Pwn2Own 2017 - Chrome unhackable whilst Firefox too easy.

Interesting. Says Firefox was "too easy" last year though, this year it was second best (after Chrome but ahead of Safari and Edge).

Still thankfully only a small number of exploits exist per software.
 
Yup, nothing about Firefox being too easy for this year.

Should be interesting next year though as parts of Firefox will be replaced with Servo, which should be more secure than the current old Gecko engine.
 
+1 Fake news thread title ..

lol : No browser was left unscathed. Security researchers poked holes in fully patched browsers at this year's Pwn2Own hacking challenge.
"Contestants showed up to claim all the prizes offered at Pwn2Own, and given the expense of travel to the conference, it is not surprising they have working exploits before coming," Veditz said. "Computers are very fast, and it is not surprising that a well-crafted exploit written in advance would not take much execution time."
 
..yes .. I do not get your point
that article (if you follow links through ) explains how this event was performed in 2015, and there is no indication
that 'rules' have changed.
The 'company' probably has some virtues, but the event was just an exercise in memorizing an algorithm/technique .
If you look at their web-site can you find a summary of comparative weaknesses found across browsers during whole year .. I could not.
 
You called it fake news, and then linked to an article from 2015.

What's fake about the OP's post?
 
What's fake about the OP's post?

"Chrome unhackable" - unwarranted assumption based on a single hacking attempt which ran out of time.

"Firefox too easy" - last year's news as clearly stated in the article, either a reading fail by the OP or deliberate misrepresentation.

"Edge laughable" - maybe, but it was particularly targeted by the hacking groups in contrast to FF and Chrome which received just two and one attempts respectively, and the results should be seen in that context.
 
It's not 'unhackable'. Nothing is 'unhackable'. But of the browsers tested the hacking teams wanting to earn the most money choose not to target Chrome as much as the others in order to maximize their profits.

Most likely because to target chrome would be not to make as much money as targeting other browsers as it would take up more of their time as it's more secure.

Article.

I think the fact that money is involved really incentives people to hack some thing. If there was money to be made out of hacking Chrome, these guys would have been right on it.
 
I've used Chrome as my default browser since version 3 or 4 and I'll keep using it for the time being. I do use Firefox and Edge though for various tasks and they seem like OK browsers but syncing bookmarks and add ons just works the best on Chrome so that is why I use it.

Firefox is very useful for running Selenium automated browser testing tasks when developing websites though so I always use Firefox for that. I should probably add Chromium and Opera as well though so I can test on multiple browsers though.
 
cmiiw - chrome and edge are not open source (yet), unlike ff;
so details of existing bug fixes maybe less easy to discover, so that other similar means of attack can be explored, which maybe to their advantage ?

Did see another article which listed discovery monies payed by google/chrome directly
so it maybe just that google pays more for bugs than pwn ?? (for which nonetheless, per earlier reference, security weaknesses have been discovered before the conference)
 
Could be a point.

The competition is about exposing weaknesses publicly. If people are being paid off for bug reports before then it makes the competition less embarrassing for that company.
 
IMO its a bit deceptive - Firefox out the box isn't too bad but beaten by some browsers but a few security scripts, etc. (which in many cases don't exist, etc. for other browsers) and its largely about as secure as you get.

What is increasingly letting Firefox down these days is its memory footprint, multithreading capabilities (or lack of) and background housekeeping tasks which seem to actually make the browser slower the longer you are in a session than speed it up as they seem to spend more and more time doing things like pointlessly sorting bookmark/history data.

The more interesting things is that the Windows 10 kernel is pretty laughable even after all the focus on making it more secure than before, etc.
 
cmiiw - chrome and edge are not open source (yet), unlike ff;
so details of existing bug fixes maybe less easy to discover, so that other similar means of attack can be explored, which maybe to their advantage ?

This isn't really a problem. Most programmers looking for an exploit will run the program through a debugger looking for issues. This can be done even if you don't have access to the source code. You just need a good understanding of assembly and I think high end professional debuggers, dissemblers and other such tools actually make the process reasonably easy. Look up IDA Pro for instance.
 
That's the point tho in the bug bounty program. It means Google are encouraging people to ethically hack the browser then tell Google so they can patch it. At least they are ethical hackers rather than black hat hackers looking to exploit the vulnerabilities in the browser.

Which is why it seems to be more secure because a lot of the vulnerabilities which we know about TODAY are already covered.

Although Firefox is open source (so is Chrome to an extent as it's based on Chromium) it doesn't seem to have this level of exposure amongst the ethical hacking community simply because there isn't enough money being made available.

It's about incentives.

On top of that Chrome has architectural advantages over Firefox, due to it's multi threaded sand boxed nature.

---

No software is secure ever. Tomorrow someone might make a huge discovery that we simply didn't understand yesterday and it makes Chrome look like it has more holes than Swiss cheese. But this is why there is this bug bounty program. There is a monetary incentive for people to hack the browser, making it penetration and battle tested.
 
we need some estimates of the lost man hours (or average $$ lost from bank accounts) caused by breaches, to enable browser comparison ?
(but maybe there is a different demographic of users for different browsers ;) )

(so is Chrome to an extent as it's based on Chromium)
indeed the recent chrome patches seem to be all chromium and there are links into the open source code,
a comment suggests if there were this many patches for other vendors users would be up in arms (but yes, number of bugs does not necesarily equate to prizes)
 
Back
Top Bottom