CanSecWest is a conference, and 2013’s conference once again involved the Pwn2Own contest for hackers, an elite (1337) competition. The concept remains simple, as always: if you pwn a fully-patched browser running on a fully-patched laptop, you get to keep the laptop.
However, different rules applied this year. Winning involved successfully demonstrating the exploit and providing the sponsor (HP) with the fully functioning exploit and all details of the vulnerability used in the attack. If many vulnerabilities were used, multiple reports were needed, etc.
The work couldn’t be sold to anyone else, and the proof of concept would belong to HP once sold. Basically, HP buys the winning exploits for its own use. Their idea of reward money was the following:
- Google Chrome on Windows 7 = $100,000
- IE10 on Windows 8 = $100,000 or IE9 on Windows 7 = $75,000.
- Mozilla Firefox on Windows 7 = $60,000
- Apple Safari on Mac OS X Mountain Lion = $65,000
- Adobe Reader XI and Flash Player = $70,000
- Oracle Java = $20,000
It was assuredly a blast at the competition, no doubt about it.
DAY ONE: Java, Chrome, IE10, and Firefox PWNED!!!
(Where’s Safari, right? It survived!)
The idea behind each attack is the ability to browse to an untrusted website where you’re able to inject and run arbitrary code outside of the browsing environment.
Of course, one of the rules is: “A successful attack … must require little or no user interaction and must demonstrate code execution… If a sandbox is present, a full sandbox escape is required to win.”
In addition to Chrome, Firefox, and IE10 being pwned, Java was pwned three times on the first day: once each by James Forshaw, Joshua Drake, and VUPEN Security. VUPEN Security also led the pack by successfully exploiting IE10 and Firefox as well.
The only other exploit was by Nils & Jon, who together successfully exploited Chrome.
The day after the first day of Pwn2Own, Mozilla and Google patched the vulnerabilities behind the demonstrated exploits. Amazingly fast, Firefox went on to version 19.0.2 (to which you should’ve been updated automatically), and Chrome went on to version 25.0.1364.160 (effectively patching 10 vulnerabilities).
“We received the technical details on Wednesday evening and within less than 24 hours diagnosed the issue, built a patch, validated the fix and the resulting builds, and deployed the patch to users,” said Michael Coates, Mozilla’s director of security assurance, in a Thursday blog.
Microsoft has decided to wait until next week’s Patch Tuesday run of updates to push out the fix for the Internet Explorer exploit on IE10.
DAY TWO: Adobe Reader and Flash Player PWNED!!! Java PWNED AGAIN!!!
Flash Player…exploited by VUPEN Security (any surprise?). Adobe Reader PWNED by George Hotz. Java once again was exploited, this time proxied by Ben Murphy.
Who’re the overall prize winners?
- James Forshaw, Ben Murphy, and Joshua Drake for Java – each $20,000
- VUPEN Security for IE10 + Firefox + Java + Flash – $250,000
- Nils & Jon for Google Chrome – $100,000
- George Hotz for Adobe Reader – $70,000
Of course, George Hotz is best known for jailbreaking the iPhone and PlayStation 3. He’s still in a lawsuit with Sony over the PS3 issue.
Now in its eighth year, the Pwn2Own contest had $480,000 in payouts, a record year. Amazing!
Firefox 19 now has a PDF viewer (Yay, bells and whistles)! Time to kick Adobe Reader, you know, because of all the exploits.
Technically, the tool has been in Firefox for many versions, but you had to manually enable it. The whole point of the built-in PDF viewer is to avoid having to use plugins with proprietary closed source code “that could potentially expose users to security vulnerabilities.”
The new PDF viewer doesn’t even require a secondary plugin or anything! It has its own ability to draw images and text.
A little more explained:
“Firefox for Windows, Mac and Linux introduces a built-in browser PDF viewer that allows you to read PDFs directly within the browser, making reading PDFs easier because you don’t have to download the content or read it in a plugin like Reader. For example, you can use the PDF viewer to check out a menu from your favorite restaurant, view and print concert tickets or read reports without having to interrupt your browsing experience with extra clicks or downloads,” Mozilla said.
In addition to that exciting news, Firefox 19 also fixes an HTTPS phishing flaw, which was reported by Michal Zalewski, a Google security researcher. It involves a proxy’s 407 response: if a user canceled the proxy’s authentication prompt, the browser continued to display the requested site’s address in the address bar. Attackers can use this to spoof a site and tell users to enter credentials. Read more in the Mozilla advisory about this.
In Firefox, if you’re not automatically prompted to update, then do so as soon as possible by clicking the Firefox tab at the top left corner of the browser, hovering over Help, and clicking About Firefox. You may also have to click Check for updates in the window that pops up. You should then be patched.
