Hacker News
Pwn2Own owned all major browsers (hp.com)
111 points by zobzu on March 7, 2013 | hide | past | favorite | 63 comments



"All"? Not Safari yet (knock on wood). Which is a big change from back in the day when it was usually pwned first in this contest. Or are you saying it's not a major browser?


At 25% of mobile, I agree it is a worthwhile endeavor to find exploits for safari.

I was about to make fun of you for suggesting safari has significant usage until I considered mobile.


Safari's desktop share is somewhere between 5.5% and 15.5% depending on whose stats you trust:

http://en.wikipedia.org/wiki/Usage_share_of_web_browsers#Sta...

Is it crazy to consider that significant?


I personally consider it not major but significant, not just due to market share but also because it's the default browser (and shares its inner components with applications leveraging WebView) on a certain platform. Therefore it's a prime target for establishing a foothold on that platform.


Mobile Safari was not in the list offered as targets, if I read that right.


Safari actually has 60% of mobile web usage.

Source: http://tech.fortune.cnn.com/2013/02/01/apple-android-market-...


It looks like George Hotz [1] is attending! Judging by his work with the PlayStation 3, I expect him to do pretty well at cracking Adobe Reader.

[1] http://en.wikipedia.org/wiki/George_Hotz


Interesting how Java was pwned three times in spite of the lowest reward.


Everyone is sitting on a java 0day now. They have lost a lot of value in the market since there is literally as much supply as demand. I keep reading CVEs waiting for the one I have to be discovered by someone.


I have a friend who tells me that good (Windows) zero days, with remote execution, are worth about $50K on the market that transacts these things, with a contract to increase that value if there is no open disclosure. I.e. if your zero day remains a zero day for another six months, there is an opportunity to see further reward.

I've always wondered if it's intelligence agencies, criminal organizations, police organizations, or commercial endeavors that sell services to those three bodies that are paying that kind of money for zero days.

I also don't understand why people give good zero days away for free, if it is really the case that there is a market in these types of properties. Anybody have actual insight into this?


Maybe because they don't want people's computers to be abused by people with lots of cash to spare? One can only assume they're getting more than $50k worth of value from the zero day, so something pretty dodgy must be going on.


>I've always wondered if it's intelligence agencies, criminal organizations, police organizations, or commercial endeavors that sell services to those three bodies that are paying that kind of money for zero days.

According to this article: 3rd party middlemen, small security firms and large defense contractors are the ones paying for 0-days. There's also a nice price list for Chrome, iOS, etc.

http://www.forbes.com/sites/andygreenberg/2012/03/23/shoppin...


$50k sounds like a lot, but if you can weather the current storm of every firm and researcher digging into Java and finding all the low hanging fruit, it could be worth $300k+ when nobody else has an undisclosed Java vulnerability.

Usually the way it works is 6 monthly payments, so you get a wire for $8,500 every month that it is not disclosed.


people have ethics.


They also have to eat.


You're assuming that they have to make their living 'hacking'. If instead they have an oil well in the back yard providing a steady paycheck (I live in Texas, and know people just like this), they have plenty time for non-profit endeavors.


"I also don't understand why people give good zero days away for free..."

Quite some hackers are a really special (in a good way) kind of people who are in it only for the intellectual challenge.

Now food for thought:

Rudyard Kipling once warned students against an over-concern for money, position or glory, he said: “Some day you will meet a man who cares for none of these things. Then you will know how poor you are..."


Why sit on it? Why not disclose it and have it be your name on that CVE, and not someone else?


a cve is not worth that much. (nothing?)


Maybe not as cash. But on a resume?


I get the impression that dsl is a pretty successful person IRL already.


All the more reason to disclose the 0day.

If not for money or recognition, just plain simply for the users.


We've seen Java bugs in the news lately for use in co-ordinated attacks against large companies.

A nameless firm (not the one I'm working with now) that happens to be one of Europe's largest banks has insanely locked down versions of Windows, everything disabled, some custom thing that has hooked NT kernel functions to check which image is being loaded to be executed.

And then it has Java. A very old, un-patched version running a vendor risk system (yes, it is that French one you're thinking of).

This means that despite the frankly annoying paranoid security there, you can pwn any of the machines easily. As we see more targeted attacking, remember that Java is heavily used by a lot of rich, often inept due to size, firms.


IIRC, the instances in the news were attacks on the Java applet, not necessarily the runtime. Even if it was against the runtime, without the applet, it would have to be a trojan.


The federal government agency I deal with has similarly locked down computers but, as you say, Java, old versions of browsers, and many unsigned applets.


Do these "insanely locked down" Windows have a browser and does that browser enable Java applets?

The 0-days affecting Java lately have all been using Java applets and drive-by exploits. I'm not saying it's not pathetic and lame for Java's security track record, but it's not as if your company was vulnerable to remote exploits either, in the case Java applets are not allowed in browsers.

I'm running Java webapp servers and I've been really pissed off that I needed to patch against remote Denial of Service exploits (the hashmap / URL query parameters degenerating to O(n) instead of O(1) SNAFU and the "endless loop" while parsing a certain floating-point number) in late 2011 / early 2012 IIRC, but basically that's it.

The JVM is still incredibly secure on the server side (and can be installed on Unix systems in a user account, without needing to be root -- meaning that you can then lock down like mad that user account and have an even more secure setup).

Now, to be honest, if your company was truly paranoid they wouldn't be using old versions of Windows with in-house brittle hacks supposedly bringing "more security".

I know that all too well (at Dexxia for example): some people somewhere decide on a shitty technology (Dexxia was at one point using shitty Java applets to allow clients to do online banking) and then say "We're going to have the most secure system ever".

So these guys *think* they're paranoid but they're using: a) Windows and b) Java applets.

And at this point you have to wonder if you should laugh or cry at their definition of "paranoid".

People really paranoid about security ain't letting Windows in (unless they like NSA backdoors and consider patch-tuesday to be a reliable way to execute) and ain't letting Java applets in.
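The "hashmap / URL query parameters degenerating to O(n)" issue raised a few comments up is the classic hash-flooding denial of service: when a request parser stores parameters in a chained hash table with a predictable string hash, a client that sends thousands of colliding parameter names forces every insert to walk one long chain, and a single request costs quadratic time. The block below is an added example, not code from any commenter nor from the Java runtime or any servlet container. It shows the failure mode with a deliberately weak additive hash, then the two standard mitigations: a keyed (per-process randomized) hash, and a cap on parameter count and query size. The function names, the anagram key set and the limits (1000 parameters, 8192 bytes) are constructed for the demo and are assumptions, not values taken from any product.

```python
"""Hash-flooding DoS demonstration with the two standard mitigations."""
import hashlib
import itertools
import os
from urllib.parse import unquote_plus


def additive_hash(key: str) -> int:
    """Deliberately weak hash: the sum of character codes. Any two anagrams
    collide, which is the predictable structure hash-flooding exploits."""
    return sum(ord(c) for c in key)


# Mitigation 1: a fresh random secret per process, so a remote client cannot
# predict which keys collide. (Constructed for this example.)
_SEED = os.urandom(16)


def keyed_hash(key: str) -> int:
    """Keyed hash (BLAKE2b with a per-process secret) standing in for the
    randomized string hashing that runtimes adopted after the 2011 advisory."""
    digest = hashlib.blake2b(key.encode(), key=_SEED, digest_size=8).digest()
    return int.from_bytes(digest, "big")


def chained_insert_cost(keys, hash_fn, buckets: int = 4096) -> int:
    """Insert keys into a chained hash table and return the number of key
    comparisons performed. If every key lands in one bucket this is n(n-1)/2."""
    table = [[] for _ in range(buckets)]
    comparisons = 0
    for k in keys:
        chain = table[hash_fn(k) % buckets]
        for existing in chain:
            comparisons += 1
            if existing == k:
                break
        else:
            chain.append(k)
    return comparisons


def colliding_keys(n: int):
    """Constructed input: n distinct anagrams, all equal under additive_hash."""
    perms = itertools.permutations("abcdefgh")
    return ["".join(p) for p in itertools.islice(perms, n)]


class QueryTooLarge(ValueError):
    """Raised when a query string exceeds the configured limits."""


def parse_query(qs: str, max_params: int = 1000, max_bytes: int = 8192) -> dict:
    """Mitigation 2: parse a URL query string under a parameter-count and
    size cap, so the work a single request can force is bounded even if the
    underlying hash were weak. Repeated names collect into a list."""
    if len(qs.encode()) > max_bytes:
        raise QueryTooLarge(f"query exceeds {max_bytes} bytes")
    params: dict = {}
    seen = 0
    for pair in qs.split("&"):
        if not pair:
            continue
        seen += 1
        if seen > max_params:
            raise QueryTooLarge(f"more than {max_params} parameters")
        name, _, value = pair.partition("=")
        params.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return params


if __name__ == "__main__":
    keys = colliding_keys(64)
    print("weak hash comparisons :", chained_insert_cost(keys, additive_hash))
    print("keyed hash comparisons:", chained_insert_cost(keys, keyed_hash))
    flood = "&".join(f"{k}=1" for k in colliding_keys(2000))
    try:
        parse_query(flood)
    except QueryTooLarge as exc:
        print("rejected:", exc)
```

Running it shows 2016 comparisons (64 keys all in one chain) for the additive hash against a handful at most for the keyed hash on the same input, and the 2000-parameter flood is rejected before a single table insert. The two mitigations are complementary: randomization removes the attacker's ability to precompute collisions, while the cap bounds worst-case work regardless of the hash.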


Guess how they distribute the Java application.

However, I really don't want to go too far into a former client's site details, just to say it was a laughably big gaping hole, that is really quite common in a lot of large enterprises. It was also completely separate from my domain there.


Are any vendors offering no-questions-asked X$/0day rewards all year long instead of dedicated events? Seems like it would be a decent move. If the going rate is really in the 50k ballpark, why can't, say, Google offer 10-20k per Chrome exploit?

Their engineers don't make peanuts and the attacks on the software happen regardless. After a year or two you'd probably have a pretty secure system for a reasonable cost.

I don't think there's much negative press involved either if you spin it a la "we have the best security experts in the world attack our software and fix it asap".

Plus, you might pull off a decent talent grab or two as long as you understand how the people would like to work (probably not from a Google office).


Google's bug bounty is $3,133.70 (elite). The black market can pay $80k-200k+[1]. Why doesn't Google pay more? Well, like you said, "attacks on the software happen regardless". Their objective is to maximize shareholder value. People adopt browsers for other reasons besides maximum security. You hear about critical vulnerabilities all the time, to the point where you get desensitized to it. I don't think there's been a bug out there that caused people to dump a browser en masse.

[1] - http://www.forbes.com/sites/andygreenberg/2012/03/23/shoppin...


The bug bounty is for a security bug with no exploit. That makes it a lot less work for the security researcher. See the release notes on the Google Chrome blog for details of bounties paid.

Google also sponsors Pwn2Own and Pwnium with bigger prizes for bugs with working exploits.


> Are any vendors offering no questions asked X$/0day rewards > all year long

Both Mozilla and Google do, but those rewards are in the $3k range.


A few silly questions: 1) I got the feeling from this discussion and some other sources that there are a couple of known Windows kernel vulnerabilities that are making these exploitations easier. What about Microsoft? Do they not care, or are they fixing those bugs?

2) How secure is, let's say, Firefox + Ubuntu/Fedora, latest updates, default settings? I haven't seen that many exploits for Linux in general. Is it because no one cares about Linux, or because it is harder and thus more valuable than Windows exploits, so no one shares Linux ones?


I don't really understand the competition. Do people come to these with just the intention of finding exploits, or do they come with the exploit ready, waiting to collect a reward?


Invariably all the researchers / organisations competing have developed their exploits well ahead of the event. The exploits are now pretty involved.

I've linked to a blog post from the Chrome developers that details the exploit that won late 2011 [1]. 'Pinkie Pie', the pseudonym of the person who won it, is pretty infamous in those circles.

[1] http://blog.chromium.org/2012/05/tale-of-two-pwnies-part-1.h...


AFAIK most have exploits ready before the event, and demonstrate them publicly (for the first time) at the event.

In general, skilled crackers/reverse engineers/security experts will look for new bugs -- and when found, can either a) Tell the vendor, b) Tell the world, c) Sell the exploit to the highest bidder, or d) Use the exploit for nefarious purposes themselves.

In general some combination of a) and b) or c) is the most common -- these events are a way to compensate people to do a) and b) -- and provide some incentive to avoid c) (and d)).


They have the exploits ready to go, the challenge is whether they can exploit the target system (which is fully patched) within their time slot.

It's a useful exercise, I think, in that it demonstrates that even the most hardened of codebases still has security bugs, and it also serves as a cautionary tale for people who think they don't need multiple layers of defence.


Most teams have something which will work though, so the "winner" often depends on what order the contestants get drawn in.


"...it demonstrates that even the most hardened of codebases still has security bugs"

Browsers the most hardened codebase? I nearly spilled my coffee ; )

Every single browser out there (including Chrome) was designed with security as an afterthought.

As for me, I browse the Web from Linux, using a throwaway user account which doesn't have Java installed. And that user account is itself "hardened" (e.g. no login shell, specific per-user-id firewalling rules, etc.). At this point, seeing the state of insecurity the Web is in, I'll probably go back to the VM route (a browser in a locked down separate user account, but itself running inside a KVM VM).

My definition of a hardened codebase would be something like OpenBSD or OpenSSH or seL4 (in seL4 the code has been verified (using formal provers) to be free of buffer overruns/overflows and whatnot).

What I don't like about your comment is that you consider the current situation to be "acceptable". You apparently do really believe current browsers are "hardened", and the fact that there are people thinking like you is precisely part of the problem.

We can do much better than that.

For a start I'd love to read a rant from Theo de Raadt about what should be done to conceive more secure web browsers.


If you trust Linux or Theo for security, you're going to have a bad time.


Whoa! What's with the HP site permalink/URI/URL formatting?

http://h30499.www3.hp.com/



Thanks for the link. This is crazy. SquareWheel was right. This is an absolutely brain-dead way of doing this, by a very incompetent IT admin.


And yet, that it persists brings to mind all the problems faced by large organizations: an inability to change processes, execute quickly on decisions, disconnect between customers and company operations. Which is why startups can disrupt them. Pretty much everything HP produces seems mediocre and of substandard quality, including their printers, ink, devices, and services such as their OpenStack cloud offering.


Which is only now improving with Meg Whitman.


You know, I've actually seen a pretty useful writeup on why HP urls are so crazy. I wish I knew where to find it, but there was some allegedly logical reason. I think it had to do with the site knowing which server to talk to? I wish I could remember more.


If this is the reason, that's a horrible way to do it. Would love to know what's their thinking behind this.


What's wrong with that? Seems perfectly fine to me.


If I didn't know my computer stuff, I would say it's a virus website.

What's that h30499? www3?

Why not communities.hp.com? (this actually redirects to h30507.www3.hp.com). h30500 asks for httpauth.

It's just ugly, is it not?


> If I didn't know my computer stuff, I would say it's a virus website.

If you didn't know your computer stuff you wouldn't have ever noticed the URL.


If you're trying to auth, and you get one subdomain vs. another, it's a pain in the ass for all users. That's why other big properties have unified to one domain and subroutes (e.g.: google.com -- no more reader.google.com, but www.google.com/reader).


I could be a basic user that knows how to avoid clicking strange links to avoid email viruses.

I could know enough to notice the URL, but not enough to know that the domain hp.com is what really counts.


Where's Safari?


Directly below "Mozilla Firefox on Windows 7 ($60,000)"


Safari is a target in the event, but has not been pwned yet:

    Wednesday:
    1:30 - Java (James Forshaw) PWNED
    2:30 - Java (Joshua Drake) PWNED
    3:30 - IE 10 (VUPEN Security) PWNED
    4:30 - Chrome (Nils & Jon) PWNED
    5:30 - Firefox (VUPEN Security) PWNED
    5:31 - Java (VUPEN Security) PWNED
    
    Thursday:
    12pm - Flash (VUPEN Security)
    1pm - Adobe Reader (George Hotz)
    2pm - IE 10 (Pham Toan)

Interestingly enough, last year it was the only target not 0-day pwned (but was in the CVE contest, via CVE-2011-0115 and CVE-2010-0050).


Poor VUPEN. Their Safari exploit must have broken.


Or they aren't about to kill the same bug in MobileSafari, since it is worth exponentially more.

https://twitter.com/i0n1c/status/309585202810867712


WebKit code execution against Chrome is also likely to work (in modified form, but same basic exploit) against desktop or mobile Safari. Desktop Safari sandbox escape is likely to be completely different from MobileSafari sandbox escape. And in all three cases, the sandbox escape is the harder part.

So that logic does not explain to me why people are going after Chrome but not Safari.

I honestly don't know why it is. In particular, I don't have specific reason to believe Mac Safari's sandbox is more bulletproof than Windows Chrome's, but I guess Safari has the advantage of not being exposed to Windows kernel bugs.


Yeah, the WebKit exploit will work effectively unmodified on Safari. And the sandbox escape used against Chrome on Windows was a kernel bug in surface that can't be turned off from user-space (or really at all on Win7). Also, they softened the target quite a bit by using 32-bit Win7 for the contest, rather than 64-bit Win8 (or even 64-bit Win7).

As for why no one's targeting Safari, I think it's simple market forces at play. The iOS exploit market is established and pays very well, while the core vulnerabilities, expertise, and techniques are all shared with Safari on Mac OSX. And since Safari isn't a soft target (in no small part due to Abhishek's mass slaughter of WebKit security bugs and our bounty program), $65k just doesn't compete with the real-world exploit market.


Getting sandbox escapes from Mac Safari and iOS Safari requires completely different exploits. The code execution stage of a complete exploit could be shared, but it could also be shared with Chrome. So you'd think the same argument of iOS Safari exploit market value would apply either way.

My theory is that not much research has been done yet on breaking the WebProcess sandbox. Which makes me sad.


>Getting sandbox escapes from Mac Safari and iOS Safari requires completely different exploits.

You're focusing too narrowly on the sandbox itself. You have to consider the whole stack, and all of the surface exposed from within the sandbox. Consider the Chrome sandbox escape from yesterday, which didn't use anything specific to Chrome. It targeted part of the Windows stack that's guaranteed to be exposed to every process on the system.


Considering Chrome had a last-minute patch applied: http://nakedsecurity.sophos.com/2013/03/06/last-minute-pre-p...

It's good to know it still got taken down, because I had a horrible fear they were going to try and advertise they were 100% safe because they weren't exploited.


There's no last minute patch. We push security and stability updates every 2-3 weeks. Just go look at our release history to verify. As for your other claim, it's so absurdly off base that it doesn't warrant an explicit response.


Which is fair enough, I'm in no way going to suggest having a reactive security update schedule is a bad thing.

However, the time of the conference could easily give a vendor that had a compatible release cycle a slight edge.

When I read that story (before hearing the results) I was filled with a kind of dread. I am less than impressed about the claims for Chrome OS; in the UK, where it's advertised, it strikes me as Apple during the bad days, who simply advocated bad practice with regards to security (you've bought us, don't worry) type thing.

If you feel that is at all unfair to you, I am sorry, but Google Chrome has been an aggressively marketed product in London and I have general contempt for most of the ads (but then I'm not the target market).

I also think it's really important to remind people just how unsafe browsers are (all of them) and how people need to be increasingly aware of the impact of such security.

Side Note: If you're one of the team, thanks, yours has been my favourite browser for years now :)

