Chrome survives first day of hacking contest; Safari and IE8 don’t

Yesterday afternoon, the Pwn2Own hacking contest kicked off at the CanSecWest 2011 conference in Vancouver, British Columbia. According to ComputerWorld, Apple’s freshly released Safari 5.0.4 and Microsoft’s Internet Explorer 8 browsers both proved easy meals, falling to the first teams who attempted to hack them.

Reportedly, folks from a French security firm called Vupen managed to break into a MacBook Air running the new version of Safari, winning both the laptop and a $15,000 prize. Meanwhile, Harmony Security founder Stephen Fewer was successful in exploiting IE8 by bypassing Microsoft’s "Protected Mode."

As ComputerWorld points out in a separate story, though, Google’s Chrome didn’t draw any hacking attempts. Pwn2Own organizer and HP security researcher Aaron Portnoy told the site, "The first contestant was a no-show . . . And the other team wanted to work on their BlackBerry vulnerability. So it doesn’t look like anyone will try Chrome."

Google had a $20,000 prize set aside for anyone who might manage to break through the browser’s defenses on the first day of Pwn2Own, but the cash didn’t leave Google’s coffers. $10,000 is still on offer if Chrome gets hacked today or tomorrow, the last day of the contest. ComputerWorld expects Chrome to survive the contest without getting exploited. If it does, that would be a record-breaking third time in a row.

Comments closed
    • jcw122
    • 9 years ago

    This would be cool except that Google collects data from your address bar of Chrome so it doesn’t matter whether you’re being hacked or not.

      • hapyman
      • 9 years ago

      That’s why you use Iron… basically Chrome with extra privacy. I actually use a mix of Firefox and Iron but if Firefox 4’s performance is as good as I’m hearing I’ll switch exclusively to that.

        • OneArmedScissor
        • 9 years ago

        Eh…correct me if I’m wrong, but isn’t Iron pretty much just Chromium, rebadged? They make a big to do about having “removed” tracking features, but they either just disabled things that are options in the preferences, or it wasn’t there to begin with in Chromium.

        And then Chromium is just Chrome, but without the integrated Flash, PDF viewer, auto-updating, and the one “privacy” difference being the opt-in to send usage info to Google.

        In other words, it’s pretty much Chrome without the things that set Chrome apart.

    • vikramsbox
    • 9 years ago

    I’ve nothing against Chrome. But the way the article declares that Chrome is better than IE or Safari just because no one attempted a hack on it is absurd.
    By this measure, IE6 must be invincible as no one ‘dared’ to even include it in a competition of the ‘vulnerables’.
    And I’m thinking that I better head to Windows 98 as hackers didn’t dare to include that on the menu as well.
    Please try and keep the articles also sound free from bias.

      • Anomymous Gerbil
      • 9 years ago

      I think you’re missing the point that the hackers go into the competition with a pre-prepared attack (or attacks). So if no-one tried to attack Chrome, it’s because no-one has been able to do so in the last xx months, or if they had, the vulnerability has already been fixed.

        • hapyman
        • 9 years ago

        Anon Gerbil, you’re right… and on top of that it’s because right before the competition begins every browser in the competition has a chance to update some known security holes. Safari and Chrome both chose to do so while IE did not. The Safari hack didn’t rely on any previously known hacks and the guy said it was pretty difficult. The group hacking Chrome is rumored to have been using one of the vulnerabilities that was patched.

        I am interested in seeing the results for the second day which includes: Firefox, iPhone, Blackberry, Android and some others.

    • BobbinThreadbare
    • 9 years ago

    I would have liked to see how Firefox would do in this competition.

    • albundy
    • 9 years ago

    i truly have no idea why anyone would want to run an Active X browser. you might as well email out your credit card number and the pin to everyone, cus if the keyloggers don’t get it….oh who am i kidding.

    • oldog
    • 9 years ago

    According to Wikipedia Chrome has had 15 “major versions” since 2008 based on 15 WebKit versions. By my math that would mean 5 new versions between each of these “contests”.

    As a some time skeet shooter I would state unequivocally that hitting a moving target is harder than hitting a stationary one.

