Insecure Candidates: Chrome Wins Hacking Contest
At the CanSecWest Vancouver 2009 conference's PWN2OWN hacker's competition the Safari, Internet Explorer 8 and Firefox browsers were successfully hacked to run code on their systems. The Chrome browser was recognized as being the least impacted by the hackers.
The two-day PWN2OWN competition had but one goal: hacking an application as fast as possible to run code in it. The hacker contest is a feature of the annual CanSecWest conference, this year in Vancouver March 16-20, where standard PCs and Macs are subjected to vulnerabilities using the current version of the targeted software containing all the newest security updates. This year the hackers were to hack four fully patched browsers and five mobile devices. While the mobile devices remained "unscathed," almost all browsers failed the test in one way or another.
In less than 10 seconds Charlie Miller could open his MacBook with Safari and promptly won the $5,000 Zero Day Initiative prize. After jury members clicked a specially prepared link, Miller could control the system through an undocumented security hole.
Internet Explorer 8 was the next victim (ironically almost parallel to its official start in Las Vegas) to follow the MacBook pattern. A hacker named simply Nils used an undocumented vulnerability to control the Windows 7 subsystem and won another $5,00 prize from ZDI. He also exploited the first known security hole of IE8. Just earlier Microsoft's Dean Hachamovitch in his talk had praised the high security standards of IE8 with its Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) protection technologies.
Twice again Nils pulled off victories. First was a Safari exploit that won him another $5,000. Secondly, the Firefox competition didn't escape his schadenfreude and he won another prize through a zero day exploit: altogether $15,000 for Nils.
Uncontested winner of the day was Google's Chrome browser, even though Charlie Miller did find a vulnerability that he later admitted his sandbox prevented him from carrying out. Details of the vulnerabilities unfortunately weren't given out: the TippingPoint DVLabs host of the conference pretty much buys the discretion of the hackers through its prize money, but will pass things on to the browser manufacturers.
Comments
comments powered by DisqusSubscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
![Learn More](https://www.linux-magazine.com/var/linux_magazin/storage/images/media/linux-magazine-eng-us/images/misc/learn-more/834592-1-eng-US/Learn-More_medium.png)
News
-
NVIDIA Released Driver for Upcoming NVIDIA 560 GPU for Linux
Not only has NVIDIA released the driver for its upcoming CPU series, it's the first release that defaults to using open-source GPU kernel modules.
-
OpenMandriva Lx 24.07 Released
If you’re into rolling release Linux distributions, OpenMandriva ROME has a new snapshot with a new kernel.
-
Kernel 6.10 Available for General Usage
Linus Torvalds has released the 6.10 kernel and it includes significant performance increases for Intel Core hybrid systems and more.
-
TUXEDO Computers Releases InfinityBook Pro 14 Gen9 Laptop
Sporting either AMD or Intel CPUs, the TUXEDO InfinityBook Pro 14 is an extremely compact, lightweight, sturdy powerhouse.
-
Google Extends Support for Linux Kernels Used for Android
Because the LTS Linux kernel releases are so important to Android, Google has decided to extend the support period beyond that offered by the kernel development team.
-
Linux Mint 22 Stable Delayed
If you're anxious about getting your hands on the stable release of Linux Mint 22, it looks as if you're going to have to wait a bit longer.
-
Nitrux 3.5.1 Available for Install
The latest version of the immutable, systemd-free distribution includes an updated kernel and NVIDIA driver.
-
Debian 12.6 Released with Plenty of Bug Fixes and Updates
The sixth update to Debian "Bookworm" is all about security mitigations and making adjustments for some "serious problems."
-
Canonical Offers 12-Year LTS for Open Source Docker Images
Canonical is expanding its LTS offering to reach beyond the DEB packages with a new distro-less Docker image.
-
Plasma Desktop 6.1 Released with Several Enhancements
If you're a fan of Plasma Desktop, you should be excited about this new point release.
Opera