Chrome withstand the first day of the CanSecWest contest

BaLtO · Mar 22nd, 09, 06:38 AM

"During a contest at the CanSecWest event, security researchers competed to exploit vulnerabilities in web browsers. Firefox, Safari, and Internet Explorer were all successfully compromised, but Chrome was able to withstand the first day of the competition."

Quote:

A recent contest at CanSecWest, an event that brings together some of the most skilled experts in the security community, has demonstrated that the three most popular browser are susceptible to security bugs despite the vigilance and engineering prowess of their creators. Firefox, Safari, and Internet Explorer were all exploited during the Pwn2Own competition that took place at the conference. Google's Chrome browser, however, was the only one left standing—a victory that security researchers attribute to its innovative sandbox feature

Chrome only browser left standing after day one of Pwn2Own - Ars Technica

Share|

techniqu · Mar 22nd, 09, 08:53 AM

are they sure it's because of this feature and not because IE, Safari, and Firefox have been around longer?

-Zero- · Mar 22nd, 09, 09:38 AM

First of all, Internet Explorer has a sandbox as well. So it's completely wrong to say that Chrome's sandbox is an 'innovative new feature'.

Microsoft IE came out with that first.

But the problem is that IE's sandbox mode only works if UAC is on. And we do not know what OS they were using for the test, and neither do we know if UAC had been turned off as well. If they were using Windows XP, then of course IE would fall quickly since XP does not have UAC to trigger sandbox mode aka Protected Mode in IE.

But the fact that Safari fell first in seconds: now THAT's something to put the Apple fanboys in their place.

BaLtO · Mar 22nd, 09, 09:57 AM

Quote:

Fresh from winning the PWN2OWN contest yesterday, Charlie Miller has been interviewed by ZDNet. He talks about how Mac OS X is a very simple operating system to exploit due to the lack of any form of anti-exploit features. He also explains that the underlying operating system is much more important in creating a successful exploit than the bowser, why Chrome is so hard to hack, and many other things.

...

Miller repeated his claim that Mac OS X is easy to exploit. He makes a clear distinction between the browser and the underlying operating system, stating that for example while Firefox on Windows is very hard to crack, Firefox on Mac OS X is easy, because Mac OS X lacks all the anti-exploit features Windows has built-in. "The things that Windows do to make it harder [for an exploit to work], Macs don't do," Miller says, "Hacking into Macs is so much easier. You don't have to jump through hoops and deal with all the anti-exploit mitigations you'd find in Windows."

...

When it comes to Chrome, Miller is positive about the sandboxing technology in the browser, explaining that you need two bugs in order to create a Chrome exploit; a bug in the browser, and a bug that gets you past the sandboxing. "There are bugs in Chrome but they're very hard to exploit. I have a Chrome vulnerability right now but I don't know how to exploit it," he states, "It's really hard. They've got that sandbox model that's hard to get out of. With Chrome, it's a combination of things - you can't execute on the heap, the OS protections in Windows, and the Sandbox."

Miller on Mac OS X, Chrome, Firefox, Economics

babybearbear · Mar 22nd, 09, 02:15 PM

Quote:

Originally Posted by -Zero-

First of all, Internet Explorer has a sandbox as well. So it's completely wrong to say that Chrome's sandbox is an 'innovative new feature'.

Microsoft IE came out with that first.

But the problem is that IE's sandbox mode only works if UAC is on. And we do not know what OS they were using for the test, and neither do we know if UAC had been turned off as well. If they were using Windows XP, then of course IE would fall quickly since XP does not have UAC to trigger sandbox mode aka Protected Mode in IE.

But the fact that Safari fell first in seconds: now THAT's something to put the Apple fanboys in their place.

A LOT of people still using XP, that means IE sandbox is not working for LOTS OF PEOPLE?