Linux is being intentionally overlooked but would not get owned by any hacker in this challenge.

I stake my reputation on it.

Dietrich T. Schmitz
GNU/Linux Advocate

==================================
[1] Users/Admins should patch their systems and be fully up to date but AppArmor provides an added layer of 'protection' to mitigate zero-day attacks.
0 Votes
+ -
You DO have a reputation around here...that's for sure...
ths40 25th Mar 2010
...the only problem is, it is a completly BOGUS one.
  • Flagged
0 Votes
+ -
My points are irrefutable. Ad hominem attacks reflect badly on you!
Dietrich T. Schmitz GNU/Linux Advocate 25th Mar 2010
nt
0 Votes
+ -
@DTS Irrefutable?
Earthling2 25th Mar 2010
Only in your own mind blinded by Linux propaganda. wink

iPhone had all its code signed. It failed.

Both IE8 and Firefox are code signed, too; no additional unsigned apps were installed on the hacked system. Conclusion? Code signing (GPG keyring in your terms) is an important component of security, it may protect against trojans, but it is not a 100% insurance against hacking.

Similarly, AA does not protect against all escalation of privilege and DOS attacks. Read ubuntu.com/usn or secunia for a long list of Lunux kernel vulnerabilties.

Finally, it is not enough to protect only Internet-facing apps. All apps that deal with data downloaded from untrusted sources must be profiled, but this, if at all possible, will interfere with app usabiltiy, if they are not designed correctly. And again, it won't protect against vulnerabilties that do not require unusual system calls.
0 Votes
+ -
Whatever
bmonster 25th Mar 2010
"Linux is being intentionally overlooked but would not get owned by any hacker in this challenge."

Did any of the hackers or say why Linux wasn't hacked? If not you are making a few very self-serving assumptions.
0 Votes
+ -
Linux would put them out of business, that's why.
Great Kahuna Updated - 25th Mar 2010
They all make their livings out of exploiting vulnerable computers, be it legally or otherwise. Linux with its rock solid security features means death to their source of income. The day Linux starts to dominate the market will be the last day for the AV industry.

Survival is the real reason these guys must play Linux down.
0 Votes
+ -
Dude...
bmonster 25th Mar 2010
Can you please respond with substantive posts. You opinion is not highly valued. Since you couldn't quote anybody related to the pwn2own contest going on record to explain why Linux was overlooked, don't speculate.
0 Votes
+ -
@Great Kahuna How do you call cheese with thousands of little holes in it?
Earthling2 Updated - 25th Mar 2010
Ubuntu 8.04 (previous LTS release):

Affected By:
249 Secunia advisories
811 Vulnerabilities

http://secunia.com/advisories/product/18611/

Ubuntu 6.06 (as old as Vista):

Affected By:
441 Secunia advisories
1371 Vulnerabilities

http://secunia.com/advisories/product/10611/
0 Votes
+ -
@Earthling2: Maybe, but those holes are nanoscopic...
Great Kahuna 25th Mar 2010
... there's no way you can pass an exploit through them.

It's as if they were not there.
0 Votes
+ -
@Great Kahuna
bmonster 25th Mar 2010
I'm sure they seem small to you, but you're not a hacker-guru type are you?
0 Votes
+ -
How many exploits have you seen pass through those holes?
Great Kahuna 25th Mar 2010
Hmm... just as I thought, they are too tiny to be of any use in the real world.

Let them live inside your head where no doubt they will be able to thrive and flourish into magnificent security compromises.
0 Votes
+ -
Well...
bmonsterman 25th Mar 2010
Here is one from last summer:

http://news.zdnet.com/2100-9595_22-322456.html
0 Votes
+ -
That's EXACTLY right Big Kahuna!!!
Ron Bergundy 25th Mar 2010
I don't know who you are, but I do know that we've got to be some of the smartest people here since we both think the EXACT SAME THING!!!

its been proven time and time and time again that you CAN'T hack Linux or open source!!!
With Chrome OS and the Chrome browser, computing will once again be safe, an M$ and Apple will be nothing but a memory!!
0 Votes
+ -
Since when the hacked Firefox is not open source? (nt)
Earthling2 25th Mar 2010
.
0 Votes
+ -
Wrong on both counts.
AzuMao 25th Mar 2010
Nothing stopped them from trying. They just don't try to find vulnerabilities and exploit them at Pwn2Own; they do that ahead of them. None of them were able to make a working attack against it ahead of time, nothing more to it than that.

