# Web browsers hacked, chrome surprise winner



## benanderson (Mar 20, 2009)

There was a contest held in Canada titled "PWN2OWN". This year the game was to hack web browsers.
The list of web browsers was as follows on the given platforms;
WINDOWS 7:
IE8
Fire Fox
Chrome

MAC:
Firefox
Safari

The first web browser to fall was Apple's safari which got "pwned" in a matter of seconds (no really, a matter of _seconds_). Infact it was hacked twice it was so easy!
Next to fall was Microsoft's brand new Internet Explorer 8. A huge hole was discovered (surprise, surprise) which made hacking a breeze. it took a few hours.  So much for "protection no other browser can match" Mr Balmer 

Firefox fell next, again taking a few hours.

All of these browsers were taken down in Day1 of the hacking competition.
The security issues were sent to the respected companies, all but one.

The surprise was Google's Chrome. It left the competition unscathed, standing tall with no security flaws people could pick at. My hat is off to Google, they've acctually beaten firefox! =O

Now that it's at v2.0 it's got loads of extra features and one mother of a speed boost [size=-5](stfu twille)[/size] I don't know about all of you but I've switched to chrome!


----------



## Panzermanathod (Mar 20, 2009)

I was planning to try chrome in the future, although since I don't have a computer of my own I have to old off for a while.


----------



## CaptainCool (Mar 20, 2009)

interesting^^
i just downloaded it to test it and it really is a little faster than the FF!
but ill stick with firefox. i dont like chrome, it feels clunky to use and looks... odd to me.


----------



## benanderson (Mar 20, 2009)

CaptainCool said:


> interesting^^
> i just downloaded it to test it and it really is a little faster than the FF!
> but ill stick with firefox. i dont like chrome, it feels clunky to use and looks... odd to me.



I will admit the GUI is a little funny to use because everything is accessed by right click menus and what buttons there is are very big. Even so it's not that bad compared to other browsers. Opera for example *ugghhh*


----------



## Cronus616 (Mar 20, 2009)

Wow that's...interesting.
I tried chrome but never really liked it too much
meh, i just love the look and feel of firefox ^-^


----------



## Grimfang (Mar 20, 2009)

Haha.. that's kind of funny. Safari fell _before_ IE? That's bad for one's reputation. Apple better keep the journalists away.

The reason I've adopted Chrome for only minimal use is because I'm such a furfag for Firefox <3
That, and I guess I still need to get used to Chrome.


----------



## TheDumbening (Mar 20, 2009)

I don't think they make Chrome for ubuntu. Of course I don't want to switch anyway.


----------



## Nalo (Mar 20, 2009)

well im dualbooting windows and ubuntu so its easier to just stick with FF


----------



## Irreverent (Mar 20, 2009)

Grimfang said:


> Haha.. that's kind of funny. Safari fell _before_ IE? That's bad for one's reputation.



Nah, look at the installed base.  Billions of IE testers, millions of Safari testers.  Of course the counter argument is that Chrome should be the buggiest (and it may yet still be, all it takes is a bad 0.1 patch) because they have the smallest user-base, but they also have had the longest chance to learn from the others mistakes.

Chrome may suffer from an architectural error tho, its being designed for virtualized application delivery and so-called cloud-based computing.  That's unexplored space for bugs and exploits.


----------



## Takun (Mar 20, 2009)

Not too surprised, but I like customizing Firefox.


----------



## Runefox (Mar 20, 2009)

TheDumbening said:


> I don't think they make Chrome for ubuntu. Of course I don't want to switch anyway.


There is actually a version being developed called "Chromium" for Linux, which should be available for Ubuntu. It's currently in alpha, IIRC, so it's not to be used as an everyday browser. In addition, these hacks probably won't be relevant to a Linux user, if only because no damage can come from it since you're (hopefully) not running as root. Still, data mining could be a problem if this were to succeed.



> Chrome may suffer from an architectural error tho, its being designed for virtualized application delivery and so-called cloud-based computing.  That's unexplored space for bugs and exploits


Interesting that you should mention this; Microsoft is currently investigating such a browser, code-named "Gazelle". It's slated to replace the Internet Explorer line following the end-of-life for IE8 if all goes well.

