Web Browsers Crushed in ‘Pwn2Own’ Contest
Whether it was Internet Explorer on Windows 7, Safari on OS X, Firefox on Windows or Mobile Safari on the iPhone, just about every browser on the market proved compromisable in some way.
Perhaps the most notable of the hacks is the iPhone exploit, in which a hacker managed to download the entire SMS database of a fully patched (non-jailbroken) iPhone 3GS, grabbing the complete list of contacts and any stored messages.
As in the real world, the Pwn2Own exploit code was delivered via specially crafted, malicious websites that target a specific flaw in your browser.
Safari, Firefox and Internet Explorer were all compromised, but there is one notable exception — Google’s Chrome browser.
One of the key aspects of Chrome that has — thus far — stopped the Pwn2Own hackers is its tightly sandboxed code, which makes it very difficult to exploit. Which isn’t to say there aren’t bugs in Chrome, just that exploiting them to do dirty work outside of Chrome, and thus compromise Windows, Linux or OS X, is much more difficult than it is with other browsers.
For users of IE, Firefox, Safari and Mobile Safari, the only real solution for any security woes is to wait for software updates patching the flaws. Microsoft, which is a CanSecWest sponsor, says it’s already investigating the flaws in Internet Explorer.
Given that one contestant arrived at Pwn2Own with some 20 working exploits for OS X, we’re hoping Apple does the same, but sadly, the company is notoriously lax when it comes to patching security flaws in its software.
If you’d like more information about the specific exploits used on each browser, see CNet’s coverage of the nitty-gritty Pwn2Own details.