
All Major Browsers Fall at Pwn2Own Day Two - wglb
https://threatpost.com/all-major-browsers-fall-at-pwn2own-day-2/111731
======
diminoten
> Lee wasn’t done and went on to bolster his daily total to $225,000 later in
> the day

Hooooly shit. That's insane, and if that's what you get from the company, I
can't even imagine the price of those exploits on the black market...

~~~
davmre
It's large when you present it as a single-day payout. If you imagine it might
have taken a year of work to discover and exploit these vulnerabilities, with
no guarantee of success, then the money is actually relatively low compared to
standard tech benefit packages. Tons of respect for anyone who does this and
avoids the urge to go to the black market (or NSA, etc).

~~~
criley2
> 225k is standard?

100k income per year + 33% for employer taxes, medical/fringe benefits, etc,
so 133k.

1.5 years of work at 133k/yr = ~200k payout.

I wouldn't call that low since it already hinges on massively inflated
salaries due to massively inflated cost of living for developers in hubs.

That 100k of buying power in SF would come from about a 55-60k salary in my
area. (1)

(1)
[http://www.wolframalpha.com/input/?i=moving+from+San+Francis...](http://www.wolframalpha.com/input/?i=moving+from+San+Francisco+to+Atlanta+salary+%24100k)

~~~
VieElm
> massively inflated salaries

Why would you say that's inflated? Engineering is a professional occupation
that requires a high degree of skill and education. Much like lawyers, doctors
and other forms of professions. Many of the companies that employ software
engineers at those salaries are highly profitable. From big names like Google,
Oracle, Facebook, Apple and Amazon to smaller companies like FrogCreek,
Atlassian, and New Relic. So why would you say they're inflated? Software
engineers are employed by companies with real products, that provide real
value. Salaries have been at these levels for over a decade now, in fact there
was a big dip after 2000 when pay actually was hugely inflated, but within a
few years pay rose again to current levels. I'd say when you've been earning a
salary long enough at these levels to buy a home and raise a child that it's a
stable market rate and not inflated.

~~~
freehunter
They're inflated due to the extremely high cost of living in the areas where
these jobs are common: Austin, San Francisco, Seattle, Vancouver. If someone
at Google in SF is making $250k, their peer in Ann Arbor, MI (a small city
with a Google office) could have the same purchasing power with maybe $80k. If
the companies weren't located in SF, the salaries could be a lot lower for the
same work, and the employees wouldn't really be making any less even with a
lower salary.

~~~
sbov
Actually, I sort of think the cost of living is high because tech workers make
so much money. So you have your cause and effect reversed. They do seem to be
the primary reason why rents and housing prices are going up so much in the
bay area.

E.g. I've read about landlords who raise their rent because of the presence of
a google bus stop nearby.

~~~
simoncion
> [Tech workers] do seem to be the primary reason why rents and housing prices
> are going up so much in the bay area.

In 1998 (at about the height of the dotcom bubble) a 1-bedroom apartment in my
apartment building was renting for ~$500/month. In 2010 (shortly after the
real-estate bubble collapse) that same apartment rented out for ~$1500/month.

Does it seem to you that tech worker salaries explain that 3x increase?
Remember that as of last year, tech workers made up _~8%_ of SF's population.

~~~
bsder
> In 1998 (at about the height of the dotcom bubble) a 1-bedroom apartment in
> my apartment building was renting for ~$500/month.

That is very low according to my memory. I was in Santa Clara in that time and
my rent was over $1000/mo.

Now, I wasn't down in SF with all the cool kids. I do remember that SF in that
time frame was right at a gentrification inflection where there were really
expensive places right next to buildings that should have been condemned, so
I'm willing to concede your point.

> Does it seem to you that tech worker salaries explain that 3x increase?
> Remember that as of last year, tech workers made up ~8% of SF's population.

Yes. That one is easy. Nobody wants to rent to the 92% combined with highly
restricted supply.

Even back in the DotBomb days, there was a reason why people were commuting
from the Fresno area. (152 would be bumper to bumper at 4:30AM in the
morning!)

