Windows 7 Forums
Welcome to Windows 7 Forums. Our forum is dedicated to helping you find support and solutions for any problems regarding your Windows 7 PC be it Dell, HP, Acer, Asus or a custom build. We also provide an extensive Windows 7 tutorial section that covers a wide range of tips and tricks.


Windows 7: IE and Safari out at Pwn2Own on day 1

10 Mar 2011   #21
pparks1

Windows 7 Ultimate x64
 
 

Quote   Quote: Originally Posted by Tepid View Post
"Google's Chrome browser was also up for grabs, but no one stepped forward to try hacking it."

Sorry,, wrong answer for me.

Really? Why, specifically? So, what they are saying,, Google Chrome has their browser so locked down that The NSA, CIA, MI5, what ever initials you want to put up there can be 100% garraunteed to never, ever, not once, EVER, FOREVER, be NOT ONE TINY BIT vulnerable?

I call BS.
This doesn't mean that there will never ever be a vulnerability of any kind. But it does seem to clearly indicate that there isn't a known exploit yet to these hackers which can be used to gain administrative access to the host computer which is the whole point of the Pwn2Own contest.

Hackers at Pwn2Own and BlackHat do not pussy foot around and pretend that everything is all perfect and beautiful. They hack, attack and bring systems to their knees. They didn't manage it on either Firefox or Chrome...that says a lot.


My System SpecsSystem Spec
.
10 Mar 2011   #22
Tepid

Win 7 Ultimate 32bit
 
 

an doesn't matter, I made my point and I stick by it.

I call BS.
My System SpecsSystem Spec
10 Mar 2011   #23
pparks1

Windows 7 Ultimate x64
 
 

Quote   Quote: Originally Posted by Tepid View Post
an doesn't matter, I made my point and I stick by it.

I call BS.
Thats fine you are entitled to this opinion. But considering either 20k or 35k was on the line, it seems rather far fetched.

You do realize that hackers come into the contest with known exploits and such. They aren't released from vacuum tubes and just start hammering away at the keyboard until they find something right?? It seems painfully obvious to me that previous to right at this moment, these guys/gals are not equipped with anything to exploit Chrome to the point where the machine is administratively owned.

Edit: i too will bow out at this point as I'm trying to be a jerk towards anybody and I firmly believe that it was not rigged and results are fair.
My System SpecsSystem Spec
.

10 Mar 2011   #24
Tepid

Win 7 Ultimate 32bit
 
 

There is the possibility that no one tried, because there are much easier fish to fry, but that doesn't mean that it is not possible, nor that the browser is safe, it just means that no one spent time on it.

The problem is, they say, no one is testing it.

Then it is automatically assumed, "wow, none of these guys are testing it, must be hard to crack"
"These guys would want to be the first to crack it, but, they haven't even tried, that says a lot."

What about,,,

How much time did they spend trying to crack it?
What methods did they use and failed?

Sorry, but you know what they say about Assume ing things.
My System SpecsSystem Spec
11 Mar 2011   #25
pparks1

Windows 7 Ultimate x64
 
 

Nobody ‘Pwns’ Google Chrome at Pwn2Own 2011
Quote:
Looks like Google will leave from Pwn2Own with same amount of money they came with. Pwn2Own is a competition at the CanSecWest security conference in Vancouver. In order to ‘pwn’ something, the hacker must successfully execute code using a 0-day vulnerability (meaning a vulnerability that has has not been made public, a new one) on the browser running on that machine. IE8, Safari, and Chrome were the three choices at this years conference.
A month ago Google said they would pay $20,000 to the first person that successfully cracked their Chrome Browser, and it looks like no one is up to that task.



Safari was cracked in a mere 5 minutes, and IE8 on the first day of the competition. An interesting note is that Apple released a new version of Safari minutes before the competition started. Anyone who thought they had an edge on the competition had to rethink their plan of attack.



Google Chrome on the other hand is still waiting for anyone to challenge their security. Out of the two contestants that signed up, one didn’t show up, and the other team decided to put their efforts into something else.

Here is the sign up sheet for the conference;
TippingPoint | DVLabs | Announcing Pwn2Own 2011

Quote:
As mentioned previously, we've upped the ante this time around and the total cash pool allotted for prizes has risen to a whopping $125,000 USD. While HP TippingPoint is funding $105,000 of that, we've partnered with Google who has generously offered up $20,000 to the researcher who can best their Chrome browser. Kudos to the Google security team for taking the initiative to approach us on this; we're always in favor of rewarding security researchers for the work they too-often do for free.
A successful hack of IE, Safari, or Firefox will net the competitor a $15,000 USD cash prize, the laptop itself, and 20,000 ZDI reward points which immediately qualifies them for Silver standing. Benefits of ZDI Silver standing include a one-time $5,000 USD cash payment, 15% monetary bonus on all ZDI submissions in 2011, 25% reward point bonus on all ZDI submissions in 2011 and paid travel and registration to attend the DEFCON Conference in Las Vegas.

