IE and Safari out at Pwn2Own on day 1

I never said it would be easy.

But flat out assuming certain things, such as,,, "chrome is safe, cause no one is testing it" is an absurd argument.

Try making that claim on anything else. It just doesn't work that way.

Google patched 25 vulnerabilities in Chrome today in one last update before the Pwn2Own hacking contest starts Wednesday in Canada.

I wonder why no one is taking on the challenge then. And 25, is considered safe?
In other words, there is a reason no one is touching it, but it's has ZERO to do with it being safe.
It has more to do with the fact that they plugged a bunch of holes and that's it.

So, it's a facade.

Just cause no one is testing it does not mean it is safest browser.
It just means no one has either had time, nor spent time on finding other holes that did not get discovered and patched yet a day before the event.

Claiming they survive day one (cause again, no one tested it) is a good thing is a fallacy due to that very fact.

malexous said:

This year, the software was frozen last week, preventing the use of last-minute patches to avoid exploitation. Successful exploits of the week-old configuration win the hardware, and if the exploit still exists in the latest software, money is also paid out for the flaw.

Pwn2Own day 2: iPhone, BlackBerry beaten; Chrome, Firefox no-shows

Hmmmm,,,, Are you sure about that?

Google issues last-minute Chrome fixes before Pwn2Own - Computerworld - March 8, 2011 04:09 PM ET


Google issues last-minute Chrome fixes before Pwn2Own | ITworld - March 9, 2011, 11:30 AM

Google issues last-minute Chrome fixes - Bing

Everyone knows the vulnerabilities are there, that's no secret - it's finding a way to exploit these vulnerabilities, and write the exploit, that's the problem because of Chrome's sandbox.

Tepid said:

malexous said:

This year, the software was frozen last week, preventing the use of last-minute patches to avoid exploitation. Successful exploits of the week-old configuration win the hardware, and if the exploit still exists in the latest software, money is also paid out for the flaw.

Pwn2Own day 2: iPhone, BlackBerry beaten; Chrome, Firefox no-shows

Hmmmm,,,, Are you sure about that?

Yes, pretty sure about that. If you read what malexous posted above, he says exactly the same thing that I am going to explain in a few more words below.

If you followed the past, Pwn20wn competitions, the requirement was to test against the latest version of the software under attack...even if it was released the morning of the show.

This year, the software was frozen the week prior, preventing the use of new patches to avoid exploitation. If you beat the frozen version, you win the hardware prizes of the competition. If you beat the browser on the latest version as of day of the show, you win the money.

As you can see from this link, Apple too included new patches resolving 60 vulnerabilities right before the start of the conference;
Pwn2Own 2011: On cue, Apple drops massive Safari, iOS patches | ZDNet

And this article explains that while Microsoft also had the opportunity to patch IE8 before the show, they elected not to;
Microsoft Releases Zero IE8 Security Updates Before "Pwn2Own" Browser Hacking Contest | News & Opinion | PCMag.com

So, it's not like Google tried to sneak a fast one past everybody. They played by the same rules as everybody else. Everybody else had the same opportunity. And even with patches being allowed, other browsers allowed machine ownership, and some did not.

Everlong said:

Everyone knows the vulnerabilities are there, that's no secret - it's finding a way to exploit these vulnerabilities, and write the exploit, that's the problem because of Chrome's sandbox.

Thank you, that is exactly correct. Nobody is saying that Chrome is perfect, but in a competition with money on the line, the hackers dropped Safari and IE8 and gained full access to the machines. They didn't do the same with Firefox and Chrome.

Using three different vulnerabilities and clever exploitation techniques, Irish security researcher Stephen Fewer successfully hacked into a 64-bit Windows 7 (SP1) running Internet Explorer 8 to win this year’s CanSecWest hacker challenge.

Fewer (right), a Metasploit developer who specializes in writing Windows exploits, used two different zero-day bugs in IE to get reliable code execution and then chained a third vulnerability to jump out of the IE Protected Mode sandbox.

Source

A Guy