
Pwn2Own 2016: Chrome, Edge, and Safari hacked, $460k awarded - jjuhl
http://venturebeat.com/2016/03/18/pwn2own-2016-chrome-edge-and-safari-hacked-460k-awarded-in-total/
======
freewizard
It's hilarious but worth noting that the fact you only see China and Korea is
likely due to the Wassenaar Arrangement, which disallows citizens of the
participating countries from disclosing exploits in a foreign land. (Yes, Korea
is also on the list, so I'm not sure why that Korean dude just came :P)

------
circlingthesun
What happened to Firefox?

~~~
tux1968
Bit sad.

[http://www.eweek.com/security/pwn2own-hacking-contest-returns-as-joint-hpe-trend-micro-effort.html](http://www.eweek.com/security/pwn2own-hacking-contest-returns-as-joint-hpe-trend-micro-effort.html)

mentions:

"We wanted to focus on the browsers that have made serious security
improvements in the last year," Gorenc said.

~~~
jakobdabo
So, politics.

~~~
tux1968
As Firefox is my primary browser, I'd be happier if it was part of this
competition. But it's fair for the organizers to not want to part with their
prize money for a browser that hasn't been hardened much since the previous
contest.

~~~
rockdoe
_for a browser that hasn't been hardened much_

This claim is oft repeated, but the only reason people seem to say it is that
multiprocess + sandbox is not in release Firefox (it's in
Nightly/Aurora/Beta).

That doesn't necessarily make it _true_. There have been some blogs since about
how the JS <-> C++ sandbox has actually been significantly strengthened, but
people just ignore truths that don't fit their preconceptions.

IE/Edge and Chrome also have sandboxes, and they still get cracked every
Pwn2Own.

~~~
pjmlp
If it isn't in a release, it isn't on the majority of people's computers.

Normal people don't install development versions.

A sandbox isn't foolproof, but it is way better than not having anything.

------
KayL
5 Teams, 4 from China, 3 from Tencent (China), 1 from Korea. All Asian?

------
blinkingled
Summary -

    Microsoft Windows: 6
    Apple OS X: 5
    Adobe Flash: 4
    Apple Safari: 3
    Microsoft Edge: 2
    Google Chrome: 1 (duplicate of an independently reported vulnerability)

Chrome is looking better each passing Pwn2Own. Even with the bloat and not
having all the add-ins I like on FF (Self Destructing Cookies (there's Vanilla
Cookie Manager; it mostly works, but not quite, as it doesn't have access to
local storage), and, given how bad the Chrome download manager is, DownThemAll), it
looks like it still is a good idea to compromise a bit of privacy and
convenience for the sake of security.

~~~
nacs
> a good idea to compromise a bit of privacy and convenience for the sake of
> security

Wouldn't using Chromium instead of Chrome get around most of the privacy
issues?

~~~
blinkingled
Some but not all - I was referring to tracking cookies and the like. SDC on
FF allows auto-deleting cookies and local storage that you don't need, and that
takes care of the tracking. Given how much I have already invested in the Google
ecosystem (Android, GMail, Photos, Hangouts etc.) I am not that much concerned
about privacy from Google.

------
nxrabl
Serious question: how do you pronounce 'pwn'? Is it 'pone'? 'poon'? 'pwin'?
'pown'? Something else?

~~~
mig39
Rhymes with 'own' -- which is why it's "pwn to own."

It was originally a misspelling of 'own' I think.

~~~
beeboop
KnowYourMeme [1] is surprisingly high quality and informative sometimes. "pwn"
apparently has origins going as far back as the 60s, but I'd have to guess it's
mostly popular these days due to the brief leetspeak phase of the early 90s,
where it was a more pointed, edgier way to write "owned".

[1] [http://knowyourmeme.com/memes/owned-pwned](http://knowyourmeme.com/memes/owned-pwned)

------
djadmin
11 attempts were made in total this year by five teams:

    Tencent Security Team Sniper (KeenLab and PC Manager): 3/3
    360Vulcan Team: 1.5/2
    JungHoon Lee (lokihardt): 2/3
    Tencent Security Team Shield (PC Manager and KeenLab): 1/2
    Tencent Xuanwu Lab: 0/1

Impressive.

~~~
kristofferR
Why is Tencent so dominant in this competition compared to all the other
potential companies?

~~~
dsl
Because they are willing to burn 0day to gain credibility. The top team got
$140k for what was easily $900k+ worth of exploits.

~~~
jjuhl
And I for one commend them on doing the contest and disclosing the exploits in
a responsible manner, rather than peddling them on the black market.

------
chalion
Would EMET have stopped any of the browser or kernel exploits?

It's unfortunate that Microsoft's security blog (
[https://blogs.technet.microsoft.com/srd/](https://blogs.technet.microsoft.com/srd/)
) rarely posts EMET success stories. Is it not that effective?

------
dguido
How many more Pwn2Owns will we need to have until all the security
vulnerabilities in browsers are gone?

~~~
nazgob
It will never end until browsers evolve and code is changed. Each new version
can introduce new issues.

~~~
Buge
I think you mean "It will never end as long as browsers evolve and code is
changed."

------
mchahn
To me the big surprise was OS X doing worse than Flash. Ouch.

~~~
nacs
You're surprised a plugin has 1 less vulnerability than an entire operating
system?

~~~
mchahn
Yes, when that plugin is Flash.

Actually I understand what you are saying. Showing the list that way is kind
of unfair.

------
webaholic
Why is Firefox not in the list?

~~~
rockdoe
They lost a lot of funding and VM escapes are a bit hotter than browser
exploits.

Also, Firefox installs generally still come with Flash which is easier to
exploit than the browser itself, and reaches a broader audience.

Officially, they claimed it's because "Firefox security has not advanced in the
last year", but that is just utter BS.

~~~
tptacek
"Utter BS" is a pretty categorical statement. In what ways has Firefox
security advanced in the last year?

~~~
pcwalton
High entropy ASLR, for one:
[https://bugzilla.mozilla.org/show_bug.cgi?id=1020362](https://bugzilla.mozilla.org/show_bug.cgi?id=1020362)

(A few months older than one year, but close enough. Also, of course I'm not
going to claim that sandboxing is unimportant.)

