Cellphones Operating Systems Security Software

All Five Smartphones Survive Pwn2Own Contest

CWmike writes "Although three of the four browsers that were targets in the PWN2OWN hacking contest quickly fell to a pair of researchers, none of the smartphones were successfully exploited. TippingPoint had offered $10,000 for each exploit on any of the phones, which included the iPhone and the BlackBerry, as well as phones running the Windows Mobile, Symbian and Android operating systems. 'With the mobile devices so limited on memory and processing power, a lot of [researchers'] main exploit techniques are not able to work,' said TippingPoint's Terri Forslof. 'Take, for example, [Charlie] Miller's Safari exploit,' referring to Miller's 10-second hack of a MacBook via an unpatched Safari vulnerability that he'd known about for more than a year. 'People wondered why wouldn't it work on the iPhone, why didn't he go for the $10,000?' she said. 'The vulnerability is absolutely there, but it's a lot tougher to exploit on the iPhone.'" Chrome was the only browser at the contest that was not successfully exploited. We previously discussed day one of the contest, and a summary of day two is available as well.
This discussion has been archived. No new comments can be posted.

  • All 5, eh? (Score:3, Insightful)

    by jav1231 ( 539129 ) on Wednesday March 25, 2009 @09:50AM (#27328877)
    They name the iPhone and Blackberry and 3 OS's. Poorly worded much?
  • by pxlmusic ( 1147117 ) <pxlent@gmail.com> on Wednesday March 25, 2009 @10:14AM (#27329211) Homepage

    as someone who recently gave Opera another go, i can see why.

    it would appear that i've been missing out

  • by worip ( 1463581 ) on Wednesday March 25, 2009 @10:36AM (#27329459)
    Chrome is also one of the newest browsers in the market. The longer a browser is out there, the longer the time someone can develop a hack for it. I bet for the next contest, presuming that Chrome will still be around, there will be a few Chrome hacks to go around.
  • Re:Hmm (Score:3, Insightful)

    by Yamamato ( 1513927 ) on Wednesday March 25, 2009 @11:30AM (#27330169)
    No, he's just not an idiot. BTW Apple pays people to report verifiable bugs to them. Does that make all those people black hats too? You never actually mentioned why he should do free work for Apple when they pay others to do the same thing.

    You talked earlier about the value of vulnerabilities. Was it a surprise that he (Nils) basically gave up three "high-value" bugs for $5,000 each?

    It's clear he's incredibly talented. I was shocked when I saw someone sign up to go after IE 8. You can get paid a lot more than $5,000 for one of those bugs. I've talked to a lot of smart, knowledgeable people and no one knows exactly how he did it. He could easily get $50,000 for that vulnerability. I'd say $50,000 is a low-end price point.

    For the amount of time he spent to do what he did on IE and Firefox, he could have found and exploited five or 10 Safari bugs. With the way they're paying $5,000 for every verifiable bug, he could have spent that same time and resources and make $25,000 or $30,000 easily just by going after Safari on Mac.

  • by Actually, I do RTFA ( 1058596 ) on Wednesday March 25, 2009 @11:48AM (#27330387)

    Chrome was the only browser in the contest that was not successfully exploited... why didn't they include Opera

    For the same reason high school sports teams don't play NFL teams; it just would be disheartening to the players.

    My guess is that Opera never really got the attention because it never had a big company pushing it (MS, Apple, Google, and Firefox had the whole Mozilla/FOSS thing).

  • by Kamokazi ( 1080091 ) on Wednesday March 25, 2009 @12:44PM (#27331319)

    I switched to Opera when FF was in version 2, because Opera was considerably faster in most cases. Now that FF is up to speed with Opera, I'm still with it because I'm more familiar with it...and it feels more 'complete' out of the box to me...no need for extensions. For someone who uses it regularly on four different machines (and irregularly on several more), that's important.

    Sure, it's not open source, but I'm concerned about free beer more than free speech (not to say that it's unimportant, I just have my priorities...as far as my browser is concerned, open vs closed is not nearly as important as it is with OS or production software).

    But Firefox has changed the browser 'market' more than any other I think, and in a very good way. They were striving to make a good free browser when no one else seemed to care about the web browser as much, as long as it worked. Opera was the only one really trying, and to compete they dropped the ads and became completely free. MS actually tried with IE7 (still failed), and...I know I will catch crap for this...have actually done a pretty damn good job with IE8. Chrome came out, obviously, and Apple has shown more interest in improving Safari.

    So while Opera is my browser of choice, I know I owe a lot to FF for setting the bar higher.

  • by Anonymous Coward on Wednesday March 25, 2009 @01:05PM (#27331671)

    Which raises the question, why is Safari less secure than Chrome?

    It might not be, it might just have been how the contest was set up.

    On day 1, the targets were IE, Firefox, and Safari. All three browsers got compromised, some more than once.

    On day 2, the targets were Chrome and the mobile phones, although contestants were allowed to attack the other 3 browsers again, provided they did not use the same bug to do so. None of the browsers had a successful (new) attack against them, and none of the phones did either (although only 2 attempts were made against the total of 5 phones I believe, one against the Blackberry Bold and one against a Symbian phone).

    Chrome very well might be just as vulnerable as Safari is, but since they were attacking Chrome on day 2, they couldn't use the exploits that worked against Safari on the previous day.

    If they had Chrome on day 1 and Safari on day 2, we might be reading that Safari was the only browser that was not compromised. I'm not sure why they structured the contest that way, but I'm thinking that's the primary reason that Chrome was not exploited.

  • by snowwrestler ( 896305 ) on Wednesday March 25, 2009 @03:49PM (#27334235)

    The static point is that if you find an exploit, you are under no obligation to inform the vendor. You are not evil if you do not inform the vendor.

    I couldn't disagree more. If I walk by a house and see that the door is standing wide open, and then I see the owner on the street a couple minutes later, the ethics are clear. I should tell the guy he left his door open. I'm under no legal obligation but I should because it is the right thing to do. If he gets robbed later I should feel bad because I could have helped prevent it.

    Well maybe you say, no, they're a business. Doesn't matter. If I'm in a jewelry store and see that a clerk forgot to put away a diamond ring, which is the more ethical choice of action: ignore it and walk away, or remind the clerk to put it away?

    It is NOT ethical to go through life just ignoring what you perceive. Copping out is a choice too. Didn't you see Spiderman??

    It's particularly bad if you go around LOOKING for open doors or unlocked jewelry cabinets. You want to try to convince me that it's ok to spend a lot of time and effort looking for flaws, then just walk away when one is found? That seems like a ridiculous argument to me. Who goes through a bunch of effort and trouble to find a weakness, and then just blithely does nothing?

    Sorry, but I think you are a scumbag if you find an exploit in a popular OS or piece of software and do not report it to the vendor. Because if you found it, someone else will too and eventually it will get exploited. That will have a real impact on real people and you could have prevented it.

    If that doesn't seem fair, here's the way out--don't go looking for exploits unless you're contracted to do it. It's a very fair bargain--you don't waste your time and society doesn't hold you responsible for that choice. But please don't ask me to believe that it's ok to go hunting for exploits, but then it's somehow someone else's fault you don't get paid for the ones you find. That is what consulting contracts are for.

