GOOGLE'S CHROME browser is not only the world's most popular web browser, it's also the least hackable, or so it would appear after the 10th annual Pwn2Own event at Vancouver's CanSecWest conference.
The annual event challenges hackers to exploit vulnerabilities in a range of browsers and other programs in exchange for cash prizes. It's essentially a bug-bounty-athon organised by the Zero Day Initiative.
Over three days, Microsoft Edge, which has already been highlighted for its flaws recently, cost $300,000 in bounties for five vulnerabilities, putting it bottom of the list. Safari was hacked three times, plus once more by an exploit that already had a fix in beta. With one of those hacks resulting in elevation of privileges, that's a drubbing by usually secure Apple standards.
Firefox was attacked twice, once successfully, in part down to its use of sandboxing. The browser is making further additions to its security this year.
But Google Chrome made it through more or less unscathed, with the only attack not being completed in time.
It's worth pointing out that the "pwn" attempts were at the whimsy of the teams taking part and therefore the decision to go after Edge may well be based on the knowledge that it would give them the most leverage to score points in the competition.
But then, it follows therefore that if they went for the most hackable browser, because they knew it was the most hackable browser, then surely it's the most hackable browser, right?
Edge's other big folly is youth. The code base for the other browsers taking part goes back years, whereas Edge was built from scratch for Windows 10, so it has only had 18 months to air the bugs out.
For the first time this year, a "pwn" on a virtual machine was accomplished with an exploit for VMware.
The winning team incidentally was from 360 Security, who scored 63 points. All the hacks have been "bought" by the sponsors, who then liaise directly with vendors to get them patched. µ