"iPhone, IE, Firefox, Safari get stomped at hacker contest"

Discussion in 'other security issues & news' started by mvario, Mar 25, 2010.

Thread Status:
Not open for further replies.
  1. mvario

    mvario Registered Member

    Joined:
    Sep 16, 2008
    Posts:
    339
    Location:
    Haddonfield, IL
    http://www.theregister.co.uk/2010/03/25/pwn2own_2010_day_one/


     
  2. Watasha

    Watasha Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    233
    Location:
    United States
    Chrome was still standing....:cool:
     
  3. mvario

    mvario Registered Member

    Joined:
    Sep 16, 2008
    Posts:
    339
    Location:
    Haddonfield, IL
    One of the articles I read said no one took a shot at Chrome. o_O
     
  4. Dogbiscuit

    Dogbiscuit Guest

    The sandbox model does seem to make hacking more difficult.
     
  5. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    It certainly helps. But, as this week's 11 patches to Chrome show, malware authors can attack it if they want to. As much as I get seizures when I have to admit something positive about Google, their method of vulnerability reporting and their subsequent lightning-fast patches is an excellent example of how software development and support SHOULD be.
     
  6. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    That's thanks to the open-source nature of the development. Things just go smoother and faster with open collaboration.
     
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I think we must believe in Security by Obscurity. :eek:
     
  8. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Curious to know the results about Nexus One, Chrome and BlackBerry. :p
     
  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
  10. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    I've suffered a slight case of internal vomiting when reading the article.

    While the competition is a healthy exercise and fun overall, I believe it does not teach the users anything about proper computing and prevention, merely shows that you can create traps that allow software logic to be defeated and exploited.

    I do not think the web is scary at all. Nor do I believe in any kind of market share versus browser pwnage statistics. Because pwnage is directly related to usage model and has nothing to do with browsers. Linux and Mac users in this regard enjoy a safer model, even if specific software may be inherently insecure or less secure.

    One thing that really bothers me is the insistence on fear. There's such a pressure to portray browsers as insecure - and force people into submission and buying security software - that it borders on super-ugly. The message is, your browser is unsafe. OK, what now? What is Mr. Average Joe supposed to do? Cut his wrists with a plastic knife? Use a different browser?

    Only when there's no money agenda can the security advice be genuine. At the moment, it's just a scare train with no alternative. Plus, the truth is not as grim as portrayed. Far from it.

    Finally, as a former dabbler in experiments and lab-controlled stuff, I can tell you there's a difference between what you do in a lab and what you do in real life.

    Mrk
     
  11. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    That's funny, Linux was not even tested this year. And the last time I remember it being tested (Ubuntu) it didn't fall at all. And the market share argument is fallacious anyway since *nix dominates the world in web servers.

    P.S. Your sig is stupid. There is no such thing as a "HIPS" in the Linux world. That is a 'doze thing. In Linux we call them MACs. And, yes, Ubuntu does come with "security software." It's called AppArmor and iptables.
     
  12. mvario

    mvario Registered Member

    Joined:
    Sep 16, 2008
    Posts:
    339
    Location:
    Haddonfield, IL
    I found the agenda for Pwn2Own (here: http://dvlabs.tippingpoint.com/blog/2010/02/15/pwn2own-2010)

    Day 1

    The target pairings for day one are:
    • Microsoft Internet Explorer 8 on Windows 7
    • Mozilla Firefox 3 on Windows 7
    • Google Chrome 4 on Windows 7
    • Apple Safari 4 on MacOS X Snow Leopard

    Day 2

    The target pairings for day two are:
    • Microsoft Internet Explorer 7 on Windows Vista
    • Mozilla Firefox 3 on Windows Vista
    • Google Chrome 4 on Windows Vista
    • Apple Safari 4 on MacOS X Snow Leopard

    Day 3

    The target pairings for day three are:
    • Microsoft Internet Explorer 7 on Windows XP
    • Mozilla Firefox 3 on Windows XP
    • Google Chrome 4 on Windows XP
    • Apple Safari 4 on MacOS X Snow Leopard

    Also live updates on Twitter: http://twitter.com/thezdi
     
  13. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    If anything, the agenda shows how overlying errors in browsers can be used to ruin the underlying OS ... so, this tells us ... nothing about Linux, even though some bragged about it being as insecure ... and nothing about the privilege escalation models. Hmmm ....
    Mrk
     
  14. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I think web servers are run by people who know something about computers, they are not ordinary users.

    BTW my signature might be stupid but far less than a person who fails to understand it.
     
  15. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Mrk, does it really matter, or do you really think that some operating systems can't be hacked even via targeted attacks?
     
  16. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,924
    Location:
    U.S.A.
     
  17. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Well said by Miller.
     
  18. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    Everything can be hacked, except maybe a "hello world" program. That's not the point. The point is - how probable is that? What is the likelihood of that happening and, if it does happen, what are the consequences?

    And here it becomes a matter of OS model and OS security rather than the software used to break in. The browser is just an entry vector.

    Personally, I think the situation is a little absurd. Software developers have no legal responsibility for their code. On the other hand, you cannot expect them to cover every single possibility of what some user might do. You can't protect from deliberate harm. And you want to have a usable product at the end of the day.

    The simplest solution today is to limit the user - limited user. And this is the key to the problem. Don't let the user do harm - and they won't. In this regard, some operating systems have an advantage over others.

    All combined, you are pretty well off actually. The situation is not grim. There will always be browser vulnerabilities. The only question you should be asking is how they affect you? If your browser has a critical hole and it's patched within a day, does it really bother you? And if you're running as limited user and the exploit can't really do much, does it really bother you?

    Targeted, personal attacks can happen. But so can your hard disk die. What do you think is more likely? Your hard disk WILL die one day, but there's no guarantee you will be hacked. So if that's the case, you might as well not use hard disks :)

    Just simple math. Calculate your odds. The odds are in your favor.

    Mrk
     
  19. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I agree with you on that, but it's interesting to follow this discussion. :)

    I also agree that money is behind all this security fuss; it's a big business after all. :rolleyes:
     
  20. linuxforall

    linuxforall Registered Member

    Joined:
    Feb 6, 2010
    Posts:
    2,136

    And incidentally, it was Ubuntu 7.04 and not the latest 9.x series that kept standing. I am so sick and tired of the "Linux has less market share and that's why it's safe" argument repeated oft with redundancy. The *nix kernel used in Ubuntu is the same that's used in mission-critical servers doing billion-dollar monetary transactions. Day in and day out, Fedora, Ubuntu, SuSE and others issue security-related update patches, and for a good reason. Linux is protected by its design and also by its exposure in the server and enterprise world; that's combined with a dedicated team which is quick to patch flaws and keeps it out of the hackers' way, but then, nothing, and I mean nothing, is invincible. Past experience has shown that even mighty Linux has been brought down to its knees by a group of determined hackers; after all, it's the human mind, and the last time Deep Blue went against it in a chess game, it didn't do that well, did it.
     
  21. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    I agree that any OS can be cracked if the attackers are dedicated and knowledgeable enough. But such attackers are never going to target us average desktop users. Linux servers do need to stay vigilant, however.

    My concern is really only on automated attacks. I think Linux is much safer than Windows when it comes to those (especially when compared to XP and prior).
     
  22. Boost

    Boost Registered Member

    Joined:
    Feb 2, 2007
    Posts:
    1,293
    Excellent post! I only use Firefox and even after reading all these "scary contest results" I'll still be running it without fear :thumb:
     