~~~
91bananas
I could not imagine a worse fate than commuting from Fresno to the bay daily,
let alone doing so in bumper to bumper traffic in the middle of the night.

~~~
bsder
You forgot 40-60mph wind gusts because those are passes through the mountains.

It was stupid, but that demonstrates how bad things are in the central valley.

------
deweller
> Lee was able to take down both stable and beta versions of Chrome by
> exploiting a buffer overflow race condition in the browser. He then used an
> info leak and race condition in two Windows kernel drivers to secure SYSTEM
> access.

I'm trying to fully understand. Does this mean that by maliciously crafting a
website, someone can get SYSTEM access on a windows machine just by getting
someone to visit that site in Chrome?

And what does SYSTEM access mean? Is that user-level privileges or admin
privileges?

~~~
NathanKP
That's correct. The best paying exploits at Pwn2Own are exploits where just
browsing to a website gives an attacker root code execution on the machine.

These types of exploits pay well because they are extremely difficult to pull
off, as they require multiple exploits to break through the browser security,
out of the sandbox, and through the OS protections.

~~~
ianlevesque
And yet every year they have been found. It's safe to assume browsing to a
site can take over your entire machine at any time. Enjoy the web guys!

~~~
INTPenis
True it is a scary web but how many of those exploits have relied on default
settings and Javascript to run?

You are many times safer on the web if you have the discipline to use noscript
properly.

~~~
phazmatis
Fun fact: Noscript loads and parses all javascript and then just stops it from
running against the live DOM. Decreases page render time, sure. Prevents
exploits? Don't think so.

~~~
rudolf0
NoScript won't actually execute any of the Javascript, though. I am not aware
of any historical vulnerabilities from the mere act of loading and parsing
Javascript, though they're certainly theoretically possible. It's much easier
to secure a parser than a runtime.

------
kwentine
> He told Childs via translator that not only was it his first time
> writing Native Client code but it was his first time dealing with a kernel
> exploit.

Well, I guess Lee has found a new lucrative hobby for rainy weekends.

More seriously, how can someone possibly own three major browsers in two days
and on a first try at this kind of sport? A pretty loud way to shout "Hello
World"...

~~~
lawnchair_larry
These exploits are all created well in advance. People hold them for the whole
year just to use them here. They're usually made by teams, with one person
chosen to run it at the event.

At the event, each person brings their exploit and the browser is run against
it.

Somehow this gets changed to "browser hacked in seconds!" because the media is
great like that.

That said, it is quite impressive for a newcomer to clean house like this,
even if he did have a year to prepare, assuming he wasn't working with a team.

~~~
spyder
_"People hold them for the whole year just to use them here"_

But does this mean that they will leave the vulnerability alive for a year,
half-year (or whenever before the conference they found it) by not reporting
it to the vendors till the conference? Because from the description it looks
like it has to work on the latest versions of the browser (for example Chrome
42).

~~~
anon1385
There is another perverse incentive. It has been suggested that in previous
years the browser vendors were sitting on fixes and waited till the week
before pwn2own to release them.

~~~
JimDabell
Who suggested that and what reason do they have to believe it?

------
kasabali

        Microsoft Windows: 5 bugs
        Microsoft IE 11: 4 bugs
        Mozilla Firefox: 3 bugs
        Adobe Reader: 3 bugs
        Adobe Flash: 3 bugs
        Apple Safari: 2 bugs
        Google Chrome: 1 bug
        $442,500 paid out to researchers
    

Looking at these figures, am I the only one who thinks competitions are not the
most effective method for finding bugs? Of course, 21 bugs is not small and
$442,500 is not much, but when you think those researchers spend months of
their time finding those bugs, wouldn't it be more appropriate to use that
money on proper security audits? (I know it will cost more but would be more
effective overall?)

~~~
billyhoffman
It's not 21 bugs. Anyone can find 21 bugs. It's 21 bugs that enable/facilitate
Remote Code Execution. These are some of the worst of the worst. $442,000 is a
steal to get these identified and fixed.

~~~
NathanKP
Additionally those 21 bugs are probably worth way more than a measly $442k if
sold on the blackmarket or to the NSA, etc.

~~~
Nitramp
Are there actually reliable numbers/analyses on that? I have heard the sentiment
many times, but I have seen no proof of it.

------
lost_name
Do people go into Pwn2Own knowing the exploits they will use in advance? I'm
not sure I understand the format of such a contest.

~~~
liyanchang
Was similarly curious. Reading the rules here:
[http://zerodayinitiative.com/Pwn2Own2015Rules.html](http://zerodayinitiative.com/Pwn2Own2015Rules.html)

Major points:

\- You register for which browser + os combination[0]. Then they randomly
order the contestants.

\- When you are called, you have 30 minutes.

