At this year’s Pwn2Own hacking contest, no target escaped unscathed. The hacking teams found 21 vulnerabilities in Windows, Mac OS X, Flash, Safari, Edge and Chrome, for which they were awarded a total of $460,000.
The two main sponsors of the event were Hewlett Packard Enterprise and Trend Micro. HPE is selling its TippingPoint security division, which runs the Zero Day Initiative that organizes Pwn2Own, to Trend Micro for $300 million, so Trend Micro will remain the main sponsor going forward; this year the two companies co-sponsored the contest.
Windows Still Easiest to Hack
Comparing an operating system to a browser by vulnerability count isn't quite fair, because an operating system has a much larger attack surface. The OS bugs matter to a browser contest all the same: a renderer exploit on its own is contained by the browser's sandbox, so a winning chain needs a second bug, typically in the kernel or another privileged OS component, to escape the sandbox and reach SYSTEM or root. This is why the Pwn2Own browser contest counts operating system attacks as well.
The hackers found six vulnerabilities in Windows 10 - the most found for a single target at the competition. However, Apple’s Mac OS X wasn’t too far behind, as they found five vulnerabilities in it.
Edge, Safari Successfully Attacked
Safari was attacked three times, and all three attempts succeeded. Microsoft's new Edge browser proved more difficult to attack than Microsoft's previous browsers, but it was still compromised on both attempts.
With Edge, Microsoft ditched most of the legacy code found in Internet Explorer, so it should be expected to be more secure. However, it also looks like the hackers may not have focused as much on it, possibly because they believed it would be hard to break. We'll have to see whether Edge can be consistently more secure than most other browsers at the next Pwn2Own competitions.
Chrome Still Security King
Chrome was built with security in mind from day one, and over the years it has proven to be the overall most secure browser. Its multi-process sandbox, which has often been criticized for using too much memory, its large development team, and the fact that most of the browser is open source have all played a role in strengthening Chrome's security.
The hackers attacked Chrome twice. One attack failed, and the other was deemed only a partial success, because the vulnerability it relied on had already been independently reported to Google. Pwn2Own pays for bugs the vendor does not yet know about, so a previously disclosed bug earns only partial credit.
At this year's Pwn2Own, we noticed that Firefox was missing. Apparently, the sponsors thought Firefox was too easy a target, since it hasn't added major security improvements over the past year.
Firefox was supposed to get the ever-delayed Electrolysis multi-process architecture, which moves web content out of the browser's main process, in Firefox 43, but it was pushed back to version 45. We're now at Firefox 45, and Electrolysis is still not enabled by default. Firefox remains one of the last major browsers without a sandbox, which makes each of its bugs more dangerous than a comparable bug in its competitors: a single exploitable flaw in content rendering yields code execution with the user's full privileges instead of inside a restricted process.
Even when Firefox finally adopts Electrolysis by default, it won't provide a separate sandboxed process per tab as Chrome and Edge do, but only a partial split. It will isolate a single "content process" (holding the content of all tabs) from the rest of the browser; the OS-level sandbox that actually restricts what that content process can do is a separate layer built on top of this split. The multi-process architecture is now expected to arrive sometime in the middle of the year.
The biggest hurdle to a full sandbox for Firefox is the old add-on model. Legacy add-ons run inside the browser with its full privileges and can reach into any part of it, so a process boundary would break them. Until most Firefox add-ons have been converted to the Chrome-like WebExtensions model, Firefox is unlikely to get a full sandboxing architecture.
This is as much Mozilla’s fault for not pushing for a more modern architecture more aggressively as it is Firefox users’ fault who don’t want to compromise on the add-on functionality for better security. As long as there's strong backlash against any major change that breaks the old add-on models, Firefox will likely remain one of the least secure browsers out there.
That's why Mozilla's best bet is probably to launch a new browser written from scratch in Rust, the memory-safe systems language developed at Mozilla. A new browser would have the benefit of starting over in a much more secure way, without legacy code and architectures to carry along. Safe Rust rules out entire classes of vulnerabilities, among them buffer overflows, use-after-free and data races, either at compile time or with a bounds check at run time; only code explicitly marked unsafe can reintroduce them, and logic bugs remain possible. The same ownership rules that enforce memory safety also let code be spread across cores without the data races that make such parallelism hazardous in C++, which is where much of the expected speed-up would come from.
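To make the buffer-overflow claim concrete, here is an added example (not code from the article or from any Mozilla project) of the classic bug a browser's format parsers hit: a length field supplied by the attacker that is larger than the data actually present. The record format is constructed for illustration, one length byte followed by that many payload bytes. In C, copying `buf[0]` bytes from `buf + 1` reads past the end of the buffer; in safe Rust the same access either returns `None` through `get` or panics on a direct index, and neither path touches adjacent memory.

```rust
// Added example: how safe Rust turns a length-field overread into a checked
// error or a deterministic panic instead of an out-of-bounds read.
// Record layout (constructed for this example): [len][payload bytes ...]

use std::panic;

#[derive(Debug, PartialEq)]
pub enum ParseError {
    /// The length byte claimed more payload than the buffer holds.
    Truncated { declared: usize, available: usize },
    /// No length byte at all.
    Empty,
}

/// Parse one length-prefixed record and return a slice of its payload.
/// `rest.get(..declared)` is the bounds check: it yields None rather than a
/// slice that extends past the buffer, and we surface that as an error.
pub fn parse_record(buf: &[u8]) -> Result<&[u8], ParseError> {
    let (&len, rest) = buf.split_first().ok_or(ParseError::Empty)?;
    let declared = len as usize;
    rest.get(..declared).ok_or(ParseError::Truncated {
        declared,
        available: rest.len(),
    })
}

/// Even a plain index expression is bounds-checked: `buf[idx]` with idx out
/// of range panics instead of returning whatever lies after the buffer.
/// Returns true when the read was rejected (the panic was caught).
pub fn indexed_read_is_rejected(buf: &[u8], idx: usize) -> bool {
    panic::catch_unwind(|| buf[idx]).is_err()
}

fn main() {
    // Constructed inputs: a valid record and one whose length byte lies.
    let good = [3u8, b'a', b'b', b'c'];
    let bad = [200u8, b'a', b'b', b'c'];
    println!("{:?}", parse_record(&good)); // Ok([97, 98, 99])
    println!("{:?}", parse_record(&bad)); // Err(Truncated { declared: 200, available: 3 })
    println!("{}", indexed_read_is_rejected(&good, 10)); // true
}
```

The `Result` path is the one a parser should take: the caller decides what to do with a malformed record. The panic path shows the fallback guarantee for code that forgets to check; a panic is a denial-of-service bug, but not a memory disclosure. Neither protection applies inside an `unsafe` block that uses `get_unchecked`, which is exactly why such blocks deserve review.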
Lucian Armasu is a Contributing Writer for Tom's Hardware. You can follow him at @lucian_armasu.