Security never takes a holiday, unlike most other industries in the world. The proof is in the spam email, vulnerability updates, etc. arriving right in the same week as the holidays. Thankfully, most of us will have some time with our families. But the point here is that Firefox 17.0 has been officially released, right on schedule!
On the technical side of things, the biggest change in this version is HTTPS enforcement, as described:
Mozilla has engineered new “rules” to enforce HTTPS for certain websites. Mozilla calls the new technology, to be included in Firefox 17 (currently in BETA), HTTP Strict Transport Security (HSTS). It is a mechanism that forces certain websites to use an HTTPS connection with the browser, as long as it matches the security certificate presented.
In other words, it gives Firefox the ability to read SSL certificates and check that they are legitimate. Once a certificate is verified and matched, Firefox forces the site to load over HTTPS, even if the browser receives an HTTP request.
“When a user connects to one of these hosts for the first time, the browser will know that it must use a secure connection. If a network attacker prevents secure connections to the server, the browser will not attempt to connect over an insecure protocol, thus maintaining the user’s security,” Mozilla claims.
Now, there are also a ton of bugs that were fixed in this release. Mozilla patched 2365 bugs in this version…16 bundles involving things like the normal memory corruption or buffer overflow, CSS and HTML injection through Style Inspector, and various image rendering issues (security-wise).
Firefox should automatically prompt you, or install the update and then prompt you, or you can check for the update via Firefox tab > Help > About Firefox > Check for updates. If a manual download and install is needed, simply go to http://www.getfirefox.com
Once you install Firefox, it will ask to restart your browser. Please allow it to do so, in order for it to finish updating and get you secure and well on your way in the dangers of the Internet. Safety is especially a concern as we head into the holiday shopping day, Cyber Monday, next week. Get updated now!
Say you are on the Gmail login page and the web browser, as always, has auto-filled the username and password fields for you.
This is convenient because you can sign in to your account with a click, but because you have not been typing these saved passwords for a while now, you don’t even remember the Gmail password anymore.
All web browsers, for security reasons, mask the password fields in login forms behind asterisk characters thus making it impossible for passersby to see your secret string.
There’s however an easy workaround that will let you convert those asterisks into the actual password and you don’t need any external utilities or bookmarklets for this. Here’s how:
As we reported yesterday, users were told to downgrade to Firefox 15.0.1 from version 16, because of a vulnerability. Now, that vulnerability has been fixed, and Firefox 16.0.1 is now available.
To get the newest version of Firefox now (if it hasn’t already prompted you), click the orange Firefox button, then select Help > About Firefox > Check for Updates.
On the same blog post pointed to yesterday, Mozilla developer(s) placed an update:
- An update to Firefox for Windows, Mac and Linux was released at 12pm PT on Oct 11. Users will be automatically updated and new downloads via http://www.mozilla.org/firefox/new/ will receive the updated version (16.0.1).
- A fix for the Android version of Firefox was released at 9pm PT on Oct 10.
Issue: Mozilla is aware of a security vulnerability in the current release version of Firefox (version 16). We are actively working on a fix and plan to ship updates tomorrow. Firefox version 15 is unaffected.
Impact: The vulnerability could allow a malicious site to potentially determine which websites users have visited and have access to the URL or URL parameters. At this time we have no indication that this vulnerability is currently being exploited in the wild.
Status: Firefox 16 has been temporarily removed from the current installer page and users will automatically be upgraded to the new version as soon as it becomes available.
Reference: Mozilla Blog
How to downgrade the easy way?
If you’re using version 16, it is highly recommended to downgrade now. If you want to downgrade the easy way for Firefox, go to http://getfirefox.com and download the installer for 15.0.1.
Once you have downloaded the installer, run it (or double-click it), and allow it to “Upgrade” the install; technically, the installer will not recognize that it’s truly downgrading Firefox.
Once that’s done, start up Firefox again, and it shall be back to 15.0.1, and vulnerability free!
When it comes to browser security, it is best to always keep in mind the different issues with malware exploitation. In other words, the possibility of viruses/malware installing themselves on your computer without your permission depends on your web browser.
The problem faced in current popular web browsers is that they do not warn the user if a download is coming from a third-party domain. This is found in Google Chrome, Mozilla Firefox, and Windows Internet Explorer.
Also, a vulnerability exists in HTML5 that allows widgets, sandboxed frames, etc. to download data from a third party. If a user inadvertently browses to a malicious widget, like on a popular website, viruses/malware can be installed on the user’s computer. This is mainly the case if they don’t have good antivirus protection, which can block these types of incidents.
The only one that seems to be serious about it, per speculation, is Google. Microsoft may be thinking about a fix for the issues in future versions of IE. Mozilla may not be addressing the issue anytime soon!
Browser security needs to improve as soon as possible, and if the above vulnerabilities are fixed, the issues with inadvertent downloading should be resolved.