\- The user browses to a particular piece of content that you specify. Then no
further user interaction is allowed (like clicking a dialog, downloading a
file). [1][2]

\- The prize money goes to the first successful exploit. Money differs by
browser.

[0] Chrome, Firefox, IE, Adobe Reader in IE, Adobe Flash in IE. Safari on OSX.
Fully patched OS.

[1] How does one get to specify the content? What if I have an HTTP header that
downloads a file?

[2] I remember back in the day, they used to have a fully non-interactive
version? Like the user was just on the same wireless network?

~~~
tptacek
The exploits that take down hardened browsers take months to develop. The time
limits and race dynamics are theater.

~~~
hnnewguy
> _"The time limits and race dynamics are theater."_

That makes more sense. Otherwise, this is movie-script-like hacking ability.

~~~
eeeeeeeeeeeee
"I just need to break the encryption......ok...it's done."

------
ejstronge
Any insights into how researchers find these bugs? I'm particularly interested
in the kernel timing bug - how did the researcher know that he would find the
kind of exploit he needed? It seems like he's a fast learner, going from no
native client code to a big exploit...

~~~
fintler
I found CVE-2010-0539 (Safari remote code execution) by setting up a website
that just fuzzed a ton of stuff. It had a meta-refresh setup so the browser
would just keep reloading with a new random fuzz payload. I was in my 2nd year
of a CS undergrad program, so I would do stuff like this when I was bored.

I think much of it is just a bit of luck that you're looking in the right
place.

~~~
tracker1
What's funny is that back in the mid-late 90's, I found a lot of bugs in Netscape
Navigator simply by running the browser in a more secure OS (Windows NT) vs.
Windows 9x... There were a lot of conditions where the browser would crash in
NT, but in 9x meant you had an exploit.

Many of those were pretty simplistic... fortunately for almost everyone at the
time, the browser wasn't a widely used method of exploit, and to my knowledge
compromising distributed computer networks via such compromises and ad
networks wasn't thought of either. Though by 2002/2003, I had started blocking
Flash, Java and Adobe Reader at home when I saw what could be done in the
browser.

------
nightcracker
Saying that all browsers fall in less than 2 days at Pwn2Own is like saying a
mathematician proves a long standing theorem in 2 days of a conference.

~~~
perdunov
Yeah, like at today's _provathon_ Grigori Perelman proved Poincaré conjecture
in under 30 minutes.

------
soapdog
We get that all browsers were pwned, but what OS were they running? For
example, we can see on that post that there were three bugs in Firefox but we
don't know on what system those bugs would allow escalation of privileges and
arbitrary code execution. Or is there a bug allowing arbitrary code execution
in Windows, Linux, *BSD, Macs at the same time?!

~~~
mccr8
All were running on Windows, except Safari which was running on OSX. You can
see the details at this overly long URL from the contest organizers:

[http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Pwn2O...](http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Pwn2Own-2015-Exploitation-at-its-Finest/ba-p/6708265#.VQyBsbfYDOQ)

~~~
nodata
Here is my chance! Anyone know why hp.com urls are still, in 2015, so full of
subdomains?

~~~
warkdarrior
Because their web admins have not figured out how to do transparent load
balancing.

------
fierycatnet
Here's the first lecture among many from FSU on Offensive Security; it looks
like they are going pretty in-depth. I started watching the first few recently.
Very relevant for those who want to explore how exploitation is done.

[https://www.youtube.com/watch?v=lk3rp53b2NA](https://www.youtube.com/watch?v=lk3rp53b2NA)

~~~
bradleysmith
this was a very good overview, I appreciate the link. May be watching through
much more of this class.

------
perdunov
If one reads all those headlines and news without proper critique, they would
eventually start believing in all kinds of magic, like that one dude can
discover race condition exploits in the browser and the drivers in under 30
minutes.

