IE8 FF and Safari fall for Pwn2Own hack.

http://blogs.zdnet.com/security/?p=2917

http://blogs.zdnet.com/security/?p=2934

Macbook fell in seconds.

 

The bad guys are always going to get through no matter how long it takes or what methods they use. Microsoft has spent a year fortifying IE8, and hackers have spent a year poking at it. Gee, and on the day before official release too, lol, that has to suck.

 

Nothing really new here. All programs (and especially complex ones) will always have bugs that can be exploited to compromise a system.

 

Thanks for the link, that was interesting!

 

It wasn't only IE8 and Safari: Firefox was easily beaten too.

 

Yep thats why the title says IE8, FF and Safari.

 

Oops, you're right. Sorry.

 

I wonder how it was really done and how we can protect ourselves from this... Is using something as noscript enough? ...

 

this from Charlie Miller after taking seconds to use Safari to take full control of a Mac
http://www.osnews.com/story/21171/Miller_on_Mac_OS_X_Chrome_Firefox_Economics

 

That is freaking LAUGHABLE. NO ONE OWES the general public jack. I'm not for exploiting holes for "blackhat" uses, but it is no ones responsibility to plug these holes and disclose exploits other than the creators - open source or not.

 

google chrome is your best bet at the moment.it was the only browser not to get hacked and the guy who hacked safari and firefox said that he knows of exploits in google but as far as he could tell there is no way to exploit them because the google chrome browser sandboxes itself when you start browsing so anything you do to try and hack it will not get outside of the virtual sandbox the browser works in.
so check it out for yourselves but this was right from the hackers mouth.

 

When I had read the article from the guys from stanford in which they extrapolated that Chrome due to its internal sandbox shhould be around 70% less vulnarable to exploits than other browsers I switched to Chrome for daily browsing.

We now use IE8 only for on-line banking and shopping (due to a stupid restriction of only facilitating IE by one of my wife favourite on-line music shop) and Chrome for daily browsing. It is good to see that this stanford study assumption has been checked with real life tests.

On IE we have added website rating program and use the new IE smartscreen filter check before buying, to minimise buying from malware sites.

Using a policy sandbox (gesWall Pro on the older desktop and DefenseWall on the faster laptop at home) on top of that, I reduced my layered defense to a non-paranoid cover once setup (so no second safety nets with other HIPS etc to backup the policy management).

In real life it did not change a thing (we were not exploited in the past and are with these setups also not exploited until now), only difference is a much more responsive system. With security a step from ignorance to awareness seems to make a difference, but the step to awareness to hobby or een paranoia seems to add not very much. I am wondering how many wilders members have gone through this cycle. From hype- hope- help - horror to the (h)old fashioned firewall + AV + policy management (either with programs like GW/DW or implemented through facilities of the Operating system).

Thanks for the post by the way, nice read Arup.

 

I've gone through the stage you described, minus the horror phase. My mindset was until now, as follows:

1. IE is BAD, don't go near it, widespread destruction will surely follow.

2. There's "nuclear" malware out there that will get through anything you can throw at it. Get a HIPs/Behavior blocker right now and stack every security app that doesn't overlap, and then say a prayer.

3. Hackers are everywhere and they want YOU. Beware!

4. Everything you do, say, see, and hear is tracked online. "They" know where you are and what you're doing".




My new mindset:

1. No it isn't, and no it won't. I use IE8 and *gasp!*...I like it. Nothing's blown up yet.

2. No there isn't, shut up and enjoy the internet.

3. They are, but unless you've got something they want, no they don't.

4. Actually it's not, and no they don't. They have trouble finding laptops an employee left in the break room and say it's stolen. Cookies can track some things, sure, but cookies can be dealt with REAL quick and easy.


I like my new mindset, but that doesn't mean I'm not cautious. I stay on top of patches, my Avast is up and running just fine, I scan everything I download before I even think of opening them, and I'm sitting behind Sandboxie. That's all that's ever going to happen unless some huge new thing comes along. I'm not turning my computer into a 486 on dialup because I want to be "untouchable" as far as security, and I'm going to surf where I want, and download what I want, and get my 40 bucks a month worth of internet access.

 

Connect to my LAN, and you will soon find out that it's very true Lots of script kiddies around, with too much time on their hands.

You ARE tracked online, and sometimes it's good to be aware of it, it gives you an interesting perspective on things. Don't become too paranoid about it, but stay alert.

 

FYI: FF was patched within 8 days.

 

I don't worry about script kiddies, hell, if they want to scan my ports all day they can have at it. The data thieves are my concern, and I have no data stored on my system they'd even want. I know I'm tracked in some ways online, but again, it's mostly cookies, which are easily dealt with. I've spent too much time under my tin foil hat, time to hang it up.

 

This may be especially true for XP.

 

dw426,

You pretty much summed up my feeling of surfing online as well

So much so,I had to quote you

 

I generally use Linux and sometimes use Windows, on both my sensitive data is fully encrypted, I wouldn't be without it.

dw426 quote of turning your PC into a 486 is quite relevant in this sense. Too many security apps can make even a quad core into a 486 and also cause myriads of issues and clash with each other. Worse of all, browsing speed can be impacted as well.