Pwn2Own 2010 - Which browser will be the first to crack?

Summary: With the annual Pwn2Own contest a little more than a month away (it kicks off March 24th) it's time for some predictions - which browser will be the first to fall this year?

Pwn2Own, in case you're not familiar with it, is a contest run by TippingPoint's Zero Day Initiative (ZDI) where individuals compete to hack a variety of applications and platforms. The rules are simple - you gain control of the system, and you get to keep the hardware and get a cash prize.

The event is spread over three days.

Day 1:

  • Microsoft Internet Explorer 8 on Windows 7
  • Mozilla Firefox 3 on Windows 7
  • Google Chrome 4 on Windows 7
  • Apple Safari 4 on MacOS X Snow Leopard

Day 2:

  • Microsoft Internet Explorer 7 on Windows Vista
  • Mozilla Firefox 3 on Windows Vista
  • Google Chrome 4 on Windows Vista
  • Apple Safari 4 on MacOS X Snow Leopard

Day 3:

  • Microsoft Internet Explorer 7 on Windows XP
  • Mozilla Firefox 3 on Windows XP
  • Google Chrome 4 on Windows XP
  • Apple Safari 4 on MacOS X Snow Leopard

So, which browser will be the first to be breached?

There's also a raft of mobile devices waiting to be hacked:

  • Apple iPhone 3GS
  • RIM Blackberry Bold 9700
  • A Nokia device running Symbian S60 (likely the E62)
  • A Motorola phone running Android (likely the Droid)

Should be interesting!

Talkback

101 comments
  • It would change the outcome if Linux were in the lineup

    But that's TippingPoint's bias.

    I am so confident that Ubuntu Linux 9.10 with AppArmor is impervious to exploits that I'll put my machine in the DMZ along with an ip if someone thinks they can pwn it.

    Here's my WAN ip: ***.***.***.***

    I'll fill the above octets in when I get confirmation from a black hatter.
    D.T.Schmitz
    • I'll do the same with Windows 7 and IE 8

      [i]I am so confident that Ubuntu Linux 9.10 with AppArmor is impervious to exploits that I'll put my machine in the DMZ along with an ip if someone thinks they can pwn it.[/i]

      Though I doubt anyone will take me up on the offer as I made it before and the Linux zealot was nowhere to be found.

      [i]But that's TippingPoint's bias.[/i]

      Or maybe it's their acceptance that Linux market share isn't worth it. What does that say about Linux as a niche product when it's been replaced with smartphones?
      ye
      • Windows 7 Caveats

        Caveats (http://dev.chromium.org/developers/design-documents/sandbox#TOC-Other-caveats) for Windows 7 Security Model:

        [b]Other caveats[/b]

        "The operating system might have bugs. Of interest are bugs in the Windows API that allow the bypass of the regular security checks. If such a bug exists, malware will be able to bypass the sandbox restrictions and broker policy and possibly compromise the computer. Under Windows, there is no practical way to prevent code in the sandbox from calling a system service.

        In addition, third party software, particularly anti-malware solutions, can create new attack vectors. The most troublesome are applications that inject dlls in order to enable some (usually unwanted) capability. These dlls will also get injected in the sandbox process. In the best case they will malfunction, and in the worst case can create backdoors to other processes or to the file system itself, enabling specially crafted malware to escape the sandbox."

        Linux partitions the kernel functions from LSM MAC functions in AppArmor or SELinux.

        As such LSMs have an added security advantage in that they police both the 'App' (Internet-facing App) and the Kernel.

        Not so with Windows 7. Google above even 'disclaims' that the sandbox is only as good as the underlying kernel. Injected dlls was given as an example of how the sandbox might become compromised.
        D.T.Schmitz
        • All the more reason to take me up on my offer.

          I am under no disillusion that Windows 7 is perfect and cannot be hacked. However I am confident in its ability to resist attacks. And I'm willing to stand by it in the same manner you are Linux and AppArmor.

          So how about it Dietrich? Care to take me up on it?
          ye
          • I've already made the offer. Bring it.

            nt
            D.T.Schmitz
          • Deleted - dup of the message below.

            .
            ye
          • Great! What are the rules?

            What is considered a compromise? How long does it run? How do we verify?

