By Sebastian Anthony on March 17, 2014 at 9:09 am
At Pwn2Own 2014, an annual
computer hackfest in Vancouver, Mozilla’s Firefox has proven yet again
that it’s the least secure major web browser. While all four major web
browsers — Chrome, Internet Explorer, Firefox, and Safari — were
successfully exploited, for a grand total of $850,000 in prize money
awarded to successful security researchers, Firefox was by far the least
secure browser, racking up no less than four zero-day vulnerabilities.
These vulnerabilities, if they were in the wild, would allow a hacker to
do just about anything with your computer if you visited a specially
crafted website.
Firefox has never had a great record at Pwn2Own.
While the format of the contest has generally changed every year since
its inauguration in 2007 (different platforms, different rules,
different attack vectors), Firefox has been involved in some way or
another since 2009. While Chrome went unhacked in 2009, 2010, and 2011,
the only year that Firefox wasn’t hacked was 2011. Since 2012, however,
as security researchers have grown ever more wiley, every major browser
has fallen to at least one zero-day vulnerability. That four separate vulnerabilities were found in Firefox at Pwn2Own 2014, however, is impressive. (Read: The death of Firefox.)
Firefox’s
weaker security is generally attributed to its lack of a sandbox — a
shell or firewall around a piece of software that keeps it segregated
from the rest of the operating system. In theory, the sandbox should
prevent the browser from running other programs, reading the contents of
your RAM, or opening other files. Chrome, Safari, and Internet Explorer
(newer versions) all have a sandbox, while Firefox does not. In short,
if someone finds a big enough vulnerability in Firefox, there’s nothing
preventing them from gaining complete access to your computer. It is
slightly disconcerting that security researchers found four such
vulnerabilities in just three days at Pwn2Own. (Read: How to surf safely: From LastPass to tin foil hats, and everything in between.)
Somewhat
fortunately for us, since Pwn2Own 2013, all of the vulnerabilities are
reported to the web browser makers so that they can be fixed in a timely
fashion. Still, it is a good reminder that Firefox might not be the
best choice of browser if security is one of your primary concerns when
surfing the web. As for why Firefox doesn’t have a sandbox, it’s most
likely because it was conceived in an era when security on the web was
still a nascent and naive topic. Chrome, which was developed a few years
later, was intentionally designed from the outset to be very fast and
secure. Likewise, Microsoft went through a complete overhaul between IE8
an IE9, adding a sandbox and other modern features so that it could
actually stand next to its peers without being snickered at. Mozilla
would like to add sandboxing to Firefox, it’s very hard to add
sandboxing to a program that wasn’t originally designed for it. (For
technical people: It’s closely linked to the Electrolysis project, which
will eventually give Firefox per-tab processes.)
A grand total of
$850,00 in prize money was given out to security researchers at Pwn2Own
2014. Much like 2012 and 2013, French security firm Vupen had a very
strong showing, taking home $400,000 for a total of 11 zero-day
vulnerabilities, covering Chrome, Firefox, IE, and Adobe Flash and
Reader. George Hotz (yes, Geohot of PlayStation and iOS hacking fame)
took home $50,000 for a Firefox exploit. The prize money is awarded by
the Zero-Day Initiative (owned by TippingPoint, which was acquired by
HP), which actually buys the vulnerabilities from the hackers, so that they can improve the security of TippingPoint/HP products.
Link: http://www.extremetech.com/computing/178587-firefox-is-still-the-least-secure-web-browser-falls-to-four-zero-day-exploits-at-pwn2own