

Pwn2Own owned all major browsers - zobzu
http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Pwn2Own-2013/ba-p/5981157

======
othermaciej
"All"? Not Safari yet (knock on wood). Which is a big change from back in the
day when it was usually pwned first in this contest. Or are you saying it's
not a major browser?

~~~
hayksaakian
At 25% of mobile, I agree it is a worthwhile endeavor to find exploits for
Safari.

I was about to make fun of you for suggesting Safari has significant usage
until I considered mobile.

~~~
othermaciej
Safari's desktop share is somewhere between 5.5% and 15.5% depending on whose
stats you trust:

[http://en.wikipedia.org/wiki/Usage_share_of_web_browsers#Sta...](http://en.wikipedia.org/wiki/Usage_share_of_web_browsers#StatCounter_.28July_2008_to_present.29)

Is it crazy to consider that significant?

~~~
lloeki
I personally consider it not major but significant, not just due to market
share but also because it's the default browser (and shares its inner
components with applications leveraging WebView) on a certain platform.
Therefore it's a prime target for establishing a foothold on that platform.

------
fruchtose
It looks like George Hotz [1] is attending! Judging by his work with the
PlayStation 3, I expect him to do pretty well at cracking Adobe Reader.

[1] <http://en.wikipedia.org/wiki/George_Hotz>

------
omgtehlion
Interesting how Java was pwned three times in spite of the lowest reward.

~~~
TheAnimus
We've seen Java bugs in the news lately for use in co-ordinated attacks
against large companies.

A nameless firm (not the one I'm working with now) that happens to be one of
Europe's largest banks has insanely locked down versions of Windows, everything
disabled, some custom thing that has hooked NT kernel functions to check which
image is being loaded to be executed.

And then it has Java. A very old, un-patched version running a vendor risk
system (yes, it is that French one you're thinking of).

This means that despite the frankly annoying paranoid security there, you can
pwn any of the machines easily. As we see more _targeted_ attacking, remember
that Java is heavily used by a lot of rich, often inept due to size, firms.

~~~
martinced
Do these "insanely locked down" Windows have a browser and does that browser
enable Java applets?

The 0-days affecting Java lately have all been using Java applets and drive-by
exploits. I'm not saying it's not pathetic and lame for Java's security track
records but it's not either as if your company was vulnerable to remote
exploits in the case Java applets are not allowed in browsers.

I'm running Java webapp servers and I've been _really_ pissed off that I
needed to patch to remote Denial of Service exploits (the hashmap / URL query
parameters degenerating to O(n) instead of O(1) SNAFU and the "endless loop"
while parsing a certain floating-point number) in late 2011 / early 2012 IIRC
but basically that's it.

The JVM is still incredibly secure on the server side (and can be installed on
Un*x systems in a user account, without needing to be root -- meaning that
you can then lock down like mad that user account and have an even more secure
setup).

Now to be honest if your company was truly paranoid they wouldn't be using old
version of Windows with in-house brittle hacks supposedly bringing "more
security".

I know that all too well (at Dexxia for example): some people somewhere decide
on a shitty technology (Dexxia was at one point using shitty Java applets to
allow clients to do online banking) and then say _"We're going to have the
most secure system ever"_.

So these guys _think_ they're paranoid but they're using: a) Windows and b)
Java applets.

And at this point you have to wonder if you should laugh or cry at their
definition of "paranoid".

People really paranoid about security ain't letting Windows in (unless they
like NSA backdoors and consider patch-tuesday to be a reliable way to execute)
and ain't letting Java applets in.

~~~
TheAnimus
Guess how they distribute the Java application.

However I really don't want to go too far into a former client's site details,
just to say it was a laughably big gaping hole, that is really quite common in
a lot of large enterprises. It was also completely separate from my domain
there.

------
kriro
Are any vendors offering no questions asked X$/0day rewards all year long
instead of dedicated events? Seems like it would be a decent move. If the
going rate is really in the 50k ballpark why can't say Google offer 10-20k per
Chrome exploit?

Their engineers don't make peanuts and the attacks on the software happen
regardless. After a year or two you'd probably have a pretty secure system for
a reasonable cost.

I don't think there's much negative press involved either if you spin it a la
"we have the best security experts in the world attack our software and fix it
asap".

+You might pull off a decent talent grab or two as long as you understand how
the people would like to work (probably not from a Google office).

~~~
vellum
Google's bug bounty is $3,133.70 (elite). The black market can pay
$80k-200k+[1]. Why doesn't Google pay more? Well, like you said, "attacks on
the software happen regardless". Their objective is to maximize shareholder
value. People adopt browsers for other reasons besides maximum security. You
hear about critical vulnerabilities all the time, to the point where you get
desensitized to it. I don't think there's been a bug out there that caused
people to dump a browser en masse.

[1] - [http://www.forbes.com/sites/andygreenberg/2012/03/23/shoppin...](http://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero-days-an-price-list-for-hackers-secret-software-exploits/)

~~~
ErikCorry
The bug bounty is for a security bug with no exploit. That makes it a lot less
work for the security researcher. See the release notes on the Google Chrome
blog for details of bounties paid.

Google also sponsors Pwn2Own and Pwnium with bigger prizes for bugs with
working exploits.

------
soda123
Few silly questions: 1) I got the feeling from this discussion and some other
sources that there are a couple of known Windows kernel vulnerabilities that
are making these exploits easier. What about Microsoft? Don't they care, or
are they fixing those bugs?

2) How secure is, let's say, Firefox + Ubuntu/Fedora, latest updates, default
settings? I haven't seen that many exploits for Linux in general. Is it
because no one cares about Linux, or because it is harder and thus more
valuable than Windows exploits, so no one shares Linux ones?

------
andrewchoi
I don't really understand the competition. Do people come to these with just
the intention of finding exploits, or do they come with the exploit ready,
waiting to collect a reward?

~~~
raesene2
They have the exploits ready to go, the challenge is whether they can exploit
the target system (which is fully patched) within their time slot.

It's a useful exercise, I think, in that it demonstrates that even the most
hardened of codebases still has security bugs and it also serves as a
cautionary tale for people who think they don't need multiple layers of
defence.

~~~
martinced
_"...it demonstrates that even the most hardened of codebases still has
security bugs"_

Browsers the most hardened codebase? I nearly spilled my coffee ; )

Every single browser out there (including Chrome) was designed with security
as an afterthought.

As for me, I browse the Web from Linux, using a throwaway user account which
doesn't have Java installed. And that user account is itself "hardened" (e.g.
no login shell, specific per-user-id firewalling rules, etc.). At this point,
given the state of insecurity the Web is in, I'll probably go back to the VM
route (a browser in a locked down separate user account, but itself running
inside a KVM VM).

My definition of a hardened codebase would be something like OpenBSD or
OpenSSH or seL4 (in seL4 the code has been verified (using formal provers) to
be free of buffer overrun/overflow and whatnot).

What I don't like about your comment is that you consider the current
situation to be "acceptable". You apparently do really believe current
browsers are "hardened", and the fact that there are people thinking like you
is precisely part of the problem.

We can do _much_ better than that.

For a start I'd love to read a rant from Theo de Raadt about what should be
done to conceive more secure web browsers.
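
The "throwaway browsing account" described above (no login shell, per-uid firewall rules) can be expressed as a small script. What follows is an added example, not code from the thread or from any project: it checks a passwd entry for an interactive shell and builds the iptables OUTPUT rules that confine one uid to DNS and the web, using the `owner` match (`-m owner --uid-owner`), which is only valid in the OUTPUT and POSTROUTING chains. The uid 1002, the user name, the port list and the sample passwd lines are constructed; the rules are returned as argv lists and only executed if `run_rules()` is called as root.

```python
"""Added example (not from the thread): the account check and per-uid egress
firewall rules for a throwaway browsing user. Assumes iptables with the owner
match; rules are built as argv lists and are not executed unless run_rules()
is called with root privileges.
"""
import shlex
import subprocess

# Shells that refuse an interactive login (paths as found on common distros).
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def account_is_locked_down(passwd_line: str) -> bool:
    """True if the /etc/passwd entry has no interactive login shell.
    The browser is started with su/sudo -u from another account, so the
    throwaway user never needs one."""
    fields = passwd_line.strip().split(":")
    if len(fields) != 7:
        raise ValueError("malformed passwd entry")
    return fields[6] in NOLOGIN_SHELLS


def egress_rules_for_uid(uid: int, tcp_ports=(80, 443), dns_port=53):
    """iptables OUTPUT rules that let one uid originate only DNS and web
    traffic and reject everything else it tries to open. Order matters:
    both ACCEPTs must precede the catch-all REJECT. UDP 53 is allowed
    because the browser's resolver queries leave as the same uid."""
    base = ["iptables", "-A", "OUTPUT", "-m", "owner", "--uid-owner", str(uid)]
    ports = ",".join(str(p) for p in tcp_ports)
    return [
        base + ["-p", "udp", "--dport", str(dns_port), "-j", "ACCEPT"],
        base + ["-p", "tcp", "-m", "multiport", "--dports", ports, "-j", "ACCEPT"],
        base + ["-j", "REJECT", "--reject-with", "icmp-port-unreachable"],
    ]


def as_shell_script(rules) -> str:
    """Render the argv lists as a reviewable shell script."""
    lines = ["#!/bin/sh", "set -e"] + [shlex.join(r) for r in rules]
    return "\n".join(lines) + "\n"


def run_rules(rules) -> None:
    """Apply the rules in order (requires root)."""
    for argv in rules:
        subprocess.run(argv, check=True)


# Constructed sample entries: the first is what the setup should look like,
# the second is the weak form with an interactive shell.
LOCKED_ENTRY = "webuser:x:1002:1002::/home/webuser:/usr/sbin/nologin"
WEAK_ENTRY = "webuser:x:1002:1002::/home/webuser:/bin/bash"

if __name__ == "__main__":
    for entry in (LOCKED_ENTRY, WEAK_ENTRY):
        print(entry.split(":")[6], "->", "ok" if account_is_locked_down(entry) else "interactive shell")
    print(as_shell_script(egress_rules_for_uid(1002)))
```

The generated script is the part worth reviewing before applying: a REJECT for the uid with no preceding ACCEPTs would silently break the browser, while ACCEPTs with no trailing REJECT give the account no confinement at all.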

~~~
zobzu
If you trust Linux or Theo for security, you're going to have a bad time.

------
pavs
Whoa! What's with the HP site permalink/URI/URL formatting?

<http://h30499.www3.hp.com/>

~~~
verbophobe
[http://daringfireball.net/linked/2010/03/09/hp-license-plate...](http://daringfireball.net/linked/2010/03/09/hp-license-plate-domains)

~~~
pavs
Thanks for the link. This is crazy. SquareWheel was right. This is an
absolutely brain-dead way of doing this, by a very incompetent IT admin.

~~~
btipling
And yet that it persists brings to mind all the problems faced by large
organizations: an inability to change processes, execute quickly on decisions,
disconnect between customers and company operations. Which is why startups can
disrupt them. Pretty much everything HP produces seems mediocre and of
substandard quality, including their printers, ink, devices, and services such as
their OpenStack cloud offering.

~~~
yuhong
Which is only now improving with Meg Whitman.

------
dereksy
Where's Safari?

~~~
dhbanes
Directly below "Mozilla Firefox on Windows 7 ($60,000)"

~~~
lloeki
Safari is a target in the event, but has not been pwned yet:

    Wednesday:
    1:30 - Java (James Forshaw) PWNED
    2:30 - Java (Joshua Drake) PWNED
    3:30 - IE 10 (VUPEN Security) PWNED
    4:30 - Chrome (Nils & Jon) PWNED
    5:30 - Firefox (VUPEN Security) PWNED
    5:31 - Java (VUPEN Security) PWNED

    Thursday:
    12pm - Flash (VUPEN Security)
    1pm - Adobe Reader (George Hotz)
    2pm - IE 10 (Pham Toan)

Interestingly enough, last year it was the only target not 0-day pwned (but
was in the CVE contest, via CVE-2011-0115 and CVE-2010-0050).

~~~
dsl
Poor VUPEN. Their Safari exploit must have broken.

~~~
fuzzbang
Or they aren't about to kill the same bug in MobileSafari, since it is worth
exponentially more.

<https://twitter.com/i0n1c/status/309585202810867712>

~~~
othermaciej
WebKit code execution against Chrome is also likely to work (in modified form,
but same basic exploit) against desktop or mobile Safari. Desktop Safari
sandbox escape is likely to be completely different from MobileSafari sandbox
escape. And in all three cases, the sandbox escape is the harder part.

So that logic does not explain to me why people are going after Chrome but not
Safari.

I honestly don't know why it is. In particular, I don't have specific reason
to believe Mac Safari's sandbox is more bulletproof than Windows Chrome's, but
I guess Safari has the advantage of not being exposed to Windows kernel bugs.

~~~
justinschuh
Yeah, the WebKit exploit will work effectively unmodified on Safari. And the
sandbox escape used against Chrome on Windows was a kernel bug in surface that
can't be turned off from user-space (or really at all on Win7). Also, they
softened the target quite a bit by using 32-bit Win7 for the contest, rather
than 64-bit Win8 (or even 64-bit Win7).

As for why no one's targeting Safari, I think it's simple market forces at
play. The iOS exploit market is established and pays very well, while the core
vulnerabilities, expertise, and techniques are all shared with Safari on Mac
OSX. And since Safari isn't a soft target (in no small part due to Abhishek's
mass slaughter of WebKit security bugs and our bounty program), $65k just
doesn't compete with the real-world exploit market.

~~~
othermaciej
Getting sandbox escapes from Mac Safari and iOS Safari requires completely
different exploits. The code execution stage of a complete exploit could be
shared, but it could also be shared with Chrome. So you'd think the same
argument of iOS Safari exploit market value would apply either way.

My theory is that not much research has been done yet on breaking the
WebProcess sandbox. Which makes me sad.

~~~
justinschuh
>Getting sandbox escapes from Mac Safari and iOS Safari requires completely
different exploits.

You're focusing too narrowly on the sandbox itself. You have to consider the
whole stack, and all of the surface exposed from within the sandbox. Consider
the Chrome sandbox escape from yesterday, which didn't use anything specific
to Chrome. It targeted part of the Windows stack that's guaranteed to be
exposed to every process on the system.

------
TheAnimus
Considering Chrome had a last minute patch applied
[http://nakedsecurity.sophos.com/2013/03/06/last-minute-pre-p...](http://nakedsecurity.sophos.com/2013/03/06/last-minute-pre-pwnium-chrome-update-closes-numerous-holes/)

It's good to know it still got taken down, because I had a horrible fear they
were going to try and advertise they were 100% safe because they weren't
exploited.

~~~
justinschuh
There's no last minute patch. We push security and stability updates every 2-3
weeks. Just go look at our release history to verify. As for your other claim,
it's so absurdly off base that it doesn't warrant an explicit response.

~~~
TheAnimus
Which is fair enough, I'm in no way going to suggest having a reactive
security update schedule is a bad thing.

However the time of the conference could easily give a vendor that had a
compatible release cycle a slight edge.

When I read that story (before hearing the results) I was filled with a kind
of dread. I am less than impressed about the claims for Chrome OS; in the UK
where it's advertised it strikes me as Apple during the _bad days_, who simply
advocated bad practice with regards to security (you've bought us, don't worry)
type thing.

If you feel that is at all unfair to you, I am sorry, but Google Chrome has
been an aggressively marketed product in London and I have general contempt for
most of the ads (but then I'm not the target market).

I also think it's really important to remind people just how unsafe browsers
are (all of them) and how people need to be increasingly aware of the impact
of such security.

Side Note: If you're one of the team, thanks, yours has been my favourite
browser for years now :)

