Attention: Everybody. Your Browser is Insecure. Deal With It.

Friday, March 20, 2009 at 12:55 pm

Yesterday’s most significant browser-related event wasn’t the release of Internet Explorer 8–it was the upshot of day one of the Pwn2Own browser-hacking contest at the CanSecWest security conference in Vancouver, British Columbia. The competition offered cash and hardware incentives to attendees who could exploit zero-day vulnerabilities in Chrome, Firefox, IE 8, and Safari.

The results? Chrome was the only browser that escaped unscathed, apparently because of the way it sandboxes Web code to prevent it from doing damage. (Chrome has, however, been shown to be insecure in the past.) Yup, IE 8–which Microsoft says is “safer than ever”–didn’t even get through its first day on the market without being hacked.

Which wasn’t a surprise in the least–really, it would have been more startling if a bunch of enterprising hackers with money, prizes, and publicity dangled in front of them weren’t able to break into the majority of browsers they tried to attack. Every browser company has smart folks working on making software safe, but it’s painfully obvious that the people who want to show that software is insecure are just as smart.

I don’t look at the people who enter Pwn2Own as white knights–they are, after all, tampering with products to get a chance at monetary reward, and bad guys can and do learn from their attacks. But ultimately, the contest and similar stunts do the world a favor: It’s important that browser companies know about the holes in their products, and if it takes a contest to find some of them, that’s okay. (Pwn2Own’s organizers turn over information on the vulnerabilities that are discovered to the companies in question so they can fix them.)

And the results of day one of Pwn2Own are also a useful reminder to all of us who use browsers: There are less secure browsers and more secure browsers, but there’s no such thing as a fully secure browser. (Even houses with deadbolts on all the doors and pricey alarm systems get broken into.) Remember that when you hear browser companies brag about their safety measures.

Day two of Pwn2Own, incidentally, included a competition to bust into mobile-phone browsers: Android, BlackBerry, iPhone, Symbian, and Windows Mobile. They all survived, apparently–mostly because almost nobody even showed up to try and attack them. Betcha phone browsers come under a lot more scrutiny from Pwn2Own contestants in years to come…

 

3 Comments For This Post

  1. Paulo Sargaço Says:

    I was waiting for the “how to deal with it” part.

  2. Steven Fisher Says:

    The only way browsers will ever be secure is if it is in the best interest of people with exploits and without ethics to report the exploit to the developer. I don’t think that will ever happen, but Pwn2Own is a step in the wrong direction. By holding this contest on a schedule, people with exploits are encouraged to sit on them and save them for this contest.

  3. J. Cole Says:

    Note that Pwn2Own did not test Opera, though it also has its share of vulnerabilities: http://secunia.com/advisories/34135/.
