Browser security: Pwn2Own topples all but Chrome
How safe is the browser you're using to read this?
The Pwn2Own browser security competition, held this week at the CanSecWest conference in Vancouver, Canada, saw Internet Explorer, Firefox, and Safari all fall to exploits. But don't panic. Your browser's not suddenly in jeopardy: the vulnerabilities identified are never made public. In fact, the event affords companies and programmers a chance to fix holes in their software before hackers can use them to inflict real-world damage.
Why would a hacker bring an exploit to the conference instead of wreaking havoc with it? This year's winners took home $5,000 per hack and the slick machines on which they executed them.
Safari was compromised in seconds, victim to a prepared attack that "allows a remote attacker to gain control of a machine by having a user click on a single malicious URL." Safari running on a Mac was the most-attacked browser at this year's conference this year, because "it's an easy target," according to last year's overall winner.
Internet Explorer, the world's most popular browser, fell next. Even with the latest security patches, Microsoft's IE yielded to a 25-year-old computer science student.
For those still wedded to IE, NetworkWorld's Bill Brenner asked conference attendees what a normal user can do to make it more safe and came up with his "10 IE Browser Settings for Safer Surfing." It's worth a read.
Firefox, which has long enjoyed a place as the geek browser of choice, was next to crack. ZDNet's Adrian Kingsley-Hughes asks whether the open-source web browser isn't at the end of its honeymoon period: "One complaint I find that’s directed at Firefox often is that the browser has shifted too far away from the early ideals of 'fast and secure' and has become bloated," he writes.
The notable survivors were Google's Chrome and mobile browsers for Windows Mobile, BlackBerry, and iPhone. Mobile browsers held up because they're relatively new to the scene, and their closed ecosystems pose unique challenges for hackers. Chrome escaped unscathed because, according to Pwn2Own hacker Charlie Miller, it's harder to compromise:
There are bugs in Chrome, but they’re very hard to exploit. I have a Chrome vulnerability right now but I don’t know how to exploit it. It’s really hard. They’ve got that sandbox model that’s hard to get out of. With Chrome, it’s a combination of things — you can’t execute on the heap, the OS protections in Windows and the Sandbox.
In other words, with so many unsecured browsers out there (Safari was called "low-hanging fruit" by more than one competitor) it's not worth it to a hacker to struggle through Chrome's multiple levels of security.
Choosing a secure browser is a lot like locking up a bike. You don't necessarily have to shell out for the most expensive impenetrable über-lock – just make sure to park next to someone whose bike is less securely locked than yours. With web browsing, that means use Google Chrome or stick to mobile browsing.