No browser was safe at Pwn2Own, but Firefox had the most exploits delivered.
CanSecWest wrapped up on Friday in Vancouver, and while there was a minor controversy over self-censorship of a talk said to be a “blueprint for terrorists”, the most watched part of the event once again proved to be the Pwn2Own hacking competition.
Pwn2Own offered some serious cash incentives for teams to develop exploits for Chrome, Internet Explorer, Firefox and Safari. During the competition no browser proved invulnerable, but Firefox had the most security shortcomings with four separate exploits being developed for Mozilla’s browser. In comparison Internet Explorer, Chrome and Safari were all exploited only once.
Mozilla was quick to downplay the idea that this was a fundamental problem with the Firefox browser.
“Pwn2Own offers very large financial incentives to researchers to expose vulnerabilities, and that may have contributed in part to the researchers’ decision to wait until now to share their work and help protect Firefox users,” Sid Stamm, a senior engineering manager of security and privacy at Mozilla, said to EWeek. “We are working quickly to address each of these bugs and expect to deliver fixes next week.”
Firefox has the smallest prize for exploits, at $50,000, compared to the $100,000 offered for both Chrome and Internet Explorer.
Historically Firefox has always been the most pwned browser at Pwn2Own. This has been largely attributed to Firefox not having a “sandbox” — a memory space that creates a virtual firewall between the browser and the rest of the computer’s memory. Usually sandboxes have two components: Address space layout randomization (ASLR) and Data Execution Prevention (DEP). These prevent malicious code from accessing the computer’s RAM and running code in executable memory space, respectively.
At Pwn2Own 2012, Chaouki Bekrar, CEO and research chief of the controversial security consultancy VUPEN, said that Firefox is the least secure browser on the market and Chrome is the most secure.
“Firefox lacks however a sandbox which makes it easier to exploit compared to other browsers,” he is quoted as saying. “Google has set up the most regular security updating process for its Chrome browser which leads to fixing a large number of vulnerabilities very often. Firefox, Internet Explorer and Safari are usually updated each quarter which is definitely not enough.”