Insecure Candidates: Chrome Wins Hacking Contest
At the CanSecWest Vancouver 2009 conference's PWN2OWN hacker's competition the Safari, Internet Explorer 8 and Firefox browsers were successfully hacked to run code on their systems. The Chrome browser was recognized as being the least impacted by the hackers.
The two-day PWN2OWN competition had but one goal: hacking an application as fast as possible to run code in it. The hacker contest is a feature of the annual CanSecWest conference, this year in Vancouver March 16-20, where standard PCs and Macs are subjected to vulnerabilities using the current version of the targeted software containing all the newest security updates. This year the hackers were to hack four fully patched browsers and five mobile devices. While the mobile devices remained "unscathed," almost all browsers failed the test in one way or another.
In less than 10 seconds Charlie Miller could open his MacBook with Safari and promptly won the $5,000 Zero Day Initiative prize. After jury members clicked a specially prepared link, Miller could control the system through an undocumented security hole.
Internet Explorer 8 was the next victim (ironically almost parallel to its official start in Las Vegas) to follow the MacBook pattern. A hacker named simply Nils used an undocumented vulnerability to control the Windows 7 subsystem and won another $5,00 prize from ZDI. He also exploited the first known security hole of IE8. Just earlier Microsoft's Dean Hachamovitch in his talk had praised the high security standards of IE8 with its Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) protection technologies.
Twice again Nils pulled off victories. First was a Safari exploit that won him another $5,000. Secondly, the Firefox competition didn't escape his schadenfreude and he won another prize through a zero day exploit: altogether $15,000 for Nils.
Uncontested winner of the day was Google's Chrome browser, even though Charlie Miller did find a vulnerability that he later admitted his sandbox prevented him from carrying out. Details of the vulnerabilities unfortunately weren't given out: the TippingPoint DVLabs host of the conference pretty much buys the discretion of the hackers through its prize money, but will pass things on to the browser manufacturers.
Comments
comments powered by DisqusSubscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Gnome OS Adopting systemd-sysupdate
Gnome OS is about to undergo a major under-the-hood change that promises enhanced security.
-
Endless OS 6 has Arrived
After more than a year since the last update, the latest release of Endless OS is now available for general usage.
-
Fedora Asahi 40 Remix Available for Macs with Apple Silicon
If you've been anticipating KDE's Plasma 6 for your Apple Silicon-powered Mac, then you're in luck.
-
Red Hat Adds New Deployment Option for Enterprise Linux Platforms
Red Hat has re-imagined enterprise Linux for an AI future with Image Mode.
-
OSJH and LPI Release 2024 Open Source Pros Job Survey Results
See what open source professionals look for in a new role.
-
Proton 9.0-1 Released to Improve Gaming with Steam
The latest release of Proton 9 adds several improvements and fixes an issue that has been problematic for Linux users.
-
So Long Neofetch and Thanks for the Info
Today is a day that every Linux user who enjoys bragging about their system(s) will mourn, as Neofetch has come to an end.
-
Ubuntu 24.04 Comes with a “Flaw"
If you're thinking you might want to upgrade from your current Ubuntu release to the latest, there's something you might want to consider before doing so.
-
Canonical Releases Ubuntu 24.04
After a brief pause because of the XZ vulnerability, Ubuntu 24.04 is now available for install.
-
Linux Servers Targeted by Akira Ransomware
A group of bad actors who have already extorted $42 million have their sights set on the Linux platform.
Opera