CanSecWest is a conference, and 2013’s conference once again involved the Pwn2Own contest for hackers, an elite (1337) competition. The concept remains simple, as always: if you pwn a fully-patched browser running on a fully-patched laptop, you get to keep the laptop.
However, different rules applied this year. Winning involved successfully demonstrating the exploit and providing the sponsor (HP) with the fully functioning exploit and all details of the vulnerability used in the attack. If multiple vulnerabilities were used, multiple reports were needed, etc.
The work couldn’t be sold to anyone else, and the proof of concept would belong to HP once sold. Basically, HP buys the winning exploits for its own use. Their idea of reward money was the following:
- Google Chrome on Windows 7 = $100,000
- IE10 on Windows 8 = $100,000 or IE9 on Windows 7 = $75,000.
- Mozilla Firefox on Windows 7 = $60,000
- Apple Safari on Mac OS X Mountain Lion = $65,000
- Adobe Reader XI and Flash Player = $70,000
- Oracle Java = $20,000
It was assuredly a blast at the competition, no doubt about it.
DAY ONE: Java, Chrome, IE10, and Firefox PWNED!!!
(Where’s Safari, right? It survived!)
The idea behind each attack is the ability to browse to an untrusted website where you’re able to inject and run arbitrary code outside of the browsing environment.
Of course, one of the rules is: “A successful attack … must require little or no user interaction and must demonstrate code execution… If a sandbox is present, a full sandbox escape is required to win.”
In addition to Chrome, Firefox, and IE10 being pwned, Java was pwned three times on the first day: once each by James Forshaw, Joshua Drake, and VUPEN Security. VUPEN Security also led the pack by successfully exploiting IE10 and Firefox as well.
The only other exploit was by Nils & Jon, who successfully exploited Chrome.
The day after the first day of Pwn2Own, Mozilla and Google patched the vulnerabilities that had been exploited. Amazingly fast, Firefox went on to version 19.0.2 (to which you should have been updated automatically), and Chrome went on to version 25.0.1364.160 (effectively patching 10 vulnerabilities).
“We received the technical details on Wednesday evening and within less than 24 hours diagnosed the issue, built a patch, validated the fix and the resulting builds, and deployed the patch to users,” said Michael Coates, Mozilla’s director of security assurance, in a Thursday blog.
Microsoft has decided to wait until next week’s Patch Tuesday run of updates to push out the fix for the Internet Explorer exploit on IE10.
DAY TWO: Adobe Reader and Flash Player PWNED!!! Java PWNED AGAIN!!!
Flash Player…exploited by VUPEN Security (any surprise?). Adobe Reader PWNED by George Hotz. Java once again was exploited, this time proxied by Ben Murphy.
Who’re the overall prize winners?
- James Forshaw, Ben Murphy, and Joshua Drake for Java – each $20,000
- VUPEN Security for IE10 + Firefox + Java + Flash – $250,000
- Nils & Jon for Google Chrome – $100,000
- George Hotz for Adobe Reader – $70,000
Of course, George Hotz is best known for jailbreaking the iPhone and PlayStation 3. He’s still involved in a lawsuit with Sony over the PS3 issue.
Now in its eighth year, the Pwn2Own contest had $480,000 in payouts, a record year. Amazing!
News from December 23-26, 2012: ZeroAccess new variant, Google Chrome changes, Fake YouTube notifications
The following is the latest list of updates in the computer security industry:
- For those who know how much of a pain ZeroAccess can be, a new variant was released lately that hides module paths, most of them showing descendants of malware-infected porn files (particularly about animal sex or erotica).
- It will now be impossible to silently install extensions into Google’s Chrome browser. With version 25, the option is no longer allowed.
- People are being scammed by spam and other notifications for pharmaceutical ads promoting on YouTube. These spammers commonly operate in affiliate networks, pushing fake drugs and other false pharmaceuticals.
That is all the latest news, which we missed because of the Christmas holiday. Kudos to everyone!
Google released a new update for the stable version of Chrome, now at version 23.0.1271.97. All of the supported platforms have an update: Windows, Mac, Linux, and Chrome Frame.
One of the issues fixed involves a website settings popup having text trimmed under certain conditions. Another fix addresses a Linux bug in which <input> selection rendered white text on a white background, making the string invisible. Also repaired is an issue in which plugins such as Google Voice and Unity Player would stop working. This revision also includes the latest version of Adobe Flash.
Check for the latest Chrome download on www.google.com/chrome or in the Chrome browser, hit the settings button on the top right, select About Google Chrome. Usually, Google Chrome updates are automatically applied using Google Updater.
Two major vulnerabilities were identified in Google Chrome that could allow an attacker to execute malicious code and take control of the computer. These vulnerabilities affected Windows and Mac. Google’s release of the latest Chrome version, now at 23.0.1271.95, should fix these vulnerabilities.
According to ThreatPost, a researcher named Pinkie Pie discovered one of these bugs:
-  High CVE-2012-5138: Incorrect file path handling. Credit to Google Chrome Security Team (Jüri Aedla).
- [$7331]  High CVE-2012-5137: Use-after-free in media source handling. Credit to Pinkie Pie.
More information can be accessed on the Google Chrome Releases Blog
Election Day brings Adobe’s critical updates for Flash and AIR, so update today to fix seven (7) vulnerabilities.