    • no51
    • 9 years ago

    Opera wins again!!!

      • NeelyCam
      • 9 years ago

      That’s like saying “MacOS has no viruses”

        • sweatshopking
        • 9 years ago

        No, it isn’t. It’s like saying “nobody cares about opera!!!” I love it, however. They’ve got the #1 mobile browser, you’d think they’d have more on the desktop front…

          • BobbinThreadbare
          • 9 years ago

          Why? RIM used to have the #1 mobile OS, and they didn’t have anything on desktops.

    • ET3D
    • 9 years ago

    I understand that IE9 should arrive any day now, and I figure that’s why Microsoft made no attempt to patch IE8.

      • potatochobit
      • 9 years ago

      if you look at past microsoft products
      IE8 gonna be around awhile

      • Frith
      • 9 years ago

      So you’re saying that Microsoft is a company that abandons support for old software as soon as they release a new version?

      Microsoft are irresponsible, but they’re not so irresponsible as to drop support for a browser that’s still used by tens of millions of people. In Microsoft’s case it’s more total incompetence, which is arguably even worse.

        • ET3D
        • 9 years ago

        That’s not what I was saying. It was previously reported that Microsoft didn’t intend to patch IE8 before Pwn2Own even though it had some security patches for it. I figured that because IE9 is around the corner Microsoft didn’t feel like making an effort to make IE8 look better by pushing the updates earlier.

        Microsoft supports its old products (up to a point). It has pretty clear policies on that. However Microsoft also always touts the extra security of its new products, and I expect it will be the same with IE9. Microsoft would like as many people as possible to move to a new product, that’s only natural. Therefore it has no interest in making IE8 look particularly good. It will still patch it, it just has no reason to go above and beyond.

        Besides, does Google abandon updates to the old version of Chrome when a new one appears? If it does, would you call it irresponsible?

      • Helmore
      • 9 years ago

      Isn’t Microsoft still releasing security patches for IE6? If so, what makes you assume that Microsoft will stop supporting IE8?

    • TheBob!
    • 9 years ago

    Just have to say to all those that are saying Chrome is not secure because no one tried to hack it. Why the heck do you think no one is trying to hack it? Because no one has an attack set up against it. Or they’re going for the lower hanging fruit. If someone was there with an attack that would work I don’t think they would have just said meh not feeling it right now to the $20,000.

      • NeelyCam
      • 9 years ago

      Isn’t that the point? Since it’s not a low-hanging fruit, its users are naturally safer..?

    • indeego
    • 9 years ago

    IOS System level access (http://secunia.com/advisories/43698/). Man the updates are furious this week.

    • Dposcorp
    • 9 years ago

    Chrome pwn’d the pwners the last two years.

    Like it said above, “$10,000 is still on offer if Chrome gets hacked today or tomorrow, the last day of the contest. ComputerWorld expects Chrome to survive the contest without getting exploited. If it does, that would be a record-breaking third time in a row.”

    It is a weak and lame argument to try and downplay Chrome’s security because no one tried it for one day.

    It has a proven track record of being pretty good, just as Apple & MS have a proven track record of being weak.

    • bdwilcox
    • 9 years ago

    That has to be the most misleading headline… Compare:
    “Chrome survives first day of hacking contest; Safari and IE8 don’t”
    “As ComputerWorld points out in a separate story, though, Google’s Chrome didn’t draw any hacking attempts.” ??????????

      • dpaus
      • 9 years ago

      In a related story, I ‘survived’ the first day of the new season of Survivor by not being a contestant.

        • ludi
        • 9 years ago

        Survivor? That’s how *I* would prefer to survive it.

        The story isn’t entirely without merit, though. Google put $20k on the line and nobody showed to claim it. That at least suggests that it has fewer known vulnerabilities than the competitors.

          • vince
          • 9 years ago

          That, and we can assume no one attempted to hack it because they probably know it is much harder? Based on the previous years as well…

          Which prize are you going to go for? The bigger one you have little to no chance of getting, or the smaller one (that’s still a decent amount), that you have a good chance of getting?

        • hapyman
        • 9 years ago

        Chrome survived because the hacking group scheduled to hack it knew they couldn’t so they didn’t show up.

