IE9 2nd to fall at Pwn2Own

IE 9, on most secure Windows yet, next browser to fall at hacker contest

Much more interesting is something that hasn't been covered by any MS blog:

http://arstechnica.com/business/new...st-windows-gets-stomped-at-hacker-contest.ars

 

I'm sure they will all go down before it is over. Firefox and Safari and probably both easier than Chrome and IE.

 

... is close to gaining parity with the current Chrome sandbox.

 

Not saying much since the current Chrome sandbox was the first to fall.

 

thank you for the balanced input

 

@Badkins,

the time that any of them fall is irrelevant - the researches have the exploits wayyyyy before pwn2own. They don't just come up with them on the spot.

They're basically attacking them in the "perceived order of security." Chrome was obviously their first target, as they said, because they wanted it clear that Chrome was not unbeatable. IE9 is the next logical target. Order has very little to do with which is the strongest or weakest.

 

I agree.

And, that means one needs to dedicate one's time entirely to finding the precious gap.

That also means that, while this sandbox breaks/bypasses are revelant, in a real world scenario one would have to make the following question - Would it be rewarding for cyber criminals to waste precious time trying to break these sandboxes, when there's plenty of easier fish out there?

Unless they know before hand they'll be putting hands on a great prize, I got my doubts. Even then, there are still easier ways, aren't there?

 

Yes, that's generally the idea of a sandbox. Can it be broken? Of course. But it's a lot harder to come up with two exploits than it is to come up with one.

For attacking a government/ company yes you might see a 0-day like this used. A user? No, I sincerely doubt it - much more likely you'll see a Java 0day or PDF or Flash.

 

Yeah I know. I was sort of making fun of the whole pwn2own PR. They usually hype it up when they release results by saying "OMG IE pwnd in only 0.7 seconds!" And likewise they claim "Chrome still unhackable 2 years in a row."

The time to execute an attack says nothing of the time to craft the attack. And when no one attempts an attack, it says nothing of the difficulty to craft an attack.

 

Yeah, definitely. I wish they wouldn't put out headlines like that lol they're completely misleading. In reality this IE9 hack took 2 weeks to formulate, who knows how long for Chrome.

And as you say, last year no one attempted to hack Chrome, which was not to say that Chrome was unhackable.

EDIT: It's a shame that this exploit still works in 8. I would have hoped that this would have helped:

Though they do give credit:

 

Considering Microsoft's new found focus on security I'm completely not surprised that the exploit is in code passed down from older versions.

 

I wish there were "demo pages" for these exploits. I'd be interested in how bottom up randomization effects heap overflows.