Browser security: Pwn2Own topples all but Chrome
How safe is the browser you're using to read this?
Unless you're running or squinting at these words on a mobile device, the answer could surprise you. And pipe down, Firefox fanboys - we're talking to you, too.
The Pwn2Own browser security competition, held this week at the conference in Vancouver, Canada, saw Internet Explorer, Firefox, and Safari all fall to exploits. But don't panic. Your browser's not suddenly in jeopardy: the vulnerabilities identified are never made public. In fact, the event affords companies and programmers a chance to fix holes in their software before hackers can use them to inflict real-world damage.
Why would a hacker bring an exploit to the conference instead of wreaking havoc with it? This year's winners took home $5,000 per hack and the slick machines on which they executed them.
Safari was compromised in seconds, victim to that "allows a remote attacker to gain control of a machine by having a user click on a single malicious URL." Safari running on a Mac was the most-attacked browser at this year's conference, because "," according to last year's overall winner.
Internet Explorer, the world's most popular browser, fell next. Even with the latest security patches, Microsoft's IE yielded to a 25-year-old computer science student.
For those still wedded to IE, NetworkWorld's Bill Brenner asked conference attendees what a normal user can do to make it safer and came up with his "." It's worth a read.
Firefox, which has long enjoyed a place as the geek browser of choice, was next to crack. ZDNet's Adrian Kingsley-Hughes asks whether the open-source web browser isn't period: "One complaint I find that's directed at Firefox often is that the browser has shifted too far away from the early ideals of 'fast and secure' and has become bloated," he writes.
The notable survivors were Google's Chrome and mobile browsers for Windows Mobile, BlackBerry, and iPhone. Mobile browsers held up because they're relatively new to the scene, and their closed ecosystems for hackers. Chrome escaped unscathed because, according to Pwn2Own hacker Charlie Miller, it's :
There are bugs in Chrome, but they're very hard to exploit. I have a Chrome vulnerability right now but I don't know how to exploit it. It's really hard. They've got that sandbox model that's hard to get out of. With Chrome, it's a combination of things - you can't execute on the heap, the OS protections in Windows and the Sandbox.
In other words, with so many unsecured browsers out there (Safari was called "low-hanging fruit" by more than one competitor) it's not worth it to a hacker to struggle through Chrome's multiple levels of security.
Choosing a secure browser is a lot like locking up a bike. You don't necessarily have to shell out for the most expensive impenetrable über-lock - just make sure to park next to someone whose bike is less securely locked than yours. With web browsing, that means using Google Chrome or sticking to mobile browsing.