Tag Archives: browser security
The Chrome browser was able to survive the first day of Pwn2Own, despite a reward of $20,000 being offered by Google themselves for anyone who could compromise the browser’s security on a Cr-48 during Day 1. That made the incentive to crack Chrome better than the rewards for the other browsers, which stood at $15,000.
Two rival web browsers were not so lucky: Internet Explorer 8 on 64-bit Windows 7 was hacked by a researcher and Safari 5 on Mac OS X was taken down by a security firm.
According to ITWorld, there were two teams that did sign up to take a shot at Chrome, but one of them did not show for the contest and the other decided to hack RIM’s BlackBerry instead. If Chrome does not get hacked in the next two days, it will have a record three-year showing at Pwn2Own without being hacked.
It’s expected that Firefox will be a target today and tomorrow at the competition.
Researcher Charlie Miller explained last year what it is that makes Chrome so difficult to attack. He believes that Flash is one of the main culprits leading to compromised situations. However, he also said that IE8 was as secure as Chrome. But that was last year, and now IE8 has been successfully exploited.
When will someone find a successful Chrome hack?
It was a big deal when Google released Chrome and decided that the browser needed to be updated automatically without user prompting. While somewhat controversial, the method works and keeps Chrome as current as possible, protecting it from malicious attacks. Indeed, a recent study has shown that 97% of Chrome users are running the most recent version because of the auto-update method.
Now the new version of Firefox, the fourth installment, will go down this route and Mozilla will quietly update their browser automatically. Not only does this keep the browser safer, it allows Mozilla to better compete directly with Chrome by being able to stream updates to users.
Take a look at these graphs on update cycles for both Chrome and Firefox.
You can see that Chrome users in the past have been recipients of browser updates that allow previous versions to simply die off. Consider that if Microsoft had been using this method some time ago, they wouldn’t be confronted with the Internet Explorer 6 scrutiny they’ve been under; instead they have opted to promote Windows 7, which runs version 8 of IE.
For the past six months, those who have been able to find a flaw in Chromium were awarded cash prizes for doing so. Now that this program has been ongoing for some time, the Chromium team has decided to increase the amount given out for the most critical of flaws found, moving from $1,337 to $3,133.70. Most awards will remain at the $500 level, depending on the published severity guidelines.
The Chromium project has led to Chrome being one of the most secure browsers on the market. The annual conference where researchers try to compromise browsers and other computer platforms, Pwn2Own, had no takers for the Chrome browser this year. It could be because Chrome is still the newcomer on the market. Nevertheless, all of the other major browsers ended up getting hacked at Pwn2Own.
It’s unknown whether or not the decision from the Chromium team relates to Mozilla recently raising their Security Bug Bounty Program award up from $500 to $3,000. With that being said, moving the amount just above Mozilla’s while keeping the cachet of the original award may mean something when thinking about Firefox versus Chrome: actions speak louder than words.
While news has been sparse since Day 1 of Pwn2Own, word is that Chrome was the only major browser to make it through the entire competition unscathed. That means it even got through the vaunted Windows XP Day 3, where many expected that Chrome would be exploited by using some of XP’s inherent holes. Not to mention that, service packs notwithstanding, XP is nine years old.
Major browsers such as IE8, Safari and Firefox were hacked within minutes of the start.
Pwn2Own, by the way, is a contest that awards “researchers” cash prizes for successfully hacking computer platforms – prizes in the range of $10,000 to $15,000 plus the computer that they hacked.
OK, so Chrome made it through. But let’s think about this. Chrome has only been out since 2008, and there still aren’t that many users who have adopted it yet. W3schools, a web developer site, reports that 11.6% of the users who visited their site in February 2010 were running Chrome. And that is a site for early adopters of web technology! The real number for the entire web population is probably closer to five percent. That may be one of the reasons that researchers have yet to find vulnerabilities in it: they hack what they know, which is the other browsers out there.
Of course, it is also possible that the other browsers on the market are simply weaker than Chrome. There was some stir in the days leading up to the contest that Google quickly patched up a slew of security flaws in what was seen as a pre-emptive move. But when you are actually awarding outside experts cash when they see a flaw in Chrome, it’s probably easier to patch up things that may be hard to see when they are right in front of you.