48 comments

[ 3.7 ms ] story [ 91.6 ms ] thread
What happened to Firefox?
Bit sad.

http://www.eweek.com/security/pwn2own-hacking-contest-return...

mentions:

"We wanted to focus on the browsers that have made serious security improvements in the last year," Gorenc said.

So, politics.
As Firefox is my primary browser, I'd be happier if it was part of this competition. But it's fair for the organizers to not want to part with their prize money for a browser that hasn't been hardened much since the previous contest.
for a browser that hasn't been hardened much

This claim is oft repeated, but the only reasons people seem to say it is that multiprocess + sandbox is not in release Firefox (it's in Nightly/Aurora/Beta).

That doesn't necessarily make it true. There's been some blogs since about how the JS <-> C++ sandbox has actually been significantly strengthened, but people just ignore truths that don't fit their preconceptions.

IE/Edge and Chrome also have sandboxes, and they still get cracked every Pwn2Own.

If it isn't in released, it isn't in the majority of people's computers.

Normal people don't install development versions.

A sandbox isn't full proof, but it is way better than not having anything.

No, Firefox is not even a challenge enough to be listed.
Easy money if it were true, as there's both official bug bounty programs and a black market. Unfortunately for you, it isn't.
How much is a Firefox exploit worth, in any market, compared to a Chrome exploit? My understanding is: significantly less.
The difference in the size of the userbase is a confounding factor, though, no?
It is, but that doesn't matter for this specific argument.
Yeah, they lost funding etc.
Don't worry, Firefox is becoming the most secure browser since less people are using it everyday.
How many more Pwn2Owns will we need to have until all the security vulnerabilities in browsers are gone?
Until they get rewritten in memory safe systems programming languages.
Won't eliminate all security vulnerabilities, or even all security vulnerabilities of this class. But it should make them a lot harder to find :)
Yep, removing memory corruption from possible exploits is already an improvement.

Removing logic errors might be possible with formal methods, but even those can contain false premises.

It will never end until browsers evolve and code is changed. Each new version can introduce new issues.
I think you mean "It will never end as long as browsers evolve and code is changed."
(comment deleted)
Summary -

    Microsoft Windows: 6
    Apple OS X: 5
    Adobe Flash: 4
    Apple Safari: 3
    Microsoft Edge: 2
    Google Chrome: 1 (duplicate of an independently reported vulnerability)
Chrome is looking better each passing pwn2own. Even with the bloat and not having all the add-ins I like on FF (Self Destructing Cookies(there's Vanilla Cookie Manager it mostly works but not quite as it doesn't have access to local storage, and given how bad Chrome Download manager is - DownthemAll) it looks like it still is a good idea to compromise a bit of privacy and convenience for the sake of security.
> a good idea to compromise a bit of privacy and convenience for the sake of security

Wouldn't using Chromium instead of Chrome get around most of the privacy issues?

Some but not all - I was referring to tracking cookies and the likes. SDC on FF allows auto deleting cookies and local storage that you don't need and that takes care of the tracking. Given how much I have already invested in Google ecosystem (Android, GMail, Photos, Hangouts etc.) I am not that much concerned about privacy from Google.
Unfortunately, Chrome's security is hobbled by being forced to sync to Google or risk data loss. At least on Windows. Your profile is locked to a given PC. If your Chrome settings change at all (partially corrupt file, third party app modifying them, etc), Chrome will unceremoniously reset your settings as well as wipe out all your extensions and all your extension data. If you sync to Google, this will then all be restored. If you don't sync to Google, your data is just gone.

This also happens if you try to transfer your Chrome data from one PC to another, say when you buy a new laptop.

At least all the above happened the last time I checked it out, which is why we started recommending Firefox Portable over Chrome Portable for portable use or use on your synced could folder.

This is apparently by design to prevent third party apps from modifying your homepage, default search engine, or adding advertising to your web pages via extension.

Chrome is great, but only if you log in to your Google account and sync everything back to Google.

5 Teams, 4 from China, 3 from Tencent (China), 1 from Korea. All Asian?
To me the big surprise was osX doing worse than flash. Ouch.
You're surprised a plugin has 1 less vulnerability than an entire operating system?
Yes, when that plugin is Flash.

Actually I understand what you are saying. Showing the list that way is kind of unfair.

11 attempts were made in total this year by five teams:

      Tencent Security Team Sniper (KeenLab and PC Manager): 3/3

      360Vulcan Team: 1.5/2

      JungHoon Lee (lokihardt): 2/3

      Tencent Security Team Shield (PC Manager and KeenLab): 1/2

      Tencent Xuanwu Lab: 0/1
Impressive.
Why is Tencent so dominant in this competition compared to all the others potential companies?
Because they are willing to burn 0day to gain credibility. The top team got $140k for what was easily $900k+ worth of exploits.
And I for one commend them on doing the contest and disclosing the exploits in a responsible manner. Rather than peddling them on the black market.
Serious question: how do you pronounce 'pwn'? Is it 'pone'? 'poon'? 'pwin'? 'pown'? Something else?
It's whatever you want it to be
Rhymes with scone
Only in America
Rhymes with 'own' -- which is why it's "pwn to own."

It was originally a misspelling of 'own' I think.

KnowYourMeme [1] is surpisingly high quality and informative sometimes. "pwn" apparently has origins going as far back as the 60s, but I had to guess it's mostly popular these days due to the brief leetspeak phase of the early 90s, where it was a more pointed, edgier way to write "owned".

[1] http://knowyourmeme.com/memes/owned-pwned

It's pronounced "own" like "I am going to own you!" Or "you lost that 1 on 1 rocket arena match 10-0, he owned you." It's a corruption /slang evolution of own. p being next to o on qwerty keyboards.

Probably accidental at first and then subsequently used mockingly to engender cavalier sloppyness as if the recipient was not worthy of the respect or fleeting seconds required to fix simple mistakes before sending the message. This etomology is now lost on most users of "pwn". People who were not around before "pwn" was ever used pronounce it differently. Generally "poned"

It's hilarious but worth noting that you only see China and Korea is likely due to Wassenaar Arrangement which disallows citizens from the participating countries to disclose exploits in foreign land. (Yes, Korea is also in the list so I'm not sure why that Korean dude just came :P)
Why is firefox not in the list?
They lost a lot of funding and VM escapes are a bit hotter than browser exploits.

Also, Firefox installs generally still come with Flash which is easier to exploit than the browser itself, and reaches a broader audience.

Officially, they claimed its because "Firefox security has not advanced in the last year" but that is just utter BS.

"Utter BS" is a pretty categorical statement. In what ways has Firefox security advanced in the last year?
Firefox does not come with Flash preinstalled.