Tag Archives: Charlie Miller
Chrome Still Standing at Pwn2Own
Posted on 25. Mar, 2010 by Daniel Cawrey.
The first day of the Pwn2Own contest came and went yesterday with the Chrome browser still standing. The competition, which pits security-minded hackers against web browsers, operating systems and mobile phone platforms, did however do a number on Apple products. Apple’s Safari browser was hacked on both Snow Leopard and the iPhone, while Charlie Miller, a previous winner, snagged ten grand by remotely taking control of Safari on a MacBook Pro. Miller is the one who was quoted a while ago saying that Chrome 4 without Flash on Windows 7 was the most secure computing environment out there today.
Also, IE8 on Windows 7 was successfully hacked on the first day of Pwn2Own, with researcher Peter Vreugdenhil getting past Windows 7’s Data Execution Prevention (DEP) and address space layout randomization (ASLR) to exploit IE8. An hour after that, a freelancer named Nils was able to use those same Windows vulnerabilities to hack Firefox 3.6.
Yesterday was the day for Windows 7, and today the competition will face Vista, with tomorrow highlighting XP. Will Chrome fall on a less secure system? We shall see. Here is the complete three-day schedule for Pwn2Own:
Day 1
The target pairings for day one are:
- Microsoft Internet Explorer 8 on Windows 7
- Mozilla Firefox 3 on Windows 7
- Google Chrome 4 on Windows 7
- Apple Safari 4 on MacOS X Snow Leopard
Day 2
- Microsoft Internet Explorer 7 on Windows Vista
- Mozilla Firefox 3 on Windows Vista
- Google Chrome 4 on Windows Vista
- Apple Safari 4 on MacOS X Snow Leopard
Day 3
- Microsoft Internet Explorer 7 on Windows XP
- Mozilla Firefox 3 on Windows XP
- Google Chrome 4 on Windows XP
- Apple Safari 4 on MacOS X Snow Leopard
Most top prizes are in the $10,000 range, and the hardware that is hacked is awarded as well. There is also a focus on these mobile platforms (as we said, the iPhone has already been hacked):
- Apple iPhone 3GS
- RIM Blackberry Bold 9700
- Nokia E72 device running Symbian
- HTC Nexus One running Android
We’ll keep you posted, especially on the Google-related products.
First $1,337 Prize Given Out by Chromium Team
Posted on 19. Mar, 2010 by Daniel Cawrey.
As mentioned previously, the Chromium team is giving out cash awards to researchers who are able to find vulnerabilities in the browser’s software. While most awards given out are in the $500 range, there is another tier for those who are able to find a very serious flaw. Finally, someone has won the top award, getting $1,337 from Google for finding what must be a serious exploit. Although we cannot see what the flaw is because not all browsers have been updated, I’m sure Sergey Glazunov, who won the award, is happy to be receiving some recognition, since most of the time these folks don’t get the appreciation that they deserve.
This is coming at a good time, and there is no doubt that the recent rash of updates to Chrome’s stable build has to do with the upcoming Pwn2Own contest, which pits hackers against browsers and operating systems to see who can compromise a system the fastest. Charlie Miller, one of the past winners, has gone on record to say that he thinks Google Chrome is one of the most secure browsers and that Windows 7 is the most secure operating system.
Although it appears that smartphone operating systems will be a big focus of this year’s Pwn2Own, it will still be interesting to see which browsers are the most secure. Computerworld is predicting that Chrome will last the longest, which is a promising sign and shows how much effort has been put into a browser that has only been around since 2008.
Charlie Miller: Most Secure Browser is Chrome, IE8
Posted on 04. Mar, 2010 by Daniel Cawrey.
Best known as the hacker who consistently delivers results in the Pwn2Own contest, which awards contestants for successfully exploiting OS vulnerabilities, Charlie Miller gave an interview recently and shared his thoughts about the most secure computing platform for users. While he was unable to comment on Chrome OS (he said he didn’t have enough info yet), his thoughts on the best browser and OS were of interest.
“Chrome or IE8 on Windows 7 with no Flash installed. There probably isn’t enough difference between the browsers to get worked up about”, Miller told oneitsecurity. And while we agree with his point, it stands out that he would find that IE8 is comparable to Chrome in any way other than security. Chrome offers a better UI, is faster and has far better web compliance scores.
He discussed the potential of hacking Linux, saying that it would be relatively easy to pull off. But the low adoption rate of Linux has inhibited any motivation for researchers to try to point out flaws that are inherent to the system. Chrome OS is based on a flavor of Linux, so it will be interesting to see how it evolves from the perspective of security.
Miller is clearly not impressed by Flash, and that’s no surprise. With Pwn2Own’s 2010 contest coming up, the focus this year is going to be on exploiting mobile phones. That would probably be made easier if some of these platforms like the iPhone actually had Flash, so expect Android to be a big target with a lot of entrants trying to win the big prize by hacking that platform. The total prize allocation for the contest is set at $100,000.