Honestly, the results don't surprise me. Apple has never been very careful when it comes to security, no matter what you say about OS X (its base OS is mostly responsible for that). Their browser has had numerous security holes over the years that have been claimed to be "features", such as the automatic downloading of files to the user's folder (OS X) or desktop (Windows) without confirmation or consent. The possibility exists for a further attack involving the execution of that file, either via social engineering or exploiting other vulnerabilities. Safari is swiss-cheese, just like IE.

Firefox has its holes, too, though these exploits typically don't allow such alarming things as, to borrow a phrase from Windows Update, "allowing a malicious user to take full control over an affected computer", and typically involve attacks against the Javascript engine, as I understand it. Browsing with noScript and FlashBlock should more or less plug most of those holes.

Myself, I use Firefox, but only because Chrome has had issues in the past, particularly with page rendering on some occasions. Otherwise, it's blazing fast in comparison to Firefox, having an almost instantaneous startup on my machine, never slowing down due to scripts or image-heavy sites, and having great crash handling (if a tab crashes, it typically doesn't kill the whole browser). I used to use Chrome exclusively for a while, and I would definitely go back to it, especially if more focus was placed on extensions, particularly analogues to AdBlock, noScript, and others.


----------



## Irreverent (Mar 20, 2009)

Runefox said:


> Interesting that you should mention this; Microsoft is currently investigating such a browser, code-named "Gazelle". It's slated to replace the Internet Explorer line following the end-of-life for IE8 if all goes well.



I expect all of the major vendors (virtual, OS and browser) to release cloud-based access portals in the near future.  The questions is, will they learn from past mistakes, or are we about to see history repeat itself.  I hope for the former, but expect the latter.

I've got two 1 petabyte storage arrays in dev, and a half-petabyte array in production right now, to support this new cloud based architecture and service offering.  Storage wont be a problem, the network is solid (gigE and 10gigE) processor load balancing shouldn't be (although detecting hung or lagging virtual sessions is becoming problematic)...the real unknown is the user interface and its portal.

The Olympics and HSPA roll outs are taking focus away from cloud computing, but right now, Chrome is the only browser that is being deliberately architected for it anyway.


----------



## Kangamutt (Mar 20, 2009)

Where's your "God" now, iFags?

MUAHAHAHAHA!!!!!


I should really get Chrome.


----------



## Runefox (Mar 20, 2009)

Might as well mention that since Google seems to have fixed Chrome's rendering issues, Firefox has decided to fail to retain any cookies and has long had stuttering image issues in videos, I've switched back to Chrome for now, at least until Firefox 3.1 is released proper.


----------



## Adelio Altomar (Mar 20, 2009)

Wow. I use Chrome as my default web browser, including pr0nz viewing! 
Once again a shining example of how great my tastes are! ^^

Yet I also believe all web browsers, especially FF, and including Chrome, are, without a doubt, over-rated. To some extent or another.


----------



## Not A Fox (Mar 20, 2009)

I don't know about you guys, but I'm smelling Covert Marketing. 


OP, care to link us to this article?


----------



## eternal_flare (Mar 21, 2009)

Firefox is more user friendly, at least for me, I think. :3
After messing with about:config on firefox a bit, it's speed is sure faster than before.
And I believe this testing thingy do it with initial newly installed condition, firefox has it best on extensions, imo, so this doesn't gonna change my view to it. :3


----------



## Gar-Yulong (Mar 21, 2009)

Runefox said:


> Might as well mention that since Google seems to have fixed Chrome's rendering issues, Firefox has decided to fail to retain any cookies and has long had stuttering image issues in videos, I've switched back to Chrome for now, at least until Firefox 3.1 is released proper.



Wait, so Viddler running choppy as hell and Firefox refusing to store my cookies isn't a problem with my computer?!

God damn, for the longest time I thought I had a PC issue there.


----------



## Runefox (Mar 21, 2009)

Gar-Yulong said:


> Wait, so Viddler running choppy as hell and Firefox refusing to store my cookies isn't a problem with my computer?!
> 
> God damn, for the longest time I thought I had a PC issue there.



Well, you can probably get around the cookies bit by completely reinstalling Firefox (that is, uninstall, remove ALL your profile data, and reinstall fresh), but that's a colossal pain in the ass. I've always had a problem with Firefox doing _something_ and causing the video to freeze periodically for a half-second to a second, and I've ruled out extensions being the cause and CPU usage is normal. Switching to a different browser works fine. The cookies issue tends to be rather common, I've found, or at least, not unheard of, and the fix is usually to reinstall Firefox or delete the profile (or both). You're the only other person I've seen complaining about the video playback but me, though.


