Google's investment in security
experts to find weaknesses in its Chrome browser has apparently reaped dividends at a prominent hacking contest.
Mozilla's Firefox also survived the Pwn2Own contest unscathed. Both companies sent out updates in recent weeks and offered cash prizes for anyone who found bugs, with Mountain View, Calif.-Google reportedly shelling out $14,000 for the tips.
The fifth annual contest coincides with the CanSecWest security conference held by HP TippingPoint and challenges security experts to take on patched versions of the latest browsers and operating systems for both desktop and mobile computers (with codes "frozen" two weeks earlier).
It is the third straight year that Google's Chrome has gone unhacked at the event and this year the search giant offered $10,000 -- in addition to the contest prize cash and the computer used in the contest -- to the first team to discover a weakness. Although two teams registered to do so, one didn't show up and the other reportedly decided to attack Research in Motion's BlackBerry software instead.
Among the losers were Microsoft 's Internet Explorer 8, which was found to have three unpatched vulnerabilities by a British independent researcher, Stephen Fewer, ComputerWorld reported. Fewer said he spent six weeks developing an attack on Explorer's sandbox, which is designed to keep malicious code out.
Apple's Safari, just updated for bugs, also fell, in a mere five seconds to a French team who exploited a weakness in the open-source browser rendering engine, Webkit, according to ZDNet, which said the team from the testing firm Vupen won $15,000 and an Apple MacBook Air.
The hackers attacked the browsers one at a time, rather than go head to head to see which fell first.
"Looks like Google scared off the hackers with its security updates," said Ed Skoudis, an instructor at the SANS cybersecurity institute in Bethesda, Md.
According to a report in The Guardian, an attempt to hack Google's Android mobile operating system was canceled after Google patched the hole he had planned to exploit.
Skoudis said Explorer and Safari were seen as the "easy pickings" in the contest.
"Google has done some good things with Chrome over the past two years," he said. "When it first came out, its security was rocky, but they've rapidly gotten better. I think Apple has been lulled into complacency with Safari, given that its low market share means that attackers don't spread exploits for it as often as for other browsers. I believe strongly that it is more vulnerable, but less exploited.
But that may not last long.
"As its market share increases, especially with mobile Safari on iPhones and iPads) I think that equation will turn against Apple," said Skoudis. "They will have to get much more serious about security."
Posted: 2011-03-11 @ 5:12pm PT
I'm not sure about this title. It's pretty biased, especially for an article posted on the first day of the event.
"Chrome collects dust in corner" might be more accurate.
Posted: 2011-03-10 @ 5:30pm PT
"When it first came out, it's security was rocky, but they've rapidly gotten better."
It should be ITS not IT'S.
Ed. note: Yes, fixed it, thanks!