Soldato
- Joined
- 18 May 2010
- Posts
- 23,609
- Location
- London
Pwn2Own 2017 - Chrome unhackable whilst Firefox too easy.
- Thread starter opethdisciple
- Start date
Associate
- Joined
- 17 Sep 2008
- Posts
- 1,757
+1 Fake news thread title ..
lol : No browser was left unscathed. Security researchers poked holes in fully patched browsers at this year's Pwn2Own hacking challenge.
lol : No browser was left unscathed. Security researchers poked holes in fully patched browsers at this year's Pwn2Own hacking challenge.
And mozilla patched it up pretty quickly:
https://twitter.com/thezdi/status/843899974085689346
https://www.mozilla.org/en-US/security/advisories/mfsa2017-08/
https://twitter.com/thezdi/status/843899974085689346
https://www.mozilla.org/en-US/security/advisories/mfsa2017-08/
March 20, 2015
..yes .. I do not get your point
that article (if you follow links through ) explains how this event was performed in 2015, and there is no indication
that 'rules' have changed.
The 'company' probably has some virtues, but the event was just an exercise in memorizing an algorithm/technique .
If you look at their web-site can you find a summary of comparative weaknesses found across browsers during whole year .. I could not.
that article (if you follow links through ) explains how this event was performed in 2015, and there is no indication
that 'rules' have changed.
The 'company' probably has some virtues, but the event was just an exercise in memorizing an algorithm/technique .
If you look at their web-site can you find a summary of comparative weaknesses found across browsers during whole year .. I could not.
Associate
- Joined
- 17 Sep 2008
- Posts
- 1,757
"Chrome unhackable" - unwarranted assumption based on a single hacking attempt which ran out of time.
"Firefox too easy" - last year's news as clearly stated in the article, either a reading fail by the OP or deliberate misrepresentation.
"Edge laughable" - maybe, but it was particularly targeted by the hacking groups in contrast to FF and Chrome which received just two and one attempts respectively, and the results should be seen in that context.
- Joined
- 18 May 2010
- Posts
- 23,609
- Location
- London
It's not 'unhackable'. Nothing is 'unhackable'. But of the browsers tested the hacking teams wanting to earn the most money choose not to target Chrome as much as the others in order to maximize their profits.
Most likely because to target chrome would be not to make as much money as targeting other browsers as it would take up more of their time as it's more secure.
Article.
I think the fact that money is involved really incentives people to hack some thing. If there was money to be made out of hacking Chrome, these guys would have been right on it.
Most likely because to target chrome would be not to make as much money as targeting other browsers as it would take up more of their time as it's more secure.
Article.
I think the fact that money is involved really incentives people to hack some thing. If there was money to be made out of hacking Chrome, these guys would have been right on it.
I've used Chrome as my default browser since version 3 or 4 and I'll keep using it for the time being. I do use Firefox and Edge though for various tasks and they seem like OK browsers but syncing bookmarks and add ons just works the best on Chrome so that is why I use it.
Firefox is very useful for running Selenium automated browser testing tasks when developing websites though so I always use Firefox for that. I should probably add Chromium and Opera as well though so I can test on multiple browsers though.
Firefox is very useful for running Selenium automated browser testing tasks when developing websites though so I always use Firefox for that. I should probably add Chromium and Opera as well though so I can test on multiple browsers though.
cmiiw - chrome and edge are not open source (yet), unlike ff;
so details of existing bug fixes maybe less easy to discover, so that other similar means of attack can be explored, which maybe to their advantage ?
Did see another article which listed discovery monies payed by google/chrome directly
so it maybe just that google pays more for bugs than pwn ?? (for which nonetheless, per earlier reference, security weaknesses have been discovered before the conference)
so details of existing bug fixes maybe less easy to discover, so that other similar means of attack can be explored, which maybe to their advantage ?
