Pwn2Own is an annual event that pits security researchers against current software security (basic application security). During the event, “contestants” use various exploits to try to execute arbitrary code on a system. Although there are many different events, the one we are concerned with in this article is the browser hacks. Here the target is still a system, but the attack vector has to be the browser in some form. As we mentioned above, Mozilla’s Firefox, often hailed as the most secure browser, was hit by a total of four different exploits that allowed execution of arbitrary code on the target system. This made it the browser with the most working zero-day exploits.
One of the problems with Firefox is that there is still no real sandbox to prevent malicious code from exiting the browser and getting into the OS. This does not mean that having a sandbox will protect you, though: Safari, Chrome and even IE have them, and they were hacked as well. Just recently Microsoft’s own mitigation tools were “P0wned” when a security research firm used existing DLLs to get around… well, all of them.
It is pretty sad for Mozilla to get taken like this (four separate zero-day exploits is a lot), considering they have campaigned as the “better” alternative to Internet Explorer for so long. Still, all of the exploits used were handed over to Mozilla so they can fix them. Perhaps we will see an improved browser from them in the near term with better security. This would be the best thing for all, but it is still important to remember that there is no such thing as a secure web browser: ALL of them can be, and have been, hacked and exploited.