
Firefox Was the Most Attacked & Exploited Browser At Pwn2own 2014

Posted by Soulskill
from the foxes-provide-the-best-sport dept.
darthcamaro writes "Though IE, Chrome and Safari were all attacked and all were exploited, no single web browser was exploited as much at this year's Pwn2own hacking challenge as Mozilla Firefox. A fully patched version of Firefox was exploited four different times by attackers, each revealing new zero-day vulnerabilities in the open-source web browser. When asked why Mozilla was attacked so much this year, Sid Stamm, senior engineering manager of security and privacy said, 'Pwn2Own offers very large financial incentives to researchers to expose vulnerabilities, and that may have contributed in part to the researchers' decision to wait until now to share their work and help protect Firefox users.' The Pwn2own event paid researchers $50,000 for each Firefox vulnerability. Mozilla now pays researchers only $3,000 per vulnerability."
  • by Anonymous Coward

    Oh, wait...

    • by lexman098 (1983842) on Saturday March 15, 2014 @07:37PM (#46495713)
      It can actually be pretty fast if tweaked a bit [palemoon.org].
    • by Jane Q. Public (1010737) on Sunday March 16, 2014 @05:10AM (#46497409)

      "Yeah, but it's fast and it's not bloated"

      On my Mac, the Chrome app is 6 times the size of Firefox, and far slower. Just sayin'.

      I keep them updated. I don't use Chrome except when I have to because it's too slow (with NO bookmarks or plugins) versus my Firefox (with a shitload of bookmarks and lots of plugins).

      I use these things in my daily work. Or rather, I use Firefox in my daily work because Chrome and Safari are so slow. But I have to check compatibility with them so I keep them around and do use them sometimes.

      That's on my Mac. YMMV on your computer or on Windows.

      • by lemur3 (997863)

        you might want to open up the package for the .app on your mac to see if it has all of the previous versions inside of it..

        some people report that when chrome updates itself it leaves the old version inside of the .app

        http://hints.macworld.com/arti... [macworld.com]

      • by Pope (17780)

        On my Mac, the Chrome app is 6 times the size of Firefox, and far slower. Just sayin'.

        So what? If the whole thing isn't loaded into memory, why would the file size matter? The biggest parts of GraphicConverter.app are the embedded PDF manuals; if you don't open them, they're never loaded into RAM.

    • by jbn-o (555068) <mail@digitalcitizen.info> on Sunday March 16, 2014 @01:03PM (#46499547) Homepage

      At least Firefox can be altered to become what you want it to be because Firefox respects a user's software freedom. Far more important than vagaries like "fast" and "not bloated" is how a program treats its users. Proprietary browsers leave users no opportunity for improving the program. Thus security issues in proprietary programs go unfixed and are exploited for years. This, in turn, allows others to invade people's computers and leaves users helpless. This is exactly what happened with Apple's iTunes for over 3 years [telegraph.co.uk]. I would not be surprised to learn that software proprietors including Microsoft, Google, and Apple are doing similar things with proprietary web browser programs as well.

      So while I like trustworthy programs like other computer users, I know that I can't ascertain the trustworthiness of proprietary programs like Microsoft's Internet Explorer, Apple's Safari, and Google's Chrome. The extent to which any of them are built from software that respects my software freedom is irrelevant because proprietary programs and their updates are essentially black boxes. I can't possibly inspect or fix all of the software I use, but I can put myself in a position where I stand to benefit from the improvements a lot of programmers make by exclusively running software that respects my freedom to run, inspect, share, and modify—free software [gnu.org]—freedoms I value in their own right.

  • by Anonymous Coward

    Or not that I saw. I wonder if, like usual, they depend on running malicious code from the attacking site, rather than being sensible and turning off javascript, running ghostery, and the like.

    Once you start running code from attackers, you're just asking to be pwned.

    • Check the bugzilla and the security update the next day for full details on Firefox.

    • by Anonymous Coward

      Or not that I saw. I wonder if, like usual, they depend on running malicious code from the attacking site, rather than being sensible and turning off javascript, running ghostery, and the like.

      Once you start running code from attackers, you're just asking to be pwned.

      Turning off Javascript breaks so much of websites and online services that it isn't really an option for most users. And when you start to whitelist sites and scripts, how do you know that these scripts/sites are not compromised, do you code review all scripts each time before enabling?

      And isn't Ghostery bought by an ad company?

  • I do my browsing in an untrusted or disposable Qubes domain, which is about as strong security as you can get for a functional desktop system. Still, it would be awesome if pwn2own made it one of their target OS's... now for *that* I would get out the popcorn!

  • I am using Firefox for lack of a better option. I

    IE is out of the question because it is too clunky, and Chrome has Google intruding into extension use and so on. I had to ditch it the day I discovered that they can remotely disable locally installed extensions. Firefox and Mozilla in general seem hell-bent on making everything they make as horrible and cartoony looking as possible (Australis(-hit)).

    It is sad that for all the importance browsers have today, there are basically only 2-3 options to choose from.

    • by afgam28 (48611)

      15 years ago, Internet Explorer had just won the browser wars, and all we had on Linux was an old version of Netscape Navigator that barely worked. Even Netscape had abandoned it and no one had any idea if and when Mozilla would ever be ready.

      Compared to that I think 2-3 options is pretty good, especially when all of the browser vendors respect web standards (even Microsoft), Firefox is completely open source and so is nearly all of Chrome and a large chunk of Safari too.

    • by Billly Gates (198444) on Saturday March 15, 2014 @10:37PM (#46496387) Journal

      I left Firefox after the 4.0 debacle. Yes it was the first release to really support HTML 5 but it was freaking HORRIBLE. Bad UI, sloooow, and on older hardware it was unusable. IE 9 won rewards on tomshardware.com which was released March 2011. I held my nose and gave it a try. It supported hardware acceleration, html5 (I admit it was more limited at the time), and was great on my 6 core system as it has per process tab. Since 2001 it ran circles on gecko web engines??!

      Many slashdotters said ewww no thanks based on IE 6 memories.

      I then played with Chrome. Yes it is spyware somewhat but it too has important features and has less hardware acceleration but it is more secure and frankly a much better browser than Firefox.

      My father got hacked with Firefox. It is a shitty browser with no lowrights mode. It is from the XP era and has no concept of %appdata and uses the filesystem and has access rights to some processes and threads. Bad security wise but that is what XP era software did.

      Chrome and IE 9+ have separate code bases for this with XP vs Windows 7 and greater with sandbox support. Many here use Comodo Dragon which is based off of Chrome but has no privacy issues. However, be warned it is based off the previous version of Chromium with some security holes.

      Switch my friend!

      Until Firefox goes to a processing model and supports lowrights mode I will not go back. This may change hopefully as Firefox is improving with performance and ram requirements since 2011 but on a 6 core system it is stupid not to multitask!

      • Not everyone uses Windows, hence Linux and OS X users aren't exactly in a position to switch to IE, regardless of its technical merits. This is no longer a Windows-only world, even if it's still the majority.

        Besides, IE lacks the useful extensions I rely on in Firefox. Don't tell me said extensions are pointless or useless - I find use in them, so clearly they have worth. Going to IE would mean giving up said extensions or having to do things in a less smooth or capable fashion. Firefox is still the best br

    • by Frankie70 (803801)

      IE is out of the question because it is too clunky,

      What version of IE did you last use? I use IE as my secondary browser. There are reasons why it's not my primary browser, but clunkiness is not one of them. I find it far less clunky & far more stable than Firefox.

    • by smash (1351)
      IE9 onwards is an entirely different beast to previous versions. If you haven't used IE since version 9 came out, it is worth at least testing (if you're on Windows at least). There isn't really a major browser out there at the moment which doesn't suck in various ways, but in terms of suckage recent versions of IE aren't actually bad.
  • Had the same problems with FF crashing, switched to Opera next, works great for me.
  • by Billly Gates (198444) on Saturday March 15, 2014 @10:28PM (#46496337) Journal

    Both Chrome and IE (yes slashdotters I did say IE) support lowrights mode.

    This means it has no access to the file system at all, no access to processes or threads and %appdata is its prison ... assuming you are on Windows 7 or greater on Windows. XP users will get hacked regardless of browser because the OS does not support kernel level sandboxing.

    I left Firefox for IE 9 in 2011 after it won rewards on tomshardware.com. Then switched to Chrome. Firefox like Netscape before it is a sad shell of its former self. I do admit the later Firefox releases are much more lenient on ram usage and have improved drastically.

    But I have an older Phenom II x6. Nice 6 core with virtualization support for VMWare .. but it is 2.6 GHz and is showing its age at only 2.6 GHz. My machine needs multi processing/threading apps to run close to modern and they provide greater security. One tab does not interfere with another and can be assigned for each core.

    To prevent my fan from going high and causing high usage both IE 10+ and Chrome utilize my system fine and still display pages as fast as those reading this on an icore5 or later. But Firefox puts +20 tabs on one cpu with no lowrights mode and as you can imagine when firebug is on it slows down all the tabs and it is a security risk.

    Like Netscape it was the lack of funding that killed it against IE 6 onslaught. I wonder if the same is true? I used Netscape 4.7 before succumbing to IE 6 and then Firefox 1.5 to IE 9 and later Chrome today.

    • by cbhacking (979169)

      Vista or greater; Mandatory Integrity Control was introduced with NT 6.0, not 6.1 (better known as Win7). IE7 on Vista was the first browser to use the Low Integrity Level sandbox.

      By default, Low IL actually does allow reading much of the file system and registry. It just can't do anything to any of it.

      For what it's worth, you can *kind of* get the same benefit on XP by running a browser as a very-low-rights user. That causes no end of problems for some use cases (like downloading files), though.
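
The Low IL behaviour described in the comment above (reads mostly allowed, writes denied), shown as an added example that is not part of the original thread. It models only the mandatory-label part of the Windows access check, not the DACL; the function names and the SDDL sample strings are constructed for illustration.

```python
import re

# Integrity levels by SDDL SID alias; a higher value is more trusted.
LEVELS = {"LW": 0x1000, "ME": 0x2000, "HI": 0x3000, "SI": 0x4000}
# Policy flags in a mandatory-label ACE and the access each one blocks
# for callers whose integrity level is below the object's.
POLICY = {"NW": "write", "NR": "read", "NX": "execute"}
# An object with no label ACE is treated as Medium with no-write-up.
DEFAULT_LABEL = ("ME", {"write"})
# ACE layout: (type;flags;rights;object_guid;inherit_guid;sid)
ML_ACE = re.compile(r"\(ML;[^;]*;([A-Z]*);;;([A-Z]{2})\)")


def parse_label(sddl):
    """Return (level alias, set of blocked access types) for an object."""
    match = ML_ACE.search(sddl)
    if match is None:
        return DEFAULT_LABEL
    rights, sid = match.groups()
    flags = [rights[i:i + 2] for i in range(0, len(rights), 2)]
    if sid not in LEVELS or any(f not in POLICY for f in flags):
        raise ValueError("unsupported mandatory label: " + match.group(0))
    return sid, {POLICY[f] for f in flags}


def integrity_allows(subject, sddl, access):
    """True if the integrity check alone permits `access` (DACL not modelled)."""
    level, blocked = parse_label(sddl)
    if LEVELS[subject] >= LEVELS[level]:
        return True  # the caller is not reaching "up", so the label is moot
    return access not in blocked


# Constructed sample descriptors, not taken from a real system.
USER_DOC = "O:BAG:BAD:(A;;FA;;;BA)"                      # unlabeled file
LOW_CACHE = "O:BAG:BAD:(A;;FA;;;BA)S:(ML;OICI;NW;;;LW)"  # labeled Low
NO_READ_UP = "S:(ML;;NWNR;;;ME)"                         # read-protected

if __name__ == "__main__":
    for name, sd in [("user doc", USER_DOC), ("low cache", LOW_CACHE),
                     ("no-read-up", NO_READ_UP)]:
        verdict = {a: integrity_allows("LW", sd, a) for a in ("read", "write")}
        print(f"Low IL process -> {name}: {verdict}")
```
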

  • The tendency of Firefox to preserve its own DNS cache means I cannot use it when hopping from VPN to VPN with split DNS running, unless I configure and install my _own_ local DNS server to auto-reconfigure every time I activate a VPN. I'm afraid it's become unusable for me for real work and testing when switching from internal to external website access as I debug network and configuration issues: it's the only browser that fails this way.

    • by Anonymous Coward

      The tendency of Firefox to preserve its own DNS cache means I cannot use it when hopping from VPN to VPN with split DNS running, unless I configure and install my _own_ local DNS server to auto-reconfigure every time I activate a VPN. I'm afraid it's become unusable for me for real work and testing when switching from internal to external website access as I debug network and configuration issues: it's the only browser that fails this way.

      There are a ton of about:config settings related to dns. For what it's worth, a look can't hurt, but I hate stupid design decisions causing more browser fragmentation. I have 3 browsers to keep mental bug lists for, and extensions for each are worlds apart even with the same names.
      Stylish's bgcolor css scripts don't work in the official chrome version. Adblock has confusing multiple versions on chrome that I can't verify are legit, and I heard the filtered content is still downloaded. But stability, multiproc

    • That is a scary security risk.

      What is to stop malware from inserting records into the DNS for Russian banks etc? File system escalations are bad enough and at least Chrome and IE do not have any filesystem access and can only write to %appdata.

      But Firefox nope. I will make sure not to use it even if it does support threading like its competitors starting to do last decade.

      • I was not referring to the insertion of false data: I was referring to its insistence on doing a local cache, apparently not part of the system DNS, _after_ switching DNS servers and potentially needing new DNS answers due to being in a different DNS "view". This is common enough practice with various proxy and load balancer configurations, to have a different DNS record on the internal network than on the external network.

        Inserting false DNS records is a whole _different_ security risk, one that is an ongo

        • Well the OS would be a better way to store DNS caches as it is updated with properly security often.

          I had a man in the middle attack before about 10 years ago when something didn't seem right. After flushing dns I re pinged and another ip address was shown. Ahh the joys of old XP pre-SP 2 :-)

          I do not trust Mozilla to have the resources that Apple, Redhat, or Microsoft have in this area frankly.

    • by mpe (36238)
      The tendency of Firefox to preserve its own DNS cache means I cannot use it when hopping from VPN to VPN with split DNS running, unless I configure and install my _own_ local DNS server to auto-reconfigure every time I activate a VPN. I'm afraid it's become unusable for me for real work and testing when switching from internal to external website access as I debug network and configuration issues: it's the only browser that fails this way.

      It's generally a bad idea for applications to be caching DNS at all.
  • I think the more concerning thing is that people were probably waiting with their exploits to cash in 50.000USD instead of 3.000 USD and thus lowering security over the bragging rights that Pwn2own is the bestest in finding vulnerabilities. Indirectly they did what closed source does and that was to tell the people NOT to give out their exploits, but instead wait.

    Indirectly is the word here. Now they are aware, they should NOT do it again, because then must take responsibility. If you give people an incentiv

  • by Anonymous Coward

    someone forgot Opera? Just asking. www.opera.com

  • ... that open source is superior. owait...
  • I'd be more concerned about the severity of the exploit than the number of them.

  • Every can be broken into and some asshole can do arbitrary things on a user's machine because...

    • Defensive programming is not uppermost in their minds, performance is and that is a problem.
    • Old code that should have been ripped out with extreme prejudice long ago still exists, eg: Driveby's

    And on top of those two things there is the ever changing HTML specification, the ever changing CSS specification, and the bit of garbage called DOM.

    And cracked by a "carefully constructed URL?!? What!?!?! Can these
