WatchGuard Technologies, Inc.
WatchGuard Wire

Pwn2Own '09: No web browser is safe

19 Mar 09 -- A student/hacker calling himself Nils has been busy at this year's Pwn2Own contest. For those who don't remember it from last year (subscription required), Pwn2Own is a hacking contest held during a Vancouver security conference called CanSecWest. Many a browser vulnerability has premiered during this contest, and this year is no exception.

According to a Threatpost blog entry, Nils was able to pwn (compromise) pretty much every popular web browser. Specifically, he demonstrated zero-day exploits against Internet Explorer (IE) 8 running on a Windows 7 system, the latest version of Safari running on a MacBook Air, and even the latest version of Firefox. Another security researcher, Charlie Miller, demonstrated an additional Safari vulnerability that supposedly hijacked a MacBook with one click, in under ten seconds. For their efforts, these hackers won $5000 per zero-day exploit and, in some cases, the laptops they pwned.

This contest perfectly illustrates a fact that most security professionals have always known - no single browser or operating system can really be considered more secure than another. While they all may have security features or design benefits that help, they can all suffer from security flaws. So regardless of what applications or OS you use, make sure to patch.

TippingPoint's Zero Day Initiative has bought exclusive rights to these zero-day vulnerabilities, so I don't know the technical details about any of them yet. In fact, I hope that no one else learns the technical details about these flaws until the vendors involved release their patches. That said, I'm guessing that a few of the flaws somehow rely on JavaScript. While I don't really consider Firefox inherently more secure than any other browser, I do think that using Firefox with the NoScript extension can protect you against most web-based malware. Until we get patches for these mysterious zero-day browser flaws, I recommend you use something like NoScript to prevent JavaScript from running in your browser by default.

As an aside, Microsoft has recently released IE 8. While Pwn2Own has already proven that IE 8 isn't invulnerable, it does have some new security features not available in IE 7. You may want to consider upgrading to receive these new security benefits. -- Corey Nachreiner, CISSP

 

Copyright© 2010 WatchGuard® Technologies, Inc. You may copy and distribute this article freely in any medium as long as you copy and distribute the entire article without change and preserve this copyright statement and notice.