------
r1ch
Are regular bug bounty programs simply not paying enough whereby researchers
decide to hold onto exploits for high paying events like Pwn2Own? How much
would these kind of exploits go for on the black market?

~~~
tptacek
Pwn2Own has a lottery dynamic that the bug bounty programs don't. As for the
_sub rosa_ pricing for these exploits, it gets complicated. Among other
important details: to maximize your returns you need to be a competent
salesperson (you need to have the contacts to sell them to), and the best
returns make you at least morally and in some cases even legally culpable for
what's done with them.

There's probably some headroom left for escalating valuations for browser
RCEs, but they're not like an order of magnitude mispriced.

Also remember you're looking at the subset of bugs with the absolute peak
valuation.

(I'm both ideologically opposed to bug sales and not smart enough to get RCE
on Chrome, so: take this with a grain of salt).

------
chockablock
Anyone else find that this comments page crashes their tab in Chrome for Mac?
Could be the strange string submitted by frenchtouch206?

Yup: it's a known crashing string:
[http://venturebeat.com/2015/03/20/these-13-characters-will-c...](http://venturebeat.com/2015/03/20/these-13-characters-will-crash-your-chrome-tab-on-a-mac/)

~~~
makomk
Bug report closed as a duplicate of a non-public (i.e. security) bug. That's
not a great sign.

~~~
greggman
Why is that not a great sign? All security bugs are non-public, even on
Firefox, until they are fixed. The fact that they are non-public is arguably a
sign someone looked at the bug and marked it a security issue, which also means
it's likely being actively worked on.

Keeping them public just means that if you want to own people's machines you
could scan the bug database for bugs marked as "security" and exploit them to
your heart's content until they were fixed.

------
0xFFC
This is off topic, but my problem with Chrome is that it has become an OS
itself. I don't need another OS on top of my OS. I just need a browser; Chrome
was an excellent one before they started pushing it to OS/framework-level
software.

~~~
josephagoss
I'm on the fence with this one.

It does make for a massive attack surface with the massive amount of
complexity a modern browser brings to the table, however it's also giving us a
truly Operating System agnostic world. (I think? Javascript based applications
are OS agnostic right?)

The browser may become a universal operating system, where web applications
become the norm and it brings an end to the Linux vs Windows vs Mac wars.

Who knows?

------
tux
Pwn2Own 2015 Is On! --
[https://www.youtube.com/watch?v=6IKeUHpUR7g](https://www.youtube.com/watch?v=6IKeUHpUR7g)

Pwn2Own 2015: Day 1 Highlights --
[https://www.youtube.com/watch?v=X2Ssw2sLUHI](https://www.youtube.com/watch?v=X2Ssw2sLUHI)

Pwn2Own 2015: Day 2 Highlights --
[https://www.youtube.com/watch?v=V99skqmTyiY](https://www.youtube.com/watch?v=V99skqmTyiY)

------
josteink
> He told Childs via translator that not only was it his first time
> writing Native Client code but it was his first time dealing with a kernel
> exploit.

To me this just confirms that no matter what the proponents say, Google Native
Client is just another form of ActiveX, just with a Google badge this time.

Letting a website run native code on your machine is a terrible decision, and
completely disrespectful to your users.

Needless to say, I'm not going to switch to Chrome anytime soon.

~~~
mike_hearn
Well, it means you have to break out of the NaCl sandbox instead of the V8
sandbox. Neither allows you to run arbitrary code, and I'm not sure if there's
any particular difference in hardness between them.

That said - Native Client doesn't seem to be used for anything on the web. It
might have been useful if other browsers had adopted it, but with Mozilla
pushing asm.js I wonder at what point they decide to pull the plug on this ...

------
Tloewald
My takeaway is that flash, by itself, doubles your vulnerability and acrobat
triples it. Obviously these results alone aren't statistically significant but
flash and acrobat have been dire sources of vulnerabilities for over a decade
(and bear in mind that safari renders pdf natively).

~~~
jeromegv
Safari uses its own PDF renderer, wondering if the Acrobat bugs really apply
for that?

------
cLeEOGPw
> Hacked Chrome browser in 2 minutes

Does that mean it took 2 minutes for script to finish it's job?

------
wtbob
So, I wonder how lynx, links, elinks, w3m and emacs-w3m fare at this sort of
thing…

------
nfoz
I think it's reasonable to consider that we should stop adding new features to
the web until it's at a point where we could have at least one www that
doesn't leave users vulnerable.

Literally every browser is unsafe, and has always been unsafe. There's zero
reason this should be the case. Transferring documents online is not _that_
hard a problem. Perhaps blinging out all the latest features for all the
latest ad companies is not worth the cost to users' system security.

~~~
samspot
Add operating systems, servers, and languages to your list for completeness.
The reason they are unsafe is because they are created by humans, who make
mistakes. You are basically proposing that all technology innovation should
cease until these things are 100% secure.

