Pwn2Own organizer predicts Chrome will survive first day
But sandboxed browser may fall second or third day when hacking rules change
Computerworld - Google's Chrome will likely survive the first day at next month's Pwn2Own hacking challenge, but may fall the next when the rules change, the contest organizer predicted today.
The other three target browsers -- Apple's Safari, Microsoft's Internet Explorer and Mozilla's Firefox -- will almost certainly tumble at Pwn2Own again this year, said Aaron Portnoy, the manager of HP TippingPoint's security research team. But Chrome is the wild card.
"I'm fairly certain that most, if not all, of the browsers will be compromised," Portnoy said. "I suspect that IE, Firefox and Safari will all be hacked, but Chrome won't, not on the first day."
TippingPoint is the sponsor of the fifth annual Pwn2Own contest, which runs March 9-11 at CanSecWest, a Vancouver, British Columbia, security conference.
Chrome will last longer than the other browsers -- or maybe make it out of Pwn2Own unscathed for the third year running -- because it's the only one of the four that relies on a "sandbox." A sandbox isolates system processes, theoretically preventing malware from escaping an application -- like Chrome -- to infect the computer.
To exploit a sandboxed program like Chrome -- another is Adobe Reader X -- hackers need not just one vulnerability but a pair: The first to escape the sandbox and a second to exploit the application itself.
"The sandbox in Chrome is the big hurdle," said Peter Vreugdenhil, a TippingPoint researcher and past winner of Pwn2Own. Vreugdenhil will be one of the contest judges this year.
Researchers have to play under different rules if they take on Chrome. The first day of the contest, hackers can tackle the browser -- and walk off with the $20,000 prize if successful -- only by exploiting vulnerabilities in Google's own code.
On the second and third days of the contest, researchers can employ a non-Chrome bug -- one in Windows, for instance -- to break out of the browser's sandbox. A successful attack on the second or third day will still put $20,000 in the researcher's pocket, but Google and TippingPoint will split the check.
"Google didn't want to pay for a vulnerability in someone else's code," Portnoy said.
Google is the first browser vendor to put money into the Pwn2Own prize pool, and will pay out a maximum of $20,000. The company approached TippingPoint with its offer, a move that may have saved Chrome a spot in the challenge, Portnoy said.
"They threw out the number $20,000," he said. "Actually, we weren't going to include Chrome, we weren't going to have it in the contest at all because we already had a WebKit browser." WebKit is the open-source browser engine that powers not only Chrome but also Safari.
- iPhone, BlackBerry tumble to Pwn2Own hackers
- Researcher chains three exploits to take down IE8 at Pwn2Own
- Safari, IE hacked first at Pwn2Own
- Researcher blows $15K by reporting bug to Google
- Microsoft won't patch IE before Pwn2Own
- Apple to patch Safari before Pwn2Own, say researchers
- Mozilla follows Google, patches Firefox as prep for Pwn2Own
- Three-time Pwn2Own winner knocks hacking contest rules
- Familiar faces, new names step up at Pwn2Own hacking contest
- Update: Firefox update will patch CSRF bug, Mozilla says
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
Red Hat Enterprise Linux - The Original Cloud Operating System
Linux adoption is growing against a number of measures, such as the
number of supercomputers that run Linux and the size of the contributing...
- OpenStack Hype vs. Reality: CIO Quick Pulse Open-source architecture can enable IT departments to build infrastructure-as-a-service (IaaS) clouds running on standard hardware.
- Building a Bridge to the Next Generation Data Center Selecting a widely adopted operating system is a foundational component of a standardization strategy.
- OpenStack and Red Hat: IDC White paper Most OpenStack deployments are by public cloud providers that are early adopters of technology and use OpenStack in a do-it-yourself deployment and support...
- Webinar: Building a Big Data solution that's production-ready Big data solutions are no longer just a nice-to-have.
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well... All Desktop Apps White Papers | Webcasts