Firefox Was the Most Attacked & Exploited Browser At Pwn2own 2014 207
darthcamaro writes "Though IE, Chrome and Safari were all attacked and all were exploited, no single web browser was exploited at this year's Pwn2own hacking challenge as Mozilla Firefox. A fully patched version of Firefox was exploited four different times by attackers, each revealing new zero-day vulnerabilities in the open-source web browser. When asked why Mozilla was attacked so much this year, Sid Stamm, senior engineering manager of security and privacy said, 'Pwn2Own offers very large financial incentives to researchers to expose vulnerabilities, and that may have contributed in part to the researchers' decision to wait until now to share their work and help protect Firefox users.' The Pwn2own event paid researchers $50,000 for each Firefox vulnerability. Mozilla now pays researcher only $3,000 per vulnerability."
Conditions of instability: (Score:3, Informative)
Many crashes do not start the Crash Reporter.
See for yourself. Go to this URL:
https://crash-stats.mozilla.com/home/products/Firefox/versions/27.0#duration=14
(Mozilla does not allow links from Slashdot.)
Those are NOT ALL the crashes! Those are just the crashes that don't also crash the Crash Reporter.
The earlier version, 26.0 is crashy, also:
https://crash-stats.mozilla.com/home/products/Firefox/versions/26.0
Re:Firefox is the most unstable program in common (Score:5, Informative)
That's odd, I keep literally dozens of tabs open in it all the time and haven't had it crash on me for as long as I can remember.
Re:Conditions of instability: (Score:4, Informative)
I have ~350 tabs in my Nightly install and it's not unstable at all. Heck, I have 1400 tabs open in my main Firefox 3.6 install, and managed to get it to 2400 recently, and it's not crashy either. Admittedly it's a bit janky due to the garbage collector (which has improved massively since 3.6), but what do you expect with 2400 tabs open? Firefox does not appear to be inherently crashy with many tabs.
If you're seeing crashes, please post some of your own crash reports so we can see if there's any obvious common cause in them. The overall crashes per ADI reports don't tell us much about how crashy Firefox is compared to other software, without also having similar reports from other software to compare with.
Re:Yes. (Score:5, Informative)
Most people don't open a lot of windows and tabs at the same time.
Define many. I routiney have 10+ windows with 20+ tabs in most of them, and another 10+ windows with 1 or 2 tabs.
I do software development; not primarily web based, but it comes up both in web apps and web services, so I'm regularly loading and debugging sites that are rendering pretty broken stuff too.
I honestly can't recall the last time FF crashed on me for any reason.
The problem is much worse when many windows and tabs are open under the Windows OS and Windows is hibernated several times.
I haven't rebooted my Mac in ages -- last time I installed an update that needed a reboot. A few months easy.
My home office win 7 destkop gets rebooted around once a month for windows updates. Sleep/hibernate/wakeups the rest of the time.
I'm not disputing your experience. But I do wonder whether your crashes are tied to a particular plugin, or are linked to some other characteristic of your system. We use FF at the office as well, on dozens of computers -- stability is NOT problem there as well. Don't know what to tell you.
Re:Firefox is the most unstable program in common (Score:5, Informative)
I would recommend noscript. Firefox does have a glaring flaw in that all the tabs run in the same process so if one gets wonky, it's game over for everything. It's probably flash that's killing you. I use noscript which blocks everything (like flash) that I don't explicitly want running and it makes Firefox very stable. As a side benefit, it makes browsing much safer. I use Chrome a lot too but when I'm going to any questionable sites, I use firefox just because of noscript.
Re:No lowrights mode (not surprised) (Score:4, Informative)
You're an idiot as standard users still have access to threads, processes, and the file system. This means you can attach a rogue process or malware to an admin one which happens to run as a service. It can then be executed with full admin privileges.
Nope. A standard user (which even includes admins who have not elevated through UAC prompt yet) can only attach to processes running under *the same* account as itself, and then only to a process/thread within the same *session* as itself.
In Windows, all services are launched in a separate session from the shell - meaning that direct attachment is not possible from a user shell to a service - even if they are running as the same user.
Unlike *nix'es, Windows uses proper tokens. What a process is permitted to do is not limited by a user account - rather each process has its own fine-grained token. By default a process inherits the token from the process that spawned it - but it can be further limited. When you log in, the shell process is created with a token which has all administrator privileges stripped from it and which runs with medium integrity level. So even if you are an administrator you will still get a standard user token. Upon login another token was also created - one which has high integrity level and has not been stripped of administrative privileges you may hold.
When you launch a process where the manifest demands elevated rights, Windows will issue the UAC prompt. If you accept then you get to run the process with your "super" token. This prompt is running with "high" integrity level (and by default even on a separate desktop) to prevent malicious processes already running as you from "remote controlling" the prompt at click the ok button for you.
It is important to note that unlike on Unix where you elevate to "root" with sudo - and thus receive privileges far beyond what is called for - Windows UAC prompt *can not* grant you privileges you did not already hold (well - if *another* user authenticates at the prompt you can "borrow" that users privileges).
It is worth noting that while all browsers were successfully attacked, the "Unicorn" class challenge Windows 8.1 x64/IE11/EMET was *not* exploited - even though it would have netted the attacker a cool $150,000.