IE and Safari out at Pwn2Own on day 1


  1. Posts : 7,878
    Windows 7 Ultimate x64
    Thread Starter
       #20

    Tepid said:
    "Google's Chrome browser was also up for grabs, but no one stepped forward to try hacking it."

    Sorry, wrong answer for me.

    Really? Why, specifically? So, what they are saying, Google Chrome has their browser so locked down that the NSA, CIA, MI5, whatever initials you want to put up there can be 100% guaranteed to never, ever, not once, EVER, FOREVER, be NOT ONE TINY BIT vulnerable?

    I call BS.

    This doesn't mean that there will never ever be a vulnerability of any kind. But it does seem to clearly indicate that there isn't a known exploit yet to these hackers which can be used to gain administrative access to the host computer, which is the whole point of the Pwn2Own contest.

    Hackers at Pwn2Own and BlackHat do not pussyfoot around and pretend that everything is all perfect and beautiful. They hack, attack and bring systems to their knees. They didn't manage it on either Firefox or Chrome... that says a lot.


  2. Posts : 1,403
    Win 7 Ultimate 32bit
       #21

    an doesn't matter, I made my point and I stick by it.

    I call BS.


  3. Posts : 7,878
    Windows 7 Ultimate x64
    Thread Starter
       #22

    Tepid said:
    an doesn't matter, I made my point and I stick by it.

    I call BS.

    That's fine, you are entitled to this opinion. But considering either 20k or 35k was on the line, it seems rather far-fetched.

    You do realize that hackers come into the contest with known exploits and such. They aren't released from vacuum tubes and just start hammering away at the keyboard until they find something right?? It seems painfully obvious to me that previous to right at this moment, these guys/gals are not equipped with anything to exploit Chrome to the point where the machine is administratively owned.

    Edit: I too will bow out at this point as I'm trying to be a jerk towards anybody and I firmly believe that it was not rigged and results are fair.


  4. Posts : 1,403
    Win 7 Ultimate 32bit
       #23

    There is the possibility that no one tried, because there are much easier fish to fry, but that doesn't mean that it is not possible, nor that the browser is safe, it just means that no one spent time on it.

    The problem is, they say, no one is testing it.

    Then it is automatically assumed, "wow, none of these guys are testing it, must be hard to crack"
    "These guys would want to be the first to crack it, but, they haven't even tried, that says a lot."

    What about...

    How much time did they spend trying to crack it?
    What methods did they use and failed?

    Sorry, but you know what they say about Assume ing things.


  5. Posts : 7,878
    Windows 7 Ultimate x64
    Thread Starter
       #24

    Nobody ‘Pwns’ Google Chrome at Pwn2Own 2011
    Looks like Google will leave from Pwn2Own with the same amount of money they came with. Pwn2Own is a competition at the CanSecWest security conference in Vancouver. In order to ‘pwn’ something, the hacker must successfully execute code using a 0-day vulnerability (meaning a vulnerability that has not been made public, a new one) on the browser running on that machine. IE8, Safari, and Chrome were the three choices at this year's conference.
    A month ago Google said they would pay $20,000 to the first person that successfully cracked their Chrome Browser, and it looks like no one is up to that task.



    Safari was cracked in a mere 5 minutes, and IE8 on the first day of the competition. An interesting note is that Apple released a new version of Safari minutes before the competition started. Anyone who thought they had an edge on the competition had to rethink their plan of attack.



    Google Chrome on the other hand is still waiting for anyone to challenge their security. Out of the two contestants that signed up, one didn’t show up, and the other team decided to put their efforts into something else.

