“As day one of the annual Pwn2Own hacker contest wound down on Wednesday, no browser suffered more abuse than Google Chrome, which was felled by an attack exploiting a previously unknown vulnerability in the most up-to-date version. Combined with a separate contest Google sponsored a few feet away, it was the second zero-day attack visited on Chrome in a span of a few hours.” Google fixed the issue within 24 hours.
1 discovered vulnerability in 4 years is a pretty decent record, methinks. Props to them.
It’s had a few vulnerabilities, but no 0-day exploits. Which is still a good record, of course.
Edit: And it’s not like IE9, although improving, has fared any better at this year’s pwn2own: http://www.zdnet.com/blog/security/pwn2own-2012-ie-9-hacked-with-tw…
Now, what about mobile?
Edited 2012-03-09 14:08 UTC
I’m not shocked to find out Google Chrome had an exploitable bug. For me, the more important metric is how long it took for a patch to be delivered. Vuln reported to vendor yesterday, patch available today.. can’t. They can have fifty bug reports a day and I’m still happy if that means fifty patched bugs the next day.
The Chrome hack video (http://youtu.be/c8cQ0yU89sk) from Vupen (quoted in Ars Technica) showed Chrome browser version as v11. The hack may be only theoretical (meant for sensational headlines). Chrome’s auto-update policy would have ensured that all its users would be running the current version, i.e., Chrome v17 or v18 (with that hole plugged).
Unless I missed something, only Sergey Glazunov’s exploit demonstrated in Google’s contest pertained to the latest version of the browser.
The competition also involves on-the-spot writing of exploits for previously patched vulnerabilities. That should explain why Chrome v11 is used.
For unknown reasons (at least to me) Chrome has a growing long tail of users who are not updated to the latest version.
Probably because they have run into a website that the new one is incompatible with, or their OS doesn’t like the new one? I’ve run into that myself with Dragon (Chromium based) with one customer who has a little website she likes to go to that simply hangs on anything newer than Dragon 12, and I myself have stopped at Dragon 14 for a while because anything over that doesn’t seem to like the shell I have for XP.
I’m backing up my user folder now to try the latest release but if it doesn’t load the websites I use correctly or hangs I’ll be going back to 14 as it’s not worth changing the OS or jumping through hoops just to have the latest and greatest on an old nettop.
I suppose the update process could be also simply failing for various reasons, which would accumulate on more and more machines, over time – for example, starting with simple lack of enough free space on C (yeah, you’d think that’s unheard of; but, I can imagine small portion of people somehow mostly filling it up, after Chrome installation, then just moving to other drives for their “usual” storage …while Chrome – relatively hungry for free space during updates – languishes)
MS has to regression test everything against all of the dependencies in Windows and a host of third-party solutions that depend on IE.
Chrome, being not part of any operating system anyone really cares about (sorry, Chrome OS), doesn’t have to do that much and can roll out the updates and bugfixes much faster.
I always said Microsoft’s ploy of integrating IE into Windows would hamper evolution of the browser.
Certainly goes against their argument that it was a “requirement” and “natural evolution” of Windows rather than an underhanded anti-competitive action.
–The loon
Well, to be fair to Microsoft, they weren’t very good at modularizing their code in the 90’s. They were in the process of spaghetti-izing the kernel, so it probably seemed natural to sprinkle the parmesan cheese of IE in there as well.
Well to be fair at the time we are speaking of even a single MP3 could have taken a couple of hours thanks to the crappy dialup speeds and by integrating MSHTML.DLL they were able to allow companies to completely abandon their old help file systems for simple HTML pages that shaved several Mb off of software.
Honestly the only thing I’d argue that should have gotten them busted under antitrust was the same thing that Intel should be busted for, and that’s the backroom deals with OEMs. We can see what a negative effect it had on the market in the Intel case, simply by looking at any retail shop and seeing how many AMD machines there are now where before there were none, but part of the reason you can’t see the same with MSFT is that nobody dared try with the OEM deals. BeOS was PPC up until it was too late, Linux was (I’d argue still is) too CLI heavy, and Apple never cared for the low end markets.