        So it’s more like: Winning a boxing match by default because your opponent withdrew because he knew he couldn’t beat you.

        (I was going to use the survivor scenario but it would sound silly if the island would give up)

      • donkeycrock
      • 9 years ago

      I think it is accurate. Google offered a reward, no team can do it, so nobody tried. Therefore it survived. Did you never take reasoning classes? LOL JK

        • LauRoman
        • 9 years ago

        Don’t I technically survive a plane crash, if I arrive at the airport late and miss the plane?

      • DancinJack
      • 9 years ago

      Are you just mad Opera didn’t get a chance?

      • Da_Boss
      • 9 years ago

      That’s not quite fair to the work that Chrome has done to ward off hackers.

      For the two previous years, people have been unable to hack Chrome, essentially walking away with nothing. If you had only 3 days to make some money, would you go for the hardest challenge in the competition, or the easy pickings (like Blackberry, according to the article)?

    • sweatshopking
    • 9 years ago

    OSX how secure ???

    “it took French security pro Chaouki Bekrar merely 5 seconds to hijack the unwitting MacBook at the CanSecWest Conference’s pwn2own contest in Vancouver, British Columbia.”

    5 seconds to hack. f apple. that’s a joke.

    Mr. Miller sums up OS X security the best, with his famous remark, “Mac OS X is like living in a farmhouse in the country with no locks, and Windows is living in a house with bars on the windows in the bad part of town.”

    as for chrome, nobody was there to try. I have a buddy who is the BC chess champion. You know why? cause he was the only one who showed up in his class. he has the trophy and everything. That doesn’t prove anything.

      • Corrado
      • 9 years ago

      I agree on the Chrome commentary. If you leave your doors unlocked and your windows down in your car, but no one bothers trying to take anything, that doesn’t mean it’s secure.

      • Da_Boss
      • 9 years ago

      Just to be clear: The OS was hacked through Safari, making it the weak link, as opposed to Mac OS itself.

      I’m sure simply using Chrome would address those vulnerabilities.

      EDIT: Correction. I looked at another site’s coverage of the event. It looks like Safari’s crap security, mixed with a flaw in OS X 10.6’s memory security is what facilitated the breach.

      I stand corrected.

        • GrimDanfango
        • 9 years ago

        Can’t see why that makes a difference. Surely the browser on any system is about the most likely route into the OS for remote attacks? Surely an OS isn’t secure if it’s unable to contain an attack from a program running on it?

        People can claim Mac OS to be as impenetrable as they like, it doesn’t exactly mean a lot to the person who gets hacked.

      • Hattig
      • 9 years ago

      These people have their hacks ready to go when they turn up at these hacking contests. It just means that once you have the hack, it is really quite easy to run it.

      • stdRaichu
      • 9 years ago

      Remember the “5 seconds to hack” came from a specially crafted web page. I suspect it might have taken them slightly longer than 5s to discover the vulnerability beforehand and craft a web page to exploit it.

      Not trying to say apple has spotless security (anything but, in fact), but the “five seconds to hack” claim is spurious.

        • kuraegomon
        • 9 years ago

        Yes, but the fact that the hack is a drive-by in a single step is still significant. It’s not like there’s multiple steps (any of which could presumably fail) required to break into a target system. So there the 5 seconds has some validity. It indicates how quickly (and atomically) a machine can be compromised.

        • willyolio
        • 9 years ago

        that doesn’t matter, because they don’t have to re-write and re-tailor a new hack for every computer. released in the wild, this hack would average 5.0001s per computer if you factored in the “development time.”

      • Farting Bob
      • 9 years ago

      Yep nobody tried Chrome. Google offered $20,000 and nobody even attempted it on day 1. That tells you something, notably that either nobody was able to work out how to get around it beforehand or that there is someone who can hack an OS through Chrome but feels it’s worth more than $20k.
      Either way, impressively secure.

      • NeelyCam
      • 9 years ago

      BC is beautiful. Where are you from again?

        • sweatshopking
        • 9 years ago

        Originally I’m from Vancouver island. Now I live in Nova Scotia.