----------



## benanderson (Mar 21, 2009)

Not A Fox said:


> I don't know about you guys, but I'm smelling Covert Marketing.
> 
> 
> OP, care to link us to this article?



Article*S*
Plural

It's all over the internet.
http://www.google.co.uk/search?hl=en&rlz=1C1GGLS_enGB319&q=pwn2own+chrome&start=0&sa=N


----------



## benanderson (Mar 21, 2009)

eternal_flare said:


> Firefox is more user friendly, at least for me, I think. :3
> After messing with about:config on firefox a bit, it's speed is sure faster than before.
> And I believe this testing thingy do it with initial newly installed condition, firefox has it best on extensions, imo, so this doesn't gonna change my view to it. :3



FF does have a better UI. I'm still figuring out where some of the bits and pieces are in chrome.

Safari, Chrome and FF all use the same plugins. The 2nd item in my chrome's "aboutlugins" list is "MicrosoftÂ® Windows Media Player Firefox Plugin". The first being the FF ActivX extension.



			
				Runefox said:
			
		

> Might as well mention that since Google seems to have fixed Chrome's rendering issues, Firefox has decided to fail to retain any cookies and has long had stuttering image issues in videos, I've switched back to Chrome for now, at least until Firefox 3.1 is released proper.



I always had problems with flash based media. IE: Flash running in one page (for example the FA media player) then when I open another tab that has flash embedded (anything from adverts to games) the entire browser would freeze for a few seconds and the audio coming from the media player would stop.


----------



## Runefox (Mar 21, 2009)

benanderson said:


> *Safari*, *Chrome* and *FF all use the same plugins.*


*
Yeah, they all use the Netscape plugin standard.




			I always had problems with flash based media. IE: Flash running in one page (for example the FA media player) then when I open another tab that has flash embedded (anything from adverts to games) the entire browser would freeze for a few seconds and the audio coming from the media player would stop.
		
Click to expand...

Yeah, that's mainly a problem with single-threaded browsers, but also a problem with single-core PC's. Myself, I can run flash in multiple tabs without really slowing down, but that gets annoying REALLY fast. Chrome should be even better at this, since each tab is a separate process, meaning that multi-core processing is easier to take advantage of, and each tab is completely separate from the other. So such slowdowns should only really happen on older/slower computers.*


----------



## Irreverent (Mar 21, 2009)

benanderson said:


> Article*S*
> Plural
> 
> It's all over the internet.
> http://www.google.co.uk/search?hl=en&rlz=1C1GGLS_enGB319&q=pwn2own+chrome&start=0&sa=N



Its also the second year in a row that Safari got pwned in under 30 seconds.


----------



## â„¢-Daley Leungsangnam475-â„¢ (Mar 21, 2009)

wow ... i'm gonna have to try Chrome ... but for now i'm gonna stick with Firefox


----------



## Stratelier (Mar 21, 2009)

Not A Fox said:


> OP, care to link us to this article?


*Exactly*.  Without a news article, all we have here is, essentially, word-of-mouth.

I mean, exactly what constituted a successful 'hack' in that competition?


----------



## benanderson (Mar 21, 2009)

Stratadrake said:


> *Exactly*.  Without a news article, all we have here is, essentially, word-of-mouth.
> 
> I mean, exactly what constituted a successful 'hack' in that competition?




Breaking through it allowing malicious code to be executed on the target computer.
Also;
http://www.google.co.uk/search?hl=en&rlz=1C1GGLS_enGB319&q=pwn2own+chrome&start=0&sa=N

Search engines are your friends.


----------



## Gar-Yulong (Mar 21, 2009)

Runefox said:


> Well, you can probably get around the cookies bit by completely reinstalling Firefox (that is, uninstall, remove ALL your profile data, and reinstall fresh), but that's a colossal pain in the ass. I've always had a problem with Firefox doing _something_ and causing the video to freeze periodically for a half-second to a second, and I've ruled out extensions being the cause and CPU usage is normal. Switching to a different browser works fine. The cookies issue tends to be rather common, I've found, or at least, not unheard of, and the fix is usually to reinstall Firefox or delete the profile (or both). You're the only other person I've seen complaining about the video playback but me, though.