            I'll set up a default Windows 7 installation with current patches, no anti-malware, and send you a remote assistance request (so I can monitor what you're doing). You do your best to compromise the system by browsing around the Internet. Go wherever you like (save for illegal sites). Sound good?
            ye
          • Oh no no no....someone else has to do the hackery, not me.

            I'll expose an ip on the edge of my lan.

            Capiche?
            D.T.Schmitz
          • @D. T. Schmitz: And that tests AppArmor how?

            [i]I'll expose an ip on the edge of my lan.[/i]

            Doesn't sound like you're willing to expose Ubuntu in a default configuration.

            But I'll be happy to do the same with Windows 7. Configured for a public network. Again what are the rules?
            ye
          • Define standard configuration?

            Ubuntu 9.10 comes standard with AppArmor and profiles including one for Firefox-3.5.x

            My $HOME partition is encrypted with eCryptFS.

            No special tweaks otherwise a standard installation.

            Questions?
            D.T.Schmitz
          • @D. T. Schmitz: As it would be OOTB

            Without special configuration/hardening. IOW install the OS and apply the latest patches. As how your average end user would use it.
            ye
          • You can reach me at my website email address if you want.

            dietrich at dtschmitz dot com
            D.T.Schmitz
          • My machine is fully patched; clean install done yesterday.

            no special configuration done other than the aforementioned enablement of standard features.
            D.T.Schmitz
          • @D. T. Schmitz: That's not OOTB Dietrich.

            [i]no special configuration done other than the aforementioned [b]enablement of standard features.[/b][/i]

            You took steps to harden the system which I expressly said was prohibited.

            And once (if) you return this system to an OOTB configuration what exactly is supposed to be tested?
            ye
          • No. AppArmor is std, FF profile is installed std, eCryptFS is an option

            which if selected during install, encrypts your $HOME directory during 9.10 installation.

            These are features present in Ubuntu's standard installation without adding any other applications. No hardening.

            https://help.ubuntu.com/community/AppArmor
            https://help.ubuntu.com/community/AppArmor#How%20can%20I%20enable%20AppArmor%20for%20Firefox?
            https://help.ubuntu.com/community/EncryptedHome

            These are standard features ye.
            Questions?
            D.T.Schmitz
          • @D. T. Schmitz: You seem to be having problems understanding...

            ...the difference between OOTB and standard feature. I clearly said:

            "Without special configuration/hardening."

            To my knowledge, and maybe that's changed with 9.10, AppArmor is not configured OOTB. The fact you're using a standard feature means nothing if you have to configure/enable it post install.
            ye
          • Out of the box? Yes all of the aforementioned are out of the box.

            AppArmor has been standard in Ubuntu since version 7.04.

            See the links I gave you.
            Any more questions?
            D.T.Schmitz
          • @D. T. Schmitz: Yes, I do have a question:

            [i]AppArmor has been standard in Ubuntu since version 8.04.[/i]

            Do you know the difference between OOTB and standard feature? It doesn't appear so because I was very clear the system would have to be in the default state after installation (save for applying patches):

            "Without special configuration/hardening. IOW install the OS and apply the latest patches."

            I don't care if AA is a standard feature. As I said earlier:

            "The fact you're using a standard feature means nothing if you have to configure/enable it post install."

            To my knowledge AA requires you to configure/enable it post install. Therefore it doesn't meet the criteria I specified.
            ye
          • AA is running post install. Don't believe it? Install it and try...

            $ sudo aa-status

            It's there.

            As for the profile for Firefox, that is configurable during install, or post-install.

            Your understanding of AA is incorrect.

            Any more questions?
            D.T.Schmitz
          • @D. T. Schmitz: Sigh...I can only assume you've no interest...

            ...in having a mature discussion about this given your juvenile insistence on ignoring the rules you requested of me.

            [i]As for the profile for Firefox, that is [b]configurable[/b] during install, or post-install.[/i]

            See the highlighted word? I clearly said:

            "[b]Without special configuration[/b]/hardening. IOW install the OS and apply the latest patches. [b]As how your average end user would use it[/b]."

            The average end user isn't going to configure AA either during install or post install.

            Since you seem interested in only furthering your juvenile behavior by ignoring this obvious difference I can only conclude you're not serious. I have to say you're good at roping people in under the guise of having a genuine mature discussion.
            ye