Updates are currently available as follows:
- Windows & Mac – 11.5.502.110
- Linux – 184.108.40.206
- Android 4.* – 220.127.116.11
- Android 3.* & 2.* – 18.104.22.168
- Google Chrome automatically updates the Flash version built in.
- Windows, Mac, SDK for iOS and Android – 22.214.171.1240
Be sure to download the Flash updates both for Internet Explorer and for Firefox/Safari/Opera/other browsers.
Also, note that Windows Update will help install the updates in Windows 8/IE 10.
Say you are on the Gmail login page and the web browser, as always, has auto-filled the username and password fields for you.
This is convenient because you can sign-in to your account with a click but because you have not been typing these saved passwords for a while now, you don’t even remember the Gmail password anymore.
All web browsers, for security reasons, mask the password fields in login forms behind asterisk characters thus making it impossible for passersby to see your secret string.
There’s however an easy workaround that will let you convert those asterisks into the actual password and you don’t need any external utilities or bookmarklets for this. Here’s how:
160 vulnerabilities are being fixed with a new release from Apple for iTunes 10.
The newest version number is 10.7. Update now!
Most of the fixes rolled out involve WebKit. WebKit is a layout engine from Apple, which allows webpages to be rendered in a browser. Therefore, the main problems faced in iTunes 10 are with the Store site. WebKit is also used in the Safari browser by Apple and the Chrome browser by Google. Google apparently helped get the fixes for Apple’s iTunes program.
Many of the vulnerabilities in WebKit are from bug reports in 2011. Just now fixing these flaws shows how low this is on the priority list with the Apple development team concerning iTunes. These same vulnerabilities were apparently fixed long ago in Safari and Chrome. So, what’s the excuse?
Users can get the security fixes by updating iTunes directly in the application.
Apple’s statement on the security update page:
Available for: Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit. These issues are addressed through improved memory handling.
The Google Chrome development team has released the newest version of Chrome today, version 21. You can get this update installed now as such:
- Hit the Wrench Icon in the top right corner of the browser.
- Select About Google Chrome.
- It will automatically check for and install the update.
- Once done, it will ask you to relaunch the browser. Please do so to make sure it finishes installing.
When you check the About Google Chrome again, you should see that it’s updated as such:
This update fixes three critical security issues. According to Naked Security by Sophos:
The first, CVE-2012-2866, fixes a problem in which Chrome failed to properly perform a cast of an unspecified variable during handling of run-in elements. If left unpatched, it could allow attackers to cause a denial of service (or worse) on a vulnerable Chrome instance using a specially-crafted document.
The second security hole rated “high,” fixes a fault, CVE-2012-2869, in which Chrome improperly loaded URLs which could allow remote attackers to create a denial of service or, possibly, take additional actions on a vulnerable system.
The third vulnerability with a “high” rating, CVE-2012-2871, fixes a problem with libxml2 2.9.0-rc1 and earlier, a standard Google Chrome component. Earlier versions of that library don’t properly support a cast of an unspecified variable during XSL transforms – a process in which webpage style sheets are rendered when a page is loaded.
Since Google began its bounty programs for bug finding, a flood of new security vulnerabilities has surfaced. It’s now getting easier for software testers to make some extra cash.
A new update release from Adobe comes a week after its previous release, which was critical. Having subsequent updates for critical flaws begs the question of whether or not Flash Player is safe. It looks as if AIR was affected as well. This patch closes six vulnerabilities, helping to safeguard against hackers.
These platforms are affected, and now have a patch available for download:
- Windows (New update: 11.4.402.265)
- Mac (New update: 11.4.402.265)
- Linux (New Update)
- Android (New Update)
The customized Google Chrome version (Pepper) should automatically update to version 126.96.36.199 for PC and 11.4.402.265 for Mac.
For Windows and Mac users, bear in mind the new Adobe AIR 188.8.131.520, which you should include with your updates for Flash Player.
This week’s update fixes the following, according to Adobe:
- These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2012-4163, CVE-2012-4164, CVE-2012-4165, CVE-2012-4166).
- These updates resolve an integer overflow vulnerability that could lead to code execution (CVE-2012-4167).
- These updates resolve a cross-domain information leak vulnerability (CVE-2012-4168).
When it comes to browser security, it is best to always keep in mind the different issues with malware exploitation. In other words, the possibility for viruses/malware to install themselves on your computer without your permission is more apparent depending on your web browser.
The problem faced in current popular web browsers is that they do not warn the user if a download is coming from a third-party domain. This is found in Google Chrome, Mozilla Firefox, and Windows Internet Explorer.
Also, a vulnerability exists in HTML5 that allows widgets, sandboxed frames, etc. to download data from a third party. If a user inadvertently browses a malicious widget, like on a popular website, viruses/malware can be installed on the user’s computer. This is mainly if they don’t have good antivirus protection, which can block these types of incidents.
The only one that seems to be serious about it, per speculation, is Google. Microsoft may be thinking about a fix for the issues in future versions of IE. Mozilla may not be addressing the issue anytime soon!
Browser security needs to improve as soon as possible, and if the above vulnerabilities are fixed, the issues from inadvertent downloading should be resolved.