Yeah, until Firefox comes out with another update I'm just going to use Chrome again. It seems a lot less buggy than when I tested it waaay back when it first came out, so I'm gonna have fun.


----------



## Aden (Mar 21, 2009)

Opera gets ignored? :/


----------



## benanderson (Mar 21, 2009)

Aden said:


> Opera gets ignored? :/



Sadly yes, I would've loved to have seen the results.


----------



## Eevee (Mar 21, 2009)

Irreverent said:


> Nah, look at the installed base.  Billions of IE testers, millions of Safari testers.


what does installed base have to do with finding security holes?



Irreverent said:


> Of course the counter argument is that Chrome should be the buggiest (and it may yet still be, all it takes is a bad 0.1 patch) because they have the smallest user-base


that would be a dumb argument.  chrome uses the same engine as safari, which has been hammered on for *years*.  all they wrote was some UI and clever forking.



Runefox said:


> There is actually a version being developed called "Chromium" for Linux, which should be available for Ubuntu. It's currently in alpha, IIRC, so it's not to be used as an everyday browser.


I wouldn't even go that far.  as I understand it, tabs don't even work yet.


----------



## Irreverent (Mar 21, 2009)

Eevee said:


> what does installed base have to do with finding security holes?



Simple really.  More users, more combinations and permutations of OS, patches levels, hardware revisions and  more possibility for errors to pop up and to be investigated and exploited.  Nobody designs attacks/exploits for an esoteric browser that no one uses.



> that would be a dumb argument.  chrome uses the same engine as safari, which has been hammered on for *years*.  all they wrote was some UI and clever forking.



Perhaps its dumb.  I think that assuming that just because a new UI and clever forking is built on an established platform, its somehow magically safe is equally dumb.  The linux crowd has been drinking that cool-aid for years tho.  BTW, that "hammered on" engine got pwned in 30 seconds, twice in as many years; during the PWN2OWN competition.

But even if the foundational elements are safe, there's no magic guarantee that Chrome's new UI and clever forking are safe.  It has to be proven, tested, and evaluated.


----------



## Eevee (Mar 22, 2009)

Irreverent said:


> Simple really.  More users, more combinations and permutations of OS, patches levels, hardware revisions and  more possibility for errors to pop up and to be investigated and exploited.


that is kinda my point.  security errors don't often just _pop up_, and rarely in any way a casual user would notice.



Irreverent said:


> Perhaps its dumb.  I think that assuming that just because a new UI and clever forking is built on an established platform, its somehow magically safe is equally dumb.


of course not.  but it's not equivalent to a brand new platform, either.


----------



## Irreverent (Mar 22, 2009)

Eevee said:


> that is kinda my point.  security errors don't often just _pop up_, and rarely in any way a casual user would notice.



Not by the average user, no.  But the black-hat crowd would notice.  "Hey, what happens when I try this?  Oooooo buffer overflow!  Kewel!"



> but it's not equivalent to a brand new platform, either.



But with regression testing becoming an expensive, lost art better to assume that it is.  Expect the best, prepare for the worst.


----------



## Not A Fox (Mar 22, 2009)

Ok.... Before I download Chrome....


Are there any privacy issues with it?

I'm used to hearing about google gathering all kinds of information out of you from their products / services.


----------



## WarMocK (Mar 22, 2009)

Not A Fox said:


> Ok.... Before I download Chrome....
> 
> 
> Are there any privacy issues with it?


I love rhetorical questions. xD

http://www.srware.net/en/software_srware_iron.php
That's the version that doesn't permanently call home. ;-)


----------



## Adelio Altomar (Mar 22, 2009)

*TO ALL CHROME USERS*

Click on that link below and see if you can view that huge PDF file alright.
When loading or displaing, does it freeze up on ya or cause the whole window to become unclickable, particularly between other windows?

It did for me, but I managed to save all my windows by clicking the desktop icon. I can't believe I'm having to go back to IE to view it. >>

Edit: forgot the link. >>

http://www.austincc.edu/catalog/


----------



## Runefox (Mar 22, 2009)

*Re: TO ALL CHROME USERS*



Adelio Altomar said:


> http://www.austincc.edu/catalog/



Works fine in Chrome over here. It's the Adobe PDF plugin if that's happening. If you're using Firefox, you might be interested in the PDF Download plugin, which lets you view/download PDF's in multiple different ways.