And Firefox is open source.

And Safari is just a GUI for an open source renderer originally made for an open source OS.
0 Votes
+ -
Just keep telling yourself that.
AzuMao 25th Mar 2010
Every day, it's the same story; "The only reason Windows/IE/Safari get hacked so much is cause they are sooo special and everyone loves them so much!".. give it up.
0 Votes
+ -
I didn't even say that, let alone tell myself that
rtk 27th Mar 2010
Your strawman is burning, but that's all.
0 Votes
+ -
Then what did you mean by
AzuMao 27th Mar 2010
no need to guess
apathy and disinterest.
0 Votes
+ -
What's confusing you?
rtk 27th Mar 2010
It surely doesn't say anything about anything being special and universally loved.
0 Votes
+ -
It sounded like you were trying to say Windows was more special/interesting
AzuMao 27th Mar 2010
0 Votes
+ -
That's your bias showing through
rtk 27th Mar 2010
I didn't even mention Windows.
0 Votes
+ -
Then what did you mean? Did you mean anything at all???
AzuMao 27th Mar 2010
0 Votes
+ -
It's pretty clear
rtk 27th Mar 2010
I meant there's not need to guess why, as TippingPoint confirmed, it was removed due to apathy and disinterest in previous years.
0 Votes
+ -
So Windows isn't more interesting than Linux..
AzuMao 27th Mar 2010
..and Linux wasn't included this time because it wasn't interesting enough, but Windows was included..


Talk about cognitive dissonance.
0 Votes
+ -
So in your world interest equals love?
rtk 28th Mar 2010
You make some mighty leaps of logic, it's no wonder you miss the landing so often.
0 Votes
+ -
Cool, just keep falling back ad hominem attacks whenever called out.
AzuMao 28th Mar 2010
Instead of trying to derail the thread again, why not just respond logically??

Synopsis;

You stated as fact here that the reason nobody hacked Chrome was because they were all apathetic to and disinterested in it (as opposed to the other browsers).

So I call you out here on the obvious implication of your statement, that the others are somehow more loved/interesting (as opposed to inciting apathy and disinterest like you stated Chrome did).


You respond by denying your previous post here .

I quote it ad verbatim here .

You deny it again here and start trying to change the subject with an ad hominem attack against me.

I again point out the obvious implications of your post here .

You continue launching ad hominem attacks against me here and denying the post you made.

I give you another chance to explain what else it could have meant here .

You respond by simply rewording it here , with the same obvious conclusions.

I directly call out the contradictions (that the only reason Chrome wasn't hacked was that nobody was interested in it, but that this didn't mean IE (which was hacked) was somehow more interesting) here.

And in response, only get more baseless ad hominem attacks directed at me.

This is going nowhere.
0 Votes
+ -
You haven't called out anything
rtk 28th Mar 2010
Instead of trying to derail the thread again, why not just respond logically?

There's no thread to derail, just you and I, back and forth at this point. Most of it will probably disappear on Monday when the mods are back.

loved/interesting

Love is not a synonym for interest. You wrongly accused me, based on your own biased inferences and conclusions, that I said something I clearly did not. You even put it in quotes.

Asking for the source of your confusion or pointing out where you are demonstrating an obvious bias are not ad hominem attacks.
0 Votes
+ -
Resorting to petty semantics now, eh? Replace "love" with "care". Happy?
AzuMao Updated - 28th Mar 2010
0 Votes
+ -
It's not petty semantics.
rtk 29th Mar 2010
You attempted an appeal to emotion, just another red herring.
0 Votes
+ -
Anyways, I've fixed it. Do you have any further objections or was that it?
AzuMao 29th Mar 2010
0 Votes
+ -
Not in regards to the attempt to put words in my mouth
rtk 29th Mar 2010
but overall I can't see where else you'd want to take this sub-thread.
0 Votes
+ -
Hmm?
AzuMao 29th Mar 2010
You've contradicted yourself. I don't need to put any words in your mouth.

