
Pwn2Own 2010: Google Chrome is the last man standing


Night Owl


Pwn2Own 2010 is under way, and after day one of the annual security showdown the results are darn near an exact replica of last year's. Safari was the first to fall, followed by Internet Explorer 8 on Windows 7. Firefox on Windows 7 x64 was also taken down, as was the iPhone's mobile Safari. Google Chrome, however, has yet to succumb.

Once again, it's Chrome's sandbox which is making things difficult. At last year's Pwn2Own, Charlie Miller had this to say:

"There are bugs in Chrome but they're very hard to exploit. I have a Chrome vulnerability right now but I don't know how to exploit it. It's really hard. They've got that sandbox model that's hard to get out of. With Chrome, it's a combination of things - you can't execute on the heap, the OS protections in Windows and the Sandbox."

Miller successfully targeted Safari on OS X using one of 20 exploits he had at the ready -- exploits which he uncovered using a simple 5-line Python script. "Tomorrow, I'm going to describe exactly how I found them, so hopefully that means Apple will replicate what I did and they'll find my 20 [bugs] and probably a lot more," Miller stated.

The mobile Safari attack was particularly impressive, since running code on the iPhone requires a valid digital signature. By rearranging bits of pre-signed code, Halvar Flake of Zynamics was able to deliver a malicious payload via Safari and force the iPhone to cough up its complete SMS database. Contacts and messages were laid bare -- including deleted ones.

While most (if not all) of these exploits aren't being used in the wild, it's still an indication of just how scary the landscape of the Internet is right now. How do you stay safe? Google Chrome looks like a good choice, obviously, but there's another option: Opera.

As one participant put it, "I use Opera, but that's basically because it has a tiny market share and as far as I know, nobody is really interested in creating a drive-by download for Opera."

Gotta love security by obscurity -- am I right, Apple fans?

Source


So the reason why they didn't try Opera was because it is rarely used?

I was kinda hoping to see how Opera would stack up there, guess not.