----------



## Adelio Altomar (Mar 22, 2009)

So it downloaded all 344 pages? =O
I already had PDF installed and that plug-in won't help since I don't use FF. 
I think it might be the connection as well. It kept dying when I was trying to load it up and everyone who's talked to me knows I'm notorious for just dropping out like that.

And I just now got an update made so maybe that should help.


----------



## sirfragalot (Mar 23, 2009)

benanderson said:


> Sadly yes, I would've loved to have seen the results.



Me too, we don't know the true results until Opera gets tested. 

I tried google chrome, but it's simplicity annoyed me too much to use, lol. I am used to having everything with firefox and since I don't visit bad sites I am not worried about getting hacked.


----------



## Runefox (Mar 23, 2009)

sirfragalot said:


> Me too, we don't know the true results until Opera gets tested.


OK, while we're at it, we have to be fair to the other browsers, too; Otherwise, we don't know the results!


Lynx
ELinks
Arachne
MSN Explorer, AOL Explorer, Avant Browser, Maxthon, other Trident shells
Camino
Seamonkey
ABrowse
AWeb
Voyager
Galeon
Konqueror
K-Meleon
IceCat/IceWeasel
Amaya
IBrowse
Netscape 4.x
Netscape 6-7
Netscape Navigator 9
NetFront browser for PSP
Myriad/OpenWave mobile
Fennec
And all the rest



> ...and since I don't visit bad sites I am not worried about getting hacked.


Browsing "bad" sites is only one of the preventative measures you should take to ensure that you're not being tracked/etc. There are still phishing sites and things of the like that look legitimate, and there's also the concept of poisoning a legitimate website with bad code. That said, Firefox should usually be OK, but unless you know what you're doing and understand the risks, you should look at add-ons that enhance its security.


----------



## Mogu (Mar 23, 2009)

Shoulda tested Opera.


----------



## Aden (Mar 23, 2009)

Runefox said:


> OK, while we're at it, we have to be fair to the other browsers, too; Otherwise, we don't know the results!
> 
> 
> Lynx
> ...



While Opera has a very small market share, it's still considered a "major" browser.

Browser market shares for Q1 2009:

Microsoft Internet Explorer: 67.29% 
Firefox: 21.77% 
Safari: 8.20% 
Chrome: 1.15% 
Opera: 0.71% 
Netscape: 0.63% 
Mozilla: 0.08% 
Opera Mini: 0.07% 
Playstation: 0.04%


----------



## Stratelier (Mar 23, 2009)

benanderson said:


> Breaking through it allowing malicious code to be executed on the target computer.
> Also;
> http://www.google.co.uk/search?hl=en&rlz=1C1GGLS_enGB319&q=pwn2own+chrome&start=0&sa=N
> 
> Search engines are your friends.



>> Ars Technica article

Ahem:



> The contest awards security researchers with hardware and cash prizes for finding efficient ways to trick browsers into *executing arbitrary code.* During the first day of the competition, the contestants are required to do this *in default browser installations without plugins* such as Flash or Java, which are commonly used as vectors for attacks.



Noting the word is 'arbitrary' code, not necessarily 'malicious', fwiw.



> Early this month, prior champion Charlie Miller told reporters that he would be attempting to exploit a Safari vulnerability on Mac OS X. Safari, he said, would be the first to succumb to the contestants. As he promised, Safari went down first: he was able to execute his *prepared* hack in only a matter of seconds. Another security expert known only as Nils took longer, but was able to successfully exploit all three of the most popular browsers.
> 
> ... Miller said that the vulnerability he used in the contest was *one that he had originally found while preparing for the contest last year.* Instead of disclosing it at that time, he decided to save it for the contest this year.



Note that the hacker used a bug he discovered during the _previous_ year.  He didn't hack Safari from the ground up, he knew about the bug for a full twelve months in advance.  On the one hand, that's almost cheating.  But on the other hand....


----------



## Runefox (Mar 23, 2009)

Stratadrake said:


> Note that the hacker used a bug he discovered during the _previous_ year.  He didn't hack Safari from the ground up, he knew about the bug for a full twelve months in advance.  On the one hand, that's almost cheating.  But on the other hand....



On the other hand, Apple would have found an excuse not to fix the bug, just like the whole "automagical spam-downloading of files to the user folder/desktop" _feature_.

I should say that while I haven't checked on it lately, when I last saw the state of that _feature_, Apple had no intention of removing/fixing it.


----------