~~~
mike_hearn
I think it's more like saying maybe before massively increasing the browser
attack surface we should consider if it's really the right thing to do. A lot
of sandbox escapes in recent years have been in very rarely used features like
WebGL and Native Client. Cool tech for sure, but also big new exploit zones.

The main problem is that what used to be called "mobile code" before
smartphones were a thing is really convenient. That's why Java tried it too.
Sandboxed code helps a lot, so there's this constant tension between trying to
make the sandbox less restrictive and keeping it secure.

Sometimes I think that despite poor execution the JVM guys had the right idea.
Sandbox code from the net, but also have code signing to fall back on.

~~~
greggman
Care to back that up? Please list this "lot" of WebGL and Native Client
exploits. AFAIK there have been < 5 total over 5 years. Compared to the total
number of exploits, that certainly doesn't seem like WebGL or Native Client
are an issue.

As for rarely used, I'd guess Google Maps is a pretty well used site that uses
WebGL.

~~~
mike_hearn
Well, just search for "webgl cve", there seem to be quite a few. It exposes 3D
drivers to untrusted code, and they can run to millions of lines of code.

You're right, Google Maps is a good example of WebGL use. But it could also
just be a regular desktop app. People would download it just fine.

------
mrottenkolber
Is nobody paying for Linux bugs or weren't any found?

~~~
eugeneionesco
Very, very few people run Linux as a desktop (unfortunately).

The Chrome and Firefox bugs are probably exploitable on Linux too.

------
tonyhb
If you're interested in doing some research, just google "use after free".
Google has a message for you.

~~~
ccvannorman
This is one of the core reasons computers need to be reinvented.

~~~
tormeh
It's simple. Just stop using memory-unsafe languages. Just say no.

------
bsaul
Anyone know if mobile OSes are part of the competition?

I've always thought surfing on Safari mobile was the most secure way of
surfing (because of the sandbox, but also partly because of the App Store
pre-release evaluation policy that limits the risks of installing malware).

~~~
throwaway41597
There was a method to jailbreak the iPhone by exploiting some vulnerabilities
some years ago, all you had to do was go to a website from safari if I recall
correctly. iOS is mainly OS X without unsandboxed apps, no silver bullet.

~~~
thejosh
And the jailbreak fixed it for users as well, which was cool :).

------
maninalift
dumb question: "more ht2000 lines of code" \- is that a typo of "more
than...", is "ht2000" something I don't know and can't google, or are
these hacks in some way related to an antique motherboard?

~~~
weaksauce
I'd say it's a safe bet they meant "more than 2000 lines of code"

------
vskarine
Curious to know how WhiteHat
Aviator ([https://www.whitehatsec.com/aviator/](https://www.whitehatsec.com/aviator/))
would perform there, any ideas?

~~~
eugeneionesco
Vulnerable to the same bugs as Chrome.

------
coob
I can't seem to find any info on versions - Safari 8.0.4 was released a couple
of days ago, does the exploit affect this security release?

~~~
notatoad
It's my understanding that any vulnerability that has been disclosed is
ineligible. If 8.0.4 patched the exploit that won here, it would have been
merely by coincidence.

------
largote
What about Opera?

~~~
eugeneionesco
Nobody uses Opera, why add it to this competition?

But since you asked, I would bet a lot of money Opera is vulnerable to the same
bugs as Chrome since it's using the same rendering engine.

------
paulftw
Good to see microsoft products on top of at least one comparison against
opensource alternatives.

------
serve_yay
Is this the correct headline? I would expect something more like "Apple Safari
falls at Pwn2Own Day Two (Other Browsers Too)"

~~~
bmm6o
Not sure what you're implying. Is ThreatPost supposed to be anti-Apple?

~~~
billyhoffman
It's a common trend in tech reporting to mention/place stories in the context of
Apple, because they are the largest company in the world (by revenues), and so
it drives page views. Even when Apple are only tangentially related to the
story.

Perfect example of this right now are all the "Is Apple Pay causing fraud?"
news stories. The fraud has nothing to do with Apple Pay. The fraud is
happening because banks are doing a poor job verifying who someone is when
they are trying to register/activate a credit card. But they all focus on
Apple, despite being a minor aspect of the story, because it drives page
views.

~~~
parasubvert
FWIW Apple aren't even in the top 10 for revenues. Most are oil or car
companies. Apple is #14.

[http://www.statista.com/statistics/263265/top-companies-in-t...](http://www.statista.com/statistics/263265/top-companies-in-the-world-by-revenue/)

Top market cap, yes.

