Yesterday’s most significant browser-related event wasn’t the release of Internet Explorer 8–it was the upshot of day one of the Pwn2Own browser-hacking contest at the CanSecWest security conference in Vancouver, British Columbia. The competition offered cash and hardware incentives to attendees who could exploit zero-day vulnerabilities in Chrome, Firefox, IE 8, and Safari.
The results? Chrome was the only browser that escaped unscathed, apparently because of the way it sandboxes Web code to prevent it from doing damage. (Chrome has, however, been shown to be insecure in the past.) Yup, IE 8–which Microsoft says is “safer than ever”–didn’t even get through its first day on the market without being hacked.
Which wasn’t a surprise in the least–really, it would have been more startling if a bunch of enterprising hackers with money, prizes, and publicity dangled in front of them weren’t able to break into the majority of browsers they tried to attack. Every browser company has smart folks working on making software safe, but it’s painfully obvious that the people who want to show that software is insecure are just as smart.
I don’t look at the people who enter Pwn2Own as white knights–they are, after all, tampering with products to get a chance at monetary reward, and bad guys can and do learn from their attacks. But ultimately, the contest and similar stunts do the world a favor: It’s important that browser companies know about the holes in their products, and if it takes a contest to find some of them, that’s okay. (Pwn2Own’s organizers turn over information on the vulnerabilities that are discovered to the companies in question so they can fix them.)
And the results of day one of Pwn2Own are also a useful reminder to all of us who use browsers: There are less secure browsers and more secure browsers, but there’s no such thing as a fully secure browser. (Even houses with deadbolts on all the doors and pricey alarm systems get broken into.) Remember that when you hear browser companies brag about their safety measures.
Day two of Pwn2Own, incidentally, included a competition to bust into mobile-phone browsers: Android, BlackBerry, iPhone, Symbian, and Windows Mobile. They all survived, apparently–mostly because almost nobody even showed up to try and attack them. Betcha phone browsers come under a lot more scrutiny from Pwn2Own contestants in years to come…