Browser vendors often make strong claims about their responsiveness to vulnerability reports and their ability to preemptively prevent exploits. Security is becoming one of the most significant fronts in the new round of browser wars, but it's also arguably one of the hardest aspects of software to measure or quantify.
A recent contest at CanSecWest, an event that brings together some of the most skilled experts in the security community, has demonstrated that the three most popular browser are susceptible to security bugs despite the vigilance and engineering prowess of their creators.
Firefox, Safari, and Internet Explorer were all exploited during the Pwn2Own competition that took place at the conference. Google's Chrome browser, however, was the only one left standing—a victory that security researchers attribute to its innovative sandbox feature.
The contest awards security researchers with hardware and cash prizes for finding efficient ways to trick browsers into executing arbitrary code. During the first day of the competition, the contestants are required to do this in default browser installations without plugins such as Flash or Java, which are commonly used as vectors for attacks. Researchers typically prepare for the event far in advance by finding zero-day exploits ahead of time.
Early this month, prior champion Charlie Miller told reporters that he would be attempting to exploit a Safari vulnerability on Mac OS X. Safari, he said, would be the first to succumb to the contestants. As he promised, Safari went down first: he was able to execute his prepared hack in only a matter of seconds. Another security expert known only as Nils took longer, but was able to successfully exploit all three of the most popular browsers.
These contests contribute to the growing culture of commercialism that surrounds the art of exploitation. In an interview with ZDNet, Miller said that the vulnerability he used in the contest was one that he had originally found while preparing for the contest last year. Instead of disclosing it at that time, he decided to save it for the contest this year, because the contest only pays for one bug per year. This is part of his new philosophy, he says, which is that bugs shouldn't be disclosed to vendors for free.
"I never give up free bugs. I have a new campaign. It's called NO MORE FREE BUGS. Vulnerabilities have a market value so it makes no sense to work hard to find a bug, write an exploit and then give it away," Miller told ZDNet. "Apple pays people to do the same job so we know there's value to this work."
Miller also told reporters that he targeted Safari on Mac OS X because he believes that it is the easiest to exploit. Windows, on the other hand, he claims is tougher because of its address randomization feature and other security measures. As for Chrome, he says that he has identified a security bug in Google's browser but has been unable to exploit it because the browser's sandboxing feature and the operating system's security measures together pose a formidable challenge.
The game isn't over yet. During the second day of the event, the focus will turn towards Chrome. Nils, who demonstrated impressive skill during the first day by conquering the three most popular browsers, might have a few more tricks up his sleeve. According to the official rules, the participants will be permitted to use plugins during the second day.
