Out of the browsers attacked at last week’s CanSecWest security conference in Vancouver, Canada, only Chrome survived. The conference’s Pwn2Own competition awarded substantial cash prizes for every browser vulnerability competitors could exploit. The easiest? Anything running on a Mac. The first browser compromised was Apple’s Safari, “an easy target," according to Charlie Miller, one of the contest winners. Part of the problem is the Mac OS itself, says Miller, stating that Firefox is much easier to hack on a Mac than on a system running Windows. Safari’s fall was followed by Internet Explorer 8 and Firefox, both exploited by 25-year-old computer science student ‘Nils,’ who was using the contest to showcase his skills to potential employers. Nils also compromised Safari, making the browser a double loser.
One of the flaws discovered could be used on Chrome, but currently there is no known exploit for it.
“There are bugs in Chrome but they’re very hard to exploit,” said Miller.
“I have a Chrome vulnerability right now but I don’t know how to exploit it. It’s really hard. They’ve got that sandbox model that’s hard to get out of,” Miller said.
Chrome’s sandbox isolates the browser from the OS, which is what makes using the browser to attack the system so difficult.
Mobile browsers proved much more secure than their PC brethren during Pwn2Own. Browsers for Windows Mobile, Blackberry, Android and iPhone went untouched.
Their relative newness, limited memory and processing power make it more difficult to find exploits. For now.
“If history can tell us anything here,” wrote Terri Forslof of TippingPoint, the contest’s sponsor, “it's that by this time next year, the community will have turned what we now believe upside down, and more than likely wow us with a new generation of techniques that I will affectionately dub “Micro Exploits” that are able to function predictably on the mobile platform."