    Here is the sign-up sheet for the conference:
    TippingPoint | DVLabs | Announcing Pwn2Own 2011

    As mentioned previously, we've upped the ante this time around and the total cash pool allotted for prizes has risen to a whopping $125,000 USD. While HP TippingPoint is funding $105,000 of that, we've partnered with Google who has generously offered up $20,000 to the researcher who can best their Chrome browser. Kudos to the Google security team for taking the initiative to approach us on this; we're always in favor of rewarding security researchers for the work they too-often do for free.
    A successful hack of IE, Safari, or Firefox will net the competitor a $15,000 USD cash prize, the laptop itself, and 20,000 ZDI reward points which immediately qualifies them for Silver standing. Benefits of ZDI Silver standing include a one-time $5,000 USD cash payment, 15% monetary bonus on all ZDI submissions in 2011, 25% reward point bonus on all ZDI submissions in 2011 and paid travel and registration to attend the DEFCON Conference in Las Vegas.

    As for Chrome, the contest will be a two-part one. On day 1, Google will offer $20,000 USD and the CR-48 if a contestant can pop the browser and escape the sandbox using vulnerabilities purely present in Google-written code. If competitors are unsuccessful, on day 2 and 3 the ZDI will offer $10,000 USD for a sandbox escape in non-Google code and Google will offer $10,000 USD for the Chrome bug. Either way, plugins other than the built-in PDF support are out of scope.
    Here is a link that describes the Google bounty
    https://www.infosecisland.com/blogvi...t-Pwn2Own.html


  6. Posts : 12,177
    Windows 7 Ult x64 - SP1/ Windows 8 Pro x64
       #25

    Nice info pparks1.

    They get 15k and ZDI Silver for hacking IE, Safari, or Firefox and 35k for hacking Chrome.
    So what was the reason they didn't hack Chrome?

    Firefox and Chrome are the two safest browsers, so far.


  7. Posts : 6,618
    W7x64 Pro, SuSe 12.1/** W7 x64 Pro, XP MCE
       #26

    I will admit that I didn't read it in detail, but perhaps one of you that feel so safe with Chrome can explain this for me:

    PSI says Chrome 10.0.648.127 is insecure. - Programs - Forum - Community


  8. Posts : 7,878
    Windows 7 Ultimate x64
    Thread Starter
       #27

    I'm not a Chrome user, but I think that PSI was detecting the previous version as insecure and wanted you to get to the newest version. Unfortunately that was the newest version. If you update PSI and scan again, I think you come back clean.


  9. Posts : 622
    Arch Linux 64-bit
       #28

    There are bugs in Chrome but they’re very hard to exploit. I have a Chrome vulnerability right now but I don’t know how to exploit it. It’s really hard. They’ve got that sandbox model that’s hard to get out of. With Chrome, it’s a combination of things — you can’t execute on the heap, the OS protections in Windows and the Sandbox.

    I might have this bug and I might be able to get code execution. But now you’re in a sandbox and you have no permissions to do anything. You need another bug to get out of the sandbox. Now you need two bugs and two exploits. That raises the bar.
    Questions for Pwn2Own hacker Charlie Miller | ZDNet (2009)


  10. Posts : 3,322
    Windows 8.1 Pro x64
       #29

    seekermeister said:
    I will admit that I didn't read it in detail, but perhaps one of you that feel so safe with Chrome can explain this for me:

    PSI says Chrome 10.0.648.127 is insecure. - Programs - Forum - Community

    From what I gather from that, it was fixed when PSI was updated.

    malexous said:
    There are bugs in Chrome but they’re very hard to exploit. I have a Chrome vulnerability right now but I don’t know how to exploit it. It’s really hard. They’ve got that sandbox model that’s hard to get out of. With Chrome, it’s a combination of things — you can’t execute on the heap, the OS protections in Windows and the Sandbox.

    I might have this bug and I might be able to get code execution. But now you’re in a sandbox and you have no permissions to do anything. You need another bug to get out of the sandbox. Now you need two bugs and two exploits. That raises the bar.
    Questions for Pwn2Own hacker Charlie Miller | ZDNet (2009)

    That explains Chrome's Sandbox quite well. Maybe if you took the time to read things like that, Tepid, you'd understand more and not just call BS at everything.


 
Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.
