Experts Earn $280,000 for Hacking Safari, Flash, Chrome

Discussion in 'other security issues & news' started by ronjor, Mar 17, 2016.

  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,802
    Location:
    Texas
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,055
    Location:
    The Netherlands
  3. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,985
    Location:
    Canada
    Yeah, it looks like once again Adobe Flash gleefully opens its wonky screen doors for hackers to gain access to system privileges and such. Flash has become a certifiable security joke.
     
  4. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,802
    Location:
    Texas
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,055
    Location:
    The Netherlands
    And they weren't able to hack Chrome on day two, proving it's one of the mosts secure browsers. Microsoft Edge was hacked with a browser + kernel exploit. This also proofs that kernel exploits are crucial to hackers. So it's getting quite hard to hack browsers that run in a sandbox.

    http://community.hpe.com/t5/Securit...y-two-crowning-the-Master-of-Pwn/ba-p/6842863
     
  6. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,985
    Location:
    Canada
    Good to see Chrome could withstand these latest hacking attempts against it, especially given the impressive skill level of these hackers. Even Edge required a kernel exploit, as you alluded to, for it to be hacked. Hopefully more time and effort can be directed toward the kernel, even linux', to secure it better.
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,055
    Location:
    The Netherlands
    The other good news was that they weren't able to hack VMware Workstation, so they couldn't break out of a virtual machine.
     
  8. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,985
    Location:
    Canada
    Here’s the full breakdown for the 21 vulnerabilities:

    • Microsoft Windows: 6
    • Apple OS X: 5
    • Adobe Flash: 4
    • Apple Safari: 3
    • Microsoft Edge: 2
    • Google Chrome: 1 (duplicate of an independently reported vulnerability)
    -http://venturebeat.com/2016/03/18/pwn2own-2016-chrome-edge-and-safari-hacked-460k-awarded-in-total/
     
  9. oliverjia

    oliverjia Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    1,517
    Google Chrome on Linux x64 should be the most secure browser (hopefully), which is what I am using now. No Edge and Windows, no Mozilla Firefox, certainly no safari.
     
  10. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,985
    Location:
    Canada
    Using it on Linux as well. Notice the hackers don't even attempt to hack it on Linux, probably feeling it's a lost cause. The seccomp-bpf sandbox is a fortress.

    They don't probe at Sandboxie, either. Maybe too much time and effort to hack?
     
  11. oliverjia

    oliverjia Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    1,517
    Guess so.
    I basically ditched all my Windows 10 OS on all my home computers, installed Ubuntu 14.04.4, and made a offline Windows 7 VM just for MS Office, Adobe PS/Acrobat etc.
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,055
    Location:
    The Netherlands
    Probably, because you first need to gain remote code execution via the browser, and after that you need to elevate privileges plus disable SBIE's protection. So for sure they would need to use a kernel bug.
     
Loading...