Did see another article which listed discovery monies payed by google/chrome directly
so it maybe just that google pays more for bugs than pwn ?? (for which nonetheless, per earlier reference, security weaknesses have been discovered before the conference)
QED - 25-awesome-bug-bounty-programs-earning-pocket-money
google-chrome-57-browser-update-patches-high-severity-flaws
are you sure chrome is the right horse ?
google-chrome-57-browser-update-patches-high-severity-flaws
are you sure chrome is the right horse ?
IMO its a bit deceptive - Firefox out the box isn't too bad but beaten by some browsers but a few security scripts, etc. (which in many cases don't exist, etc. for other browsers) and its largely about as secure as you get.
What is increasingly letting Firefox down these days is its memory footprint, multithreading capabilities (or lack of) and background housekeeping tasks which seem to actually make the browser slower the longer you are in a session than speed it up as they seem to spend more and more time doing things like pointlessly sorting bookmark/history data.
The more interesting things is that the Windows 10 kernel is pretty laughable even after all the focus on making it more secure than before, etc.
What is increasingly letting Firefox down these days is its memory footprint, multithreading capabilities (or lack of) and background housekeeping tasks which seem to actually make the browser slower the longer you are in a session than speed it up as they seem to spend more and more time doing things like pointlessly sorting bookmark/history data.
The more interesting things is that the Windows 10 kernel is pretty laughable even after all the focus on making it more secure than before, etc.
This isn't really a problem. Most programmers looking for an exploit will run the program through a debugger looking for issues. This can be done even if you don't have access to the source code. You just need a good understanding of assembly and I think high end professional debuggers, dissemblers and other such tools actually make the process reasonably easy. Look up IDA Pro for instance.
- Joined
- 18 May 2010
- Posts
- 23,609
- Location
- London
That's the point tho in the bug bounty program. It means Google are encouraging people to ethically hack the browser then tell Google so they can patch it. At least they are ethical hackers rather than black hat hackers looking to exploit the vulnerabilities in the browser.
Which is why it seems to be more secure because a lot of the vulnerabilities which we know about TODAY are already covered.
Although Firefox is open source (so is Chrome to an extent as it's based on Chromium) it doesn't seem to have this level of exposure amongst the ethical hacking community simply because there isn't enough money being made available.
It's about incentives.
On top of that Chrome has architectural advantages over Firefox, due to it's multi threaded sand boxed nature.
---
No software is secure ever. Tomorrow someone might make a huge discovery that we simply didn't understand yesterday and it makes Chrome look like it has more holes than Swiss cheese. But this is why there is this bug bounty program. There is a monetary incentive for people to hack the browser, making it penetration and battle tested.
Which is why it seems to be more secure because a lot of the vulnerabilities which we know about TODAY are already covered.
Although Firefox is open source (so is Chrome to an extent as it's based on Chromium) it doesn't seem to have this level of exposure amongst the ethical hacking community simply because there isn't enough money being made available.
It's about incentives.
On top of that Chrome has architectural advantages over Firefox, due to it's multi threaded sand boxed nature.
---
No software is secure ever. Tomorrow someone might make a huge discovery that we simply didn't understand yesterday and it makes Chrome look like it has more holes than Swiss cheese. But this is why there is this bug bounty program. There is a monetary incentive for people to hack the browser, making it penetration and battle tested.
1 million USD paid out in 2016.
https://security.googleblog.com/2017/01/vulnerability-rewards-program-2016-year.html
we need some estimates of the lost man hours (or average $$ lost from bank accounts) caused by breaches, to enable browser comparison ?
(but maybe there is a different demographic of users for different browsers
)
a comment suggests if there were this many patches for other vendors users would be up in arms (but yes, number of bugs does not necesarily equate to prizes)
(but maybe there is a different demographic of users for different browsers
)indeed the recent chrome patches seem to be all chromium and there are links into the open source code,
a comment suggests if there were this many patches for other vendors users would be up in arms (but yes, number of bugs does not necesarily equate to prizes)