
Pwn2Own 2014 Claims IE, Chrome, Safari and More Firefox Zero-Days - mikevm
http://www.eweek.com/security/pwn2own-2014-claims-ie-chrome-safari-and-more-firefox-zero-days.html
======
higherpurpose
Mozilla really needs to add its own sandboxing system. Even Chris Soghoian
from ACLU says that right now it's hard to simply recommend Firefox over
Chrome, because Firefox may be better privacy wise, but it's not better
security wise.

~~~
Siecje
A sandbox is just code and code has bugs. As was said in the article, you can
escape the sandbox.

~~~
sliverstorm
That's actually the point of a sandbox. Code has bugs, so you sandbox it.

Now, the sandbox is _also_ code, but to my understanding it's fewer LoC than
what you are sandboxing. As bug rate per LoC is a fairly stable value,
reducing LoC reduces total bug count. Ergo, by wrapping a large complex
program with many LoC inside a small sandboxing function, you increase
security (though it is not perfect, it still will have SOME bugs).

~~~
pcwalton
The amount of unsandboxed code in Chromium is not a whole lot smaller (if at
all) than the amount of sandboxed code on a lines-of-code basis. The advantage
of sandboxing is that most of the code that directly interacts with content
(the rendering engine) is prevented from directly performing malicious
actions, assuming the sandbox is secure.

------
nl
_Google's Chrome Web browser was successfully exploited by VUPEN on March 13
with a use-after-free memory flaw that enabled a sandbox bypass._

Am I right in thinking that would be only the second Chrome exploit that
escapes the sandbox (if we ignore exploits that relied on plugins)?

~~~
pcwalton
Pinkie Pie already achieved full sandbox escape in Chrome at least twice in
Pwnium.

------
twic
Yeah, but what about Lynx? Nothing? DIDN'T THINK SO! HA!

~~~
TazeTSchnitzel
I wonder if you could exploit Lynx with an SSL bug, given that it is the most
complex protocol it handles.

------
steveklabnik
Of note: the Firefox vulnerabilities were all buffer overflow related.

AKA, not possible in Rust...

~~~
Moral_
Not all of them. One was a use after free, which isn't related to buffer
overflows. For two others it is not clear what caused them:

_By Mariusz Mlynski:_

_Against Mozilla Firefox, two vulnerabilities, one allowing privilege
escalation within the browser and one bypassing browser security measures._

[http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Pwn2O...](http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Pwn2Own-results-for-Thursday-Day-Two/ba-p/6412622#.UyYOW9tx0xC)

[http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Pwn2O...](http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Pwn2Own-results-for-Wednesday-Day-One/ba-p/6410984#.UyYOXttx0xC)

~~~
steveklabnik
Whoops, thanks. That one is also not possible in Rust, so my point still
stands. ;)