But if you think it was MSFT bundling IE that killed Netscape then obviously you were never a user of their product, particularly Netscape 4. Here is my impression of NS 4 on Win9X: “Oh good, it’s installed. Now I’ll just go to my favorite web…/browser crashed/..huh. Well maybe it just don’t like that site. No matter, I have the whole web at my fingertips I’ll just go to one of the…/browser hangs/…huh. Well if at first you don’t succeed, I’ll just check my webmail and then…/browser BSODs entire system/ *&^%*&^*^%!”
IE won not because of bundling, or that it was better, or even because it was good, but because the other browser company decided to release a version that was the equivalent to a punch in the face, yes it was THAT bad. Heck, how do you think MS Office came to dominate? It was because the old king of the hill WordPerfect released a badly ported DOS version as their Windows version that was more likely to corrupt files or hang the system than it was to actually run. Honestly most of MSFT’s fortune came from others being idiots, Kildall blowing off IBM, JLG sticking BeOS with the more expensive PPC CPU, the Pepsi guy at Apple letting the OS fall behind while releasing a ton of overpriced overlapping models so nobody knew what was what, idiots all.
bassbeast,
Legend has it that Microsoft had used one API for the pre-Win95 launch, but was working on another secretly and switched them at the last moment to make WordPerfect buggy, which is allegedly why Novell didn’t have their ’95 version ready until 1996.
It might just be Novell whining about their failure, but given what we know about Microsoft’s conduct I certainly wouldn’t put it past them. Of course it’s useless history now, but the courts did debate this topic in the antitrust case.
http://www.zdnet.com/news/microsoft-vs-doj-its-all-in-the-apis/9612…
http://www.stuff.co.nz/technology/6012175/Gates-testifies-in-US-1B-…
Bill Gates himself was quoted in an email in ’94:
“I have decided that we should not publish these extensions. We should wait until we have a way to do a high level of integration that will be harder for likes of Notes, WordPerfect to achieve, and which will give Office a real advantage . . . We can’t compete with Lotus and WordPerfect/Novell without this.”
Edited 2012-03-10 10:04 UTC
Life has taught me that you’re going to find similar emails in any big corporation, even Google, the now beloved geek corporation.
Amazing how you made it sound so easy to support multiple platforms and oh soo difficult to test on only 1 platform! And the tech ignorant quickly gave you plusses!
Congrats!
Windows is not a single platform, and the interactions with the rest of the system are more complex because it’s built in, and it’s easy for them to screw up a big customer with a bug fix. It’s happened in the past, wouldn’t be surprised if it happens again.
I would assume that Chrome’s tests are less dependent on the other pieces of software installed, and less likely to cause problems for other pieces of software.
Making bad design decisions isn’t a good excuse.
No, but sadly very common in big companies.
Developers can make terrible decisions and assumptions when they write code. And often management doesn’t help.
My first job was like beating my head against the wall, with a boss that kept directing me to do stupid things with the software out of paranoia of pirating. Keep in mind the software was never actually sold to anyone, ever. But we pretended to sell it in order for sales guys to use it as a bargaining chip when selling some of our hardware. Really, anyone could call up our support and get it shipped free of charge to them, no questions asked. But, we had to put crazy half-baked anti-theft stuff in there to reinforce the “deal” the customers were getting. It being half-baked usually just killed the customer’s data at a whim, due to a crazy assumption that was built in to the requirements.
I always think that if the Pascal family of languages had become what C and C++ are nowadays these types of exploits would not be so common.
Surely one can manipulate the assembly code, but still many exploits won’t be that easy to exploit as it is still the case.
Luckily compiler technology advances like what Clang is doing, are helping to make static analysis mainstream, and help minimize exploits.
The problem is all these systems are being hacked in minutes each and every year.
That isn’t a good sign at all!
It should be hard to hack an up-to-date system.
The main problem is that the foundations of today’s systems are still built in sand.
Until we are using safer systems programming languages and better OS sandboxes, the situation will only get worse.
Actually, what Apple is doing in Mountain Lion, might somehow help, even if we as geeks don’t like it.
They are not being hacked in minutes, the researchers took several weeks if not months to develop their exploits… It’s actually running the exploits that takes minutes, but finding the bugs and writing the exploits is quite time consuming.
The reason they fixed it so quickly was because it came out during a high-profile contest. Meanwhile, countless other bugs go ignored in their database, and Chrome devs spend more time arguing with people reporting bugs than actually fixing things. Chrome devs are particularly bad about usability bugs, mostly because they’re not very good at usability.