Davey Winder's Blog

Google Chrome stands alone at PWN2OWN

By Davey Winder in Editorial

Posted in Security, Firefox, Google, Internet, Microsoft, Apple on March 22, 2009 at 3:59 pm


Which web browser client is least at risk from hackers? If the PWN2OWN hacking competition is any measure of client security, then the clear winner was Google Chrome.

Of course, not everything is always as straightforward as it seems. And that is certainly the case when it comes to the annual PWN2OWN hacking championships that are run during the CanSecWest security conference. Standard PCs and Macs running default OS installations are used, loaded up with fully patched and current versions of the target software and no additional plug-ins to help the hackers. The rules seem pretty simple: hack the app as quickly as possible, with code execution as a requirement.

First of the web browsers to fall was Apple Safari running on a MacBook which lasted between 5 and 10 seconds in total. Charlie Miller managed to ‘own’ it by exploiting a previously unknown vulnerability and then simply clicking on a malicious URL. He proved to the judges that as a result of the remote code execution he had full control over the Mac.

Next was, perhaps a little surprisingly, Internet Explorer 8. A German chap known only as Nils managed to exploit a new vulnerability in IE8, running on a recent build of Windows 7. Someone who was no doubt surprised would be the main Internet Explorer 8 man at Microsoft, Dean Hachamovitch, who gave his keynote at the Las Vegas Mix 09 conference to launch the public release of IE8 just a few hours later, proclaiming that the browser had been engineered to withstand evolving attack methods used by hackers. Oh dear. Nils, meanwhile, went back to the keyboard and then managed to successfully hack the Firefox browser client as well.

Two bits of good news did emerge from all this though. Firstly, these new vulnerabilities will not remain exploitable for long; indeed, Microsoft are said to have already fixed the IE8 one and the patch is likely to roll out real soon now. This comes courtesy of the competition sponsors, TippingPoint, who pay the winning hackers a cash prize which also buys them the rights to the vulnerability details and exploit code, which are immediately passed over to the vendors concerned.

Secondly, the competition did seem to prove one thing: if you want the most secure of the mainstream web browser clients then Google Chrome would appear to be the way to go. During the course of the competition, it remained unhackable it would seem. Safari hacking supremo Charlie Miller did manage to find a vulnerability, but unlike previous vulnerabilities Miller reports that he was unable to exploit this one thanks to the sandboxing and security features of Chrome.

Comments

Pingback by IT PRO: Blogs: Davey Winder: In need of an urgent Firefox fix - March 26, 2009 on 7:59 pm

[…] Google Chrome is a more secure browser bet after all? Not yet rated  Loading […]

Pingback by Internet Explorer 8 - ScoobyNet - April 3, 2009 on 5:21 pm

[…] Its total ****e, there are now hundreds of exploits that are in the public domain, Ms can’t keep up. This is an interesting read.. IT PRO: Blogs: Davey Winder: Google Chrome stands alone at PWN2OWN […]

Comment by sikanrong - April 23, 2009 on 12:26 pm

I notice firefox didn’t get ‘pwn’d either, so chrome isn’t special or what?

Comment by Sean - April 23, 2009 on 3:16 pm

“…successfully hack the Firefox browser client…” last line of the third last paragraph, firefox was hacked. so chrome is still special, in a way

Pingback by NewbTech » Blog Archive » Microsoft IE 8.0 Browser Security best of all browsers? - April 27, 2009 on 3:04 am

[…] contest (forgetting to mention the wee lil fact that Google Chrome actually outlasted it.. - article from ITPro)… NSS Labs recently released a paper that touts putting all the current browsers through […]
