|
Pwn2Own 2014 results
The second and final day of Pwn2Own ended with $450,000 paid to researchers.
» www.pwn2own.com/2014/03/ ··· day-two/ |
|
Breaking out of these sandboxes has become such a trivial matter. The industry needs to move out of the sandboxes and into the tarpits. |
|
|
to Velnias
Every company which puts out a browser should hire at least one hacker and agree to pay him/her more money for more flaws that they discover in the company's product (so that they are motivated to do their best regarding finding these flaws).
Each time that the "internal hacker" discovers how to break in, the company management should speak to the software development team and tell them "We know that you have been working very hard, but the code you have produced isn't secure enough - try again". |
|
siljaline I'm lovin' that double wide Premium Member join:2002-10-12 Montreal, QC |
to Velnias
Prepare to Surf the Wave of Updates
quote: Last week at the CanSecWest convention (covered extensively by my comrade Jerome Segura) the annual Pwn2Own competition took place, where hundreds of thousands of dollars were up for grabs by security teams who were willing to discover new zero-day exploits in common software.
» blog.malwarebytes.org/se ··· updates/ |
|
|
to Velnias
Ultimately the problem is that the browser attack surface is growing faster than security can keep up and no doubt this trend will continue for some time.
All of these companies have 'hackers' working for them and they do find lots of issues which are fixed, but given the growth requirements, resources etc, you're not going to find everything and fix it. Ultimately this is why the NSA doesn't need a built-in backdoor as there are lots within the code naturally.
But another good Pwn2Own is in the books.
Blake |
|
I wish humankind ONE browser without programming errors. God, please (devil Bill Gates in me says that "Hello, World" can be hacked countless ways and forever). |
|
|
A surprising number of vulnerabilities aren't programming errors; they are design errors, often the result of conflicting features.
Blake |
|
|
Agree. Just generalization, because updates do solve design and features problems. Still no safe internet browser in near future. |
|
EUS Kill cancer Premium Member join:2002-09-10 canada |
2014-Mar-19 10:13 am
to Velnias
Code execution on which OS? Linux? Windows? |
|
|
Sorry, what are you about? |
|
EUS Kill cancer Premium Member join:2002-09-10 canada |
2014-Mar-20 9:20 am
said by Velnias: Sorry, what are you about?
About 5'9", you? |
|
|
Lol, thanks for the laugh this morning EUS! |
|
|
|
to EUS
The OSes used that fell victim to code execution were OS X Mavericks and Windows 8.1. I'm not sure Linux has the ability (or perhaps the desire) to put up the prize money these hackers expect for giving away a zero day at Pwn2Own.
Blake |
|
EUS Kill cancer Premium Member join:2002-09-10 canada |
2014-Mar-20 12:32 pm
Thank you, I presumed Apple due to the browser, but when I went to the site, no official mention of any OS used. |
|
|
Chromebook was hacked at Pwnium which is the 'other hacking contest at CanSecWest', gets a little confusing sometimes for sure. |
|
to EUS
I might be mistaken but I think these were the offerings:
Safari on OS X Mavericks - $65k
Chrome on Win 8.1 x64 - $100k
Firefox on Win 8.1 x64 - $50k
MSIE 11 on Win 8.1 x64 - $100k

Plugins
Java running in MSIE 11 on Win 8.1 x64 - $30k
Adobe Reader in MSIE 11 on Win 8.1 x64 - $75k
Adobe Flash in MSIE 11 on Win 8.1 x64 - $75k

And the Unicorn hack - MSIE 11 64 on Win 8.1 x64 with EMET running, sys level code execution - $150k |
|