As for Chrome, the contest will be a two-part one. On day 1, Google will offer $20,000 USD and the CR-48 if a contestant can pop the browser and escape the sandbox using vulnerabilities purely present in Google-written code. If competitors are unsuccessful, on day 2 and 3 the ZDI will offer $10,000 USD for a sandbox escape in non-Google code and Google will offer $10,000 USD for the Chrome bug. Either way, plugins other than the built-in PDF support are out of scope.
Here is a link that describes the Google bounty
https://www.infosecisland.com/blogvi...t-Pwn2Own.html
My System SpecsSystem Spec
11 Mar 2011   #26
Dave76

Microsoft Community Contributor Award Recipient

Windows 7 Ult x64 - SP1/ Windows 8 Pro x64
 
 

Nice info pparks1.

They get 15k and ZDI Silver for hacking IE, Safari, or Firefox and 35k for hacking Chrome.
So what was the reason they didn't hack Chrome?

Firefox and Chrome are the two safest browsers, so far.
My System SpecsSystem Spec
11 Mar 2011   #27
seekermeister

W7x64 Pro, SuSe 12.1/** W7 x64 Pro, XP MCE
 
 

I will admit that I didn't read it in detail, but perhaps one of you that feel so safe with Chrome can explain this for me:

PSI says Chrome 10.0.648.127 is insecure. - Programs - Forum - Community
My System SpecsSystem Spec
11 Mar 2011   #28
pparks1

Windows 7 Ultimate x64
 
 

I'm not a chrome user, but I think that PSI was detecting the previous version as insecure and wanted you to get to the newest version. Unfortunately that was the newest version. If you update PSI and scan again, I think you come back clean.
My System SpecsSystem Spec
11 Mar 2011   #29
malexous

Arch Linux 64-bit
 
 

Quote:
There are bugs in Chrome but they’re very hard to exploit. I have a Chrome vulnerability right now but I don’t know how to exploit it. It’s really hard. The’ve got that sandbox model that’s hard to get out of. With Chrome, it’s a combination of things — you can’t execute on the heap, the OS protections in Windows and the Sandbox.

I might have this bug and I might be able to get code execution. But now you’r ein a sandbox and you have no permissions to do anything. You need another bug to get out of the sandbox. Now you need two bugs and two exploits. That raises the bar.
Questions for Pwn2Own hacker Charlie Miller | ZDNet (2009)
My System SpecsSystem Spec
11 Mar 2011   #30
Everlong

 

Quote   Quote: Originally Posted by seekermeister View Post
I will admit that I didn't read it in detail, but perhaps one of you that feel so safe with Chrome can explain this for me:

PSI says Chrome 10.0.648.127 is insecure. - Programs - Forum - Community
From what I gather from that, it was fixed when PSI was updated.

Quote   Quote: Originally Posted by malexous View Post
Quote:
There are bugs in Chrome but theyíre very hard to exploit. I have a Chrome vulnerability right now but I donít know how to exploit it. Itís really hard. Theíve got that sandbox model thatís hard to get out of. With Chrome, itís a combination of things ó you canít execute on the heap, the OS protections in Windows and the Sandbox.

I might have this bug and I might be able to get code execution. But now youír ein a sandbox and you have no permissions to do anything. You need another bug to get out of the sandbox. Now you need two bugs and two exploits. That raises the bar.
Questions for Pwn2Own hacker Charlie Miller | ZDNet (2009)
That explains Chrome's Sandbox quite well. Maybe if you took the time to read things liek that, Tepid, you'd understand more and not just call BS at everything.
My System SpecsSystem Spec
Reply

 IE and Safari out at Pwn2Own on day 1




Thread Tools




Similar help and support threads
Thread Forum
CanSecWest Pwn2Own Victories
The big excitement at the popular CanSecWest Applied Security Conference in Vancouver, British Columbia, Canada is the Pwn2Own events. The take-downs, so far, from ZDNet: Pwn2Own 2010: iPhone hacked, SMS database hijacked Pwn2Own MacBook attack: Charlie Miller hacks Safari again Hacker...
System Security
iPhone, Safari, IE8, Firefox fall on day one of Pwn2Own
iPhone, Safari, IE8, Firefox all fall on day one of Pwn2Own
News


Our Sites

Site Links

About Us

Find Us

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd

All times are GMT -5. The time now is 16:36.
Twitter Facebook Google+ Seven Forums iOS App Seven Forums Android App