Every year, a group of hackers meet up in Vancouver to pit their skills against the leading browsers in an event called ‘Pwn2Own’. The concept is straightforward – hack a browser, and you win whatever hardware it was running on.
Generally, every year is the same – Internet Explorer and Safari fail the security test, and this year was no different. Apple’s Safari fell first, in a rather embarrassing exploit, which took just 5 seconds to achieve. A victim running a fully patched version of OSX and Safari visited a specially designed website with malware, and the hackers were able to launch the Calculator program, proving to the judges that they could execute code on the compromised system. This means they had broken free of the browser ‘sandbox’ – a security feature to ensure that dubious people can’t get outside the browser code.
A French team called VUPEN walked away with $15,000 prize money and the hardware they hacked, which was a 13-inch MacBook Air. Apple will be feeling rather sheepish this morning as they just launched a large patch to fix 40 security holes, but clearly not this one.
Microsoft’s Internet Explorer was next to fall, thanks to researcher Stephen Fewer. In a rather unusual move, Microsoft didn’t even try to be competitive this year, failing to even patch the browser prior to the high-profile conference. They may take some comfort that Apple’s browser fell first.
Chrome is still standing high as the ‘unhackable’ browser, because the hacker who was due to test the security of the browser didn’t even turn up, possibly because a huge security update by Google earlier this week had spoilt his fun. Google were even offering an additional cash incentive to anyone who could exploit their code, but they won’t be having to hand it over, yet again.
Pwn2Own hasn’t finished yet. The next browser to get attacked is Firefox, which happens later today. Android, iOS and Windows Phone 7 are also on the list of software to attack.
KitGuru says: Google’s Chrome is one tough browser.