
Down go all the major browsers at Pwn2Own - tanglesome
http://www.zdnet.com/crash-bang-boom-down-go-all-the-major-browsers-at-pwn2own-7000027343/
======
Spittie
Since the article cites it, I guess I can make a comment too and raise
awareness regarding EMET.

EMET is a free application published by Microsoft
([http://www.microsoft.com/en-us/download/details.aspx?id=3927...](http://www.microsoft.com/en-us/download/details.aspx?id=39273))
that enables advanced protections for many applications, such as DEP and
ASLR. It comes out of the box with rules that cover many popular applications,
so it's an "install and forget" solution for many users.

If anyone is interested, this is the article that made me aware of EMET:
[http://rationallyparanoid.com/articles/microsoft-emet-3.html](http://rationallyparanoid.com/articles/microsoft-emet-3.html)
(slightly outdated as Microsoft has released EMET 4, but it's still an
interesting read, especially the "Does EMET make a difference?" part), and
there is also an interesting user guide here:
[http://download.microsoft.com/download/4/E/9/4E9A5137-F73D-4...](http://download.microsoft.com/download/4/E/9/4E9A5137-F73D-4A4C-9192-444810C26F6B/EMET%204.0%20User's%20Guide.pdf)

I suggest everyone give it a try; it's very lightweight and it has yet to
cause a single problem on my system.

~~~
maaaats
I've skimmed the links, and have some questions: How does it prevent these
things? And why isn't it enabled by default in Windows?

~~~
skymt
EMET offers a grab-bag of mitigation techniques that are described in some
detail in its manual (PDF download):
[http://download.microsoft.com/download/4/E/9/4E9A5137-F73D-4...](http://download.microsoft.com/download/4/E/9/4E9A5137-F73D-4A4C-9192-444810C26F6B/EMET%204.0%20User%27s%20Guide.pdf)

Some of these techniques are enabled by default or on an opt-in basis in
recent versions of Windows, and EMET can be used to enable them on older
Windows systems. Other techniques would be too easily triggered by the normal
operation of badly-written software, making the software unusably crashy.

------
fijal
I wonder when people will realise that writing browsers in a language like C++
is not a good idea if you're semi-serious about security.

~~~
CJefferson
What do you think a sensible alternative is? I have serious problems with C++,
but few people (including me) would accept a "security upgrade" which made my
browser significantly slower and memory hungry.

~~~
wyager
Rust or Go would be pretty straightforward replacements for C++. Mozilla is
actively using Rust to make Servo. I think both Rust and Go are less conducive
to bugs than C++.

There are other languages that could be used to write very secure browsers,
but using them wouldn't necessarily be straightforward.

~~~
deluvas
Mind if I ask, what's up with these languages (Rust/Go) showing up everywhere?
Are they _that_ useful? Can you summarize for me what they are good at?

~~~
wyager
They're relatively straightforward procedural object-oriented languages.
They're not amazing. They won't make you say "Wow, that's awesome!" when you
use them.

They do have a few practical advantages over C++. For one, they don't allow
dangerous things like pointer manipulation. They both support garbage
collection. Go has some nice built-in support for multithreading. Both have
some nice iteration features. Useful syntactic sugar. Stuff like that.

Where C++ is basically just C with random features shoddily spot-welded on in
different places, Go and Rust were designed from the ground up to be
relatively very simple and straightforward. Like I said, they're not amazing;
they're just better than C++.

~~~
CJefferson
Saying that Rust and Go are better than C++ seems like an extreme stretch,
when Rust isn't even finished yet and is changing significantly on a
week-by-week basis, the Go compiler is still written in C, and every benchmark
I have seen puts Go at 2x to 5x slower than C++.

I have high hopes for Rust in the future, but Go just does not seem like a
replacement for C++ in the places where it excels (although many people do use
C++ in places where they could probably have used say python, and Go is a
reasonable alternative to Python).

~~~
derefr
Go isn't a replacement for C++. You wouldn't write an entire browser in Go.

Instead, I think, you'd write a bunch of fast browser component libraries in C
(which is what already happens now), and then _glue them together_ in Go to
produce a nice, static, easily-deployed binary for each platform.

You know how in, say, games, you see people writing (needs-to-be-performant)
mechanism in C, and then scripting (can-be-slower) policy in Lua? Go excels in
this same niche[1] and the results from Go, unlike from Lua, can be treated
(and debugged!) as native linked-in code.

I'd still rather the whole browser was written in Rust, though; those
libraries that are right now written in C for performance could do with fewer
crashes.

---

[1] ...if-and-when it's the policy-writer who compiles and links the binary.
If FooCorp ships a game engine as a complete executable binary, and you're
expected to just write policy _hooks_ in Lua against the FooCorp's
"framework", then there _is_ an equivalent workflow for Go--you'd produce a
dynamic library that the executable dlopen()s--but the result doesn't have the
same sort of elegance. (You don't get to code-sign the resulting complete
executable yourself, for example.)

~~~
pjmlp
> You wouldn't write an entire browser in Go.

Why not? AOS has one written in Active Oberon, which is quite similar to Go
feature wise.

The main difference is that Active Oberon's SYSTEM package is more powerful
than Go's unsafe and supports untraced pointers. The latter can also be
achieved in Go via a mix of syscalls and unsafe.

------
dobbsbob
Would be nice if more information on these exploits were provided, such as
whether a GrSecurity-reinforced sandbox (or SELinux sandbox for that matter)
for Chromium would have stopped the exploit from gaining a shell, or the
OpenBSD priv separation of X.

Do they release the exploits after patching? I want to run unpatched versions
on said above configurations or at least be able to read the code to see if
it's yet another JavaScript problem.

~~~
eliteraspberrie
These exploits usually target browsers running on Windows, which until
recently did not have ASLR or DEP enabled by default (and still doesn't in the
case of some browser plugins). Many Linux distros like Debian or Ubuntu have
had RELRO, SSP, PIE, and ASLR enabled by default for browsers for a few years
now. PaX and Grsecurity would indeed protect against all of these exploits --
up until one or two years ago. These newest exploits are way out of my league,
and I don't know if anything could stop their authors.
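The mitigations listed above (RELRO, SSP, PIE; NX is the Linux name for what Windows calls DEP) are properties of how a binary was built and linked, and most of them can be read straight out of its ELF headers. The script below is an added example, not code from the thread or from any distribution's tooling: it parses the ELF64 header, program headers and dynamic section to report PIE, NX stack, and partial/full RELRO, and uses a crude string scan for the stack protector (`__stack_chk_fail`; a real symbol-table walk is the proper check). The two ELF images it checks are constructed in memory with `build_elf` so the example runs offline; pass a real file path on the command line to inspect an installed browser. Note that PIE only enables ASLR; the kernel's randomisation setting decides whether it is applied.

```python
"""Report the hardening features of an ELF64 binary (added example).
Reads e_type (PIE), PT_GNU_STACK (NX), PT_GNU_RELRO plus BIND_NOW in the
dynamic section (partial/full RELRO) and scans for the SSP canary symbol."""
import struct

ET_DYN = 3                       # e_type of a PIE (or shared object)
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X = 0x1                       # segment flag: executable
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def check_hardening(data: bytes) -> dict:
    """Return {pie, nx, relro, stack_protector} for an ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2:   # EI_CLASS 2 == 64-bit
        raise ValueError("not an ELF64 image")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    # Without a PT_GNU_STACK header the kernel assumes an executable stack,
    # so "nx" stays False unless we see GNU_STACK without PF_X.
    report = {"pie": e_type == ET_DYN, "nx": False, "relro": "none",
              "stack_protector": b"__stack_chk_fail" in data}
    dyn_off = dyn_size = None
    for i in range(e_phnum):
        p_type, p_flags, p_offset, _va, _pa, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            report["nx"] = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            report["relro"] = "partial"
        elif p_type == PT_DYNAMIC:
            dyn_off, dyn_size = p_offset, p_filesz
    # Full RELRO = GNU_RELRO segment + immediate binding, so the GOT is
    # resolved before it is made read-only.
    if report["relro"] == "partial" and dyn_off is not None:
        for off in range(dyn_off, dyn_off + dyn_size, 16):
            d_tag, d_val = struct.unpack_from("<qQ", data, off)
            if d_tag == DT_NULL:
                break
            if (d_tag == DT_BIND_NOW
                    or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW)
                    or (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW)):
                report["relro"] = "full"
                break
    return report


def build_elf(pie: bool, nx: bool, relro: str, ssp: bool) -> bytes:
    """Constructed test input: a minimal ELF64 image carrying only the
    headers the checker reads. relro is 'none', 'partial' or 'full'."""
    phdrs = [(PT_GNU_STACK, 0x6 if nx else 0x7, 0, 0)]   # RW or RWX stack
    dyn = b""
    if relro != "none":
        phdrs.append((PT_GNU_RELRO, 0x4, 0, 0))
        entries = [(DT_FLAGS, DF_BIND_NOW)] if relro == "full" else []
        entries.append((DT_NULL, 0))
        dyn = b"".join(struct.pack("<qQ", t, v) for t, v in entries)
    ehdr_size, ph_size = 64, 56
    n_ph = len(phdrs) + (1 if dyn else 0)
    dyn_off = ehdr_size + n_ph * ph_size
    if dyn:
        phdrs.append((PT_DYNAMIC, 0x6, dyn_off, len(dyn)))
    ident = b"\x7fELF" + bytes([2, 1, 1]) + b"\x00" * 9   # 64-bit, LE, v1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else 2, 62, 1,
                               0, ehdr_size, 0, 0, ehdr_size, ph_size, n_ph,
                               0, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, off, 0, 0, sz, sz, 0)
                    for t, f, off, sz in phdrs)
    trailer = b"\x00__stack_chk_fail\x00" if ssp else b""
    return ehdr + body + dyn + trailer


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                       # real binary from disk
        with open(sys.argv[1], "rb") as fh:
            print(check_hardening(fh.read()))
    else:                                       # constructed images
        print("hardened:", check_hardening(build_elf(True, True, "full", True)))
        print("legacy:  ", check_hardening(build_elf(False, False, "none", False)))
```

The same four checks are what `checksec`-style scripts derive from `readelf` output; parsing the headers directly just removes the dependency on binutils being installed.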

------
PhantomGremlin
I want to see a new contest. I want to see if Firefox can be cracked if
JavaScript is disabled.

Right now I'm using NoScript and I have exactly 10 sites whitelisted. That
list doesn't include common sites such as Google or Yahoo.

IMO Google search is eminently usable w/o JavaScript, as is Gmail. But I don't
really care about frills like search suggestions.

Oh, and get off my lawn.

~~~
meowface
It's extremely unlikely. The chances of finding an RCE exploit that can be
triggered without any JavaScript are much lower.

It's not unheard of, of course. A bug in the CSS, HTML, or image
parsing/rendering libraries can be exploited in this way.

------
guardian5x
I love the pwn2own contest, because it shows all the fanboys that their
OS/browser is not secure, because they hack pretty much all, every year.

~~~
azakai
Except for linux :P

I kid, of course. Last I heard they don't even target it in the competition.
But maybe neither do hackers ;)

~~~
viraptor
To some extent it's true though. If you want to do things the paranoid way,
then Linux does offer you many more possibilities of protection.

For example setting up different profiles for social networks / banking /
random browsing / ... and protecting them externally to the browser using
selinux/tomoyo/apparmor/whatever-you-prefer (or even go full virt with qubes!)
will give you much more security - no breakout on a random page will be able
to touch your sensitive data. And it doesn't even matter what the browser
exploit does.

~~~
pfraze
I'm trying out Qubes on my next install - it just looks too cool not to try.

------
blibble
this is why I have a hard time believing that cryptocurrencies will achieve
mass adoption: eventually everyone gets hit by a 0-day, and then your money is
gone forever.

(I realise cold storage exists, but most people won't bother...)

~~~
erikpukinskis
Cash has the same problem, which is why banks and credit cards exist. There's
no reason your bank account and your VISA card couldn't be denominated in
Bitcoins, affording you exactly the same protections you have now.

You might lose $100 out of your smartphone wallet every now and then. But that
will hopefully be rare.

~~~
jerf
No, cash does not. There is no equivalent to issuing one command to a botnet
and collecting a hundred thousand people's wallets. Cash has _other_ problems,
which is why bank and Visa exist, but there's no zero-day exploit equivalent.

It's one of the reasons computer security is so hard. What in the real world
would be a minor weakness that really is unlikely to ever be exploited is in
the computer world an invitation for a bad actor to "SELECT * FROM
private_customer_data" and be walking away with everything you own before the
alerting system you probably don't have and probably aren't paying attention
to can even go off.

------
chinpokomon
How did ChromeOS fare? I can understand how general purpose OSs can be pwn'd,
but I'm more curious about how mobile platforms such as iOS, Windows RT,
Android, and ChromeOS hold up to these competitions.

~~~
georgemcbay
ChromeOS/Pwnium 4:

[https://plus.google.com/+GoogleChromeDevelopers/posts/QbtZ7A...](https://plus.google.com/+GoogleChromeDevelopers/posts/QbtZ7A8knW7)

Looks like one full-blown exploit (of an unknown nature but serious enough to
get the $150,000 award), but maybe specific to a single device (HP Chromebook
11), and one partial exploit on the same device. Unclear from the blog post if
the issue is something very specific to that one HP device or if it is
ARM-platform related and impacts the Samsung ARM Chromebook as well, since
AFAIK Pwnium was just focusing specifically on a couple of newer ChromeOS
devices.

------
thefreeman
Do they release more technical information on the exploits after the browser
makers have had time to produce patches? The things these guys do always blow
my mind.

At the same time it just reinforces the point that if you are targeted by an
entity with enough resources there is pretty much nothing you can do to
prevent exploitation. I am pretty sure all browsers get "pwned" at nearly all
of these competitions.

------
ryandetzel
I can't find how these are executed. Are they sites that have malicious code
on them? Are they required to have a certain plugin install (e.g. flash)?

------
Rizz
A bit off topic perhaps, but is it fair, as the article does, to call these
hackers "white hat"? Especially Vupen which sells to the highest bidder(s),
although selected, should be considered black hat, as they don't work with the
intention of securing software, they even advertise on their site that they
will sell the worst security holes for offensive use only.

~~~
bluefinity
If you read their page on offensive 0days, it states they only sell to
non-embargoed government agencies. I wouldn't really consider that black-hat.

~~~
meowface
Depends, do you consider NSA's TAO white hats or black hats? :)

------
contingencies
Motivated by the same, a couple of days ago I went to the trouble of
downloading rust and building Mozilla Servo. Unfortunately, if my build is
anything to go by, it won't even render most pages yet, so that practical
alternative path is presently closed.

------
RoboTeddy
Were these bugs discovered during the contest, or were part or all of the
exploits discovered beforehand?

~~~
letstryagain
Beforehand. The contestants work on finding exploits before coming to the
event.