I just want to know if you have any other excuses or if love not being the exact antonym of apathy was it.
0 Votes
+ -
Weak attempt
rtk 30th Mar 2010
You were guilty of trying to put word in my mouth, a pattern you've continued in the other thread we're replying to.

Do you have anything to offer this thread other than your appeal to emotion?
0 Votes
+ -
Did you miss my post?
AzuMao 30th Mar 2010
In case you did, here.
0 Votes
+ -
Yup, I saw your gish gallop.
rtk 30th Mar 2010
I've no interest in pointing out all of the continued half-truths, straw men, red herrings and general twist and spinning.

I did not say what you implied back on the 25th, that was your interpretation of what I said, assuming inferences based on your personal bias.

Ya done?
0 Votes
+ -
So you're again denying that you said the only reason Chrome survived was..
AzuMao 30th Mar 2010
.."apathy and disinterest"?
0 Votes
+ -
I'm starting to wonder if
rtk Updated - 30th Mar 2010
English is your second language? You repeatedly claim I've said things I clearly have not, maybe you have a bad translation service?

So you're again denying that you said the only reason Chrome survived was.. .."apathy and disinterest"?

I haven't denied anything anywhere in this talkback, and I answered the question posed by great kahuna:

""... none of the hacking contestants chose to target that browser" (chrome)

Great Kahuna - 03/25/10 (Edited: 03/25/10 @ 09:38)

We can only guess what might be holding them back.

Anyway, I think I could dare to throw an educated guess as to what it is. "

I'm assuming your guess is that chrome was just too durned seee-cure?

My guess was apathy and disinterest.

Then we got off topic when you tried to put words in my mouth about things being special and loved.
0 Votes
+ -
Will you stop claiming to have never said it if I post a link to it???
AzuMao 31st Mar 2010
I didn't see the need, since it's right there in plain view, and I already linked to it earlier in this discussion, but here you go again. It's right there.

Mouse your mouse over the link to see where it's pointing to if you're worried this is some kind of a trick or something.
0 Votes
+ -
Your translator is still broken.
rtk 31st Mar 2010
The link you post to doesn't say what you are claiming, you've (once again) twisted, restated and added meaning that was not in my post.

http://talkback.zdnet.com/5208-12554-0.html?forumID=1&threadID=77473&messageID=1511672

Read you subject line, here you make the claim that I'd said "The only reason chrome survived", notice that word "survived". I said nothing of the sort, I said it wasn't "targeted" because of apathy and disinterest, IMHO.
0 Votes
+ -
Survived as in made it through the competition without being taken down.
AzuMao 31st Mar 2010
Maybe Chrome is rendering your post wrong, because it looks like you said "no need to guess", not "in my honest opinion"/"my educated guess"/etc.
0 Votes
+ -
That's not a time.
AzuMao 2nd Apr 2010
Just link to the post where I did, okay.

Join the conversation!

Formatting +
BB Codes - Note: HTML is not supported in forums
  • [b] Bold [/b]
  • [i] Italic [/i]
  • [u] Underline [/u]
  • [s] Strikethrough [/s]
  • [q] "Quote" [/q]
  • [ol][*] 1. Ordered List [/ol]
  • [ul][*] · Unordered List [/ul]
  • [pre] Preformat [/pre]
  • [quote] "Blockquote" [/quote]
ie8 fix
Click Here
ie8 fix

The best of ZDNet, delivered

ZDNet Newsletters

Get the best of ZDNet delivered straight to your inbox

Facebook Activity

Blog Roll

Blog Archive

White Papers, Webcasts, & Resources
ie8 fix
ie8 fix