The Pwn2Own trifecta: Safari, IE 8, and Firefox exploited on day 1
That didn't take long. One day into the Pwn2Own hacking competition at CanSecWest and already Apple, Microsoft, and Mozilla have been sent packing to their respective labs to work on security issues in their browsers. In a repeat performance, Charlie Miller pocketed a $5,000 cash prize and a fully-patched MacBook by splitting it wide open and gaining full control of the device after a user clicked on his malicious link. Another white-hatter by the name Nils (pictured) toppled Internet Explorer 8 running on a Windows 7 laptop -- again, the five grand and the compromised VAIO P laptop are now his to keep as compensation for turning over the malicious code. So much for "protection that no other browser can match," eh Mr. Ballmer? Nils then demonstrated a second Safari exploit before hacking Firefox later in the afternoon, netting him a cool $15k by the close of day one. Only Google's Chrome was left unscathed -- Opera isn't part of the contest. This year's contest will also offer a $10,000 prize for every vulnerability successfully exploited in Windows Mobile, Android, Symbian, and the iPhone and BlackBerry OSes. In other words: this contest, which runs through Friday, isn't over by any stretch.
[Via ZDNET]
Sad =( No love for Opera. I guess that means I don't need to be as afraid of the internets now.
But perhaps the internets should be afraid of you?
hm, no Opera? Two possibilities: 1. It's too difficult, they knew no one could hack it in this time frame -> not interesting -> no Opera in this contest. 2. hackers think that only a few users use Opera, maybe only users who know their system, so it's not interesting again.
In the end this means Opera is the best browser, because no hacker cares about Opera, or no one is able to hack it, or it's just too difficult at the moment.
Regardless of these facts, Opera is the best browser in my opinion and now even the safest, just great. :p
I am sure Opera being the one out is going to take this to the EU...
Opera probably came from Soviet Russia.
Hey, it's not over till the fat lady sings.
Frank, that is horribly flawed logic
@ frank
Apparently, Opera doesn't have the best spelling or grammar check...
@Frank
What about the possibility that the organisers thought Opera's security was a total joke, and couldn't afford to pay out on all the exploits?
I'm just saying, that would also explain Opera's absence. But your logic works, too. Feel free to believe yourself invincible.
Suggested further reading -> http://dvlabs.tippingpoint.com/blog/2009/02/25/pwn2own-2009 You will note the discussion surrounding Opera's not being there by the organizers down in the comments section. Was that so hard?
Opera is an excellent browser as far as security is concerned, the only thing is you cannot invite all the browsers to this kind of competition, so they only pick the ones with the higher market share.
As it is an American thing, they consider the American market as a good image of the world's market (which is obviously not true) so they didn't pick Opera, whereas it has around 5% market share in Europe for example (where Safari has less than 3%).
Opera is pretty popular here too... well I'm in Canada, and almost everyone in my school either uses Opera, or has it installed on their computer just in case their Firefox craps out on them. Then again I go to a tech school. Don't the companies have to pay the organizers too because they want to find out exploits so that they can patch them? Maybe Opera couldn't afford the bill.
Did you have to censor his crutch because he was exposing himself :p
...quite small area blanked out :( poor fellow.
I think you meant crotch, you silly boy.
It's his nametag, geesh
Serious troll is serious?
It was an attempt at humor you silly people.
No, I think you were right the first time when you said 'crutch'
It explains why his right hand is in such an awkward position, and why his right leg seems blurry.
ZOMG CONSPIRACY.
"Internet Explorer 8 running on a Windows 7 laptop -- again, the five grand and compromised VAIO P laptop are now his to keep as compensation for turning over the malicious code. So much for "protection that no other browser can match," eh Mr. Ballmer? "
It's beta I think....???
is it not biased?
Plus 1 to you Sir.
It came out of Beta today!!! It's released.
That's engadget for you, they don't say how IE8 was breached probably because it was harder than the breach in Safari on OSX that was first to fall.
A Malicious link is all it took to bring down glorious Apple programming.
You're on a news blog, why would it be required to be unbiased?
Also, there's no such thing as an unbiased news source, not even close.
WinMo? Pluuuhleeeez. Isn't WinMo an exploit by definition?
It's only biased if the article doesn't mention that Safari was compromised within seconds and was the first to be targeted by all the hackers. Oh. I see what you mean.
+1 would love to see if the vuln applied to the RTM'd IE 8 on a fully patched vista machine! would also love to see the user clicking yes to a bunch of Active X warnings etc or did they have to put it into the trusted sites?
Mark's right. Safari was breached in less than a second. All it took was a click on a button and it was over. A beta browser on a beta OS took longer to hack, and let's not forget that Safari was pwned just as quickly last year. But hey, why ruin a good story with the sorts of details that could ruin a great sponsorship deal. Tell me Engadget, how can I whiten my yellow teeth?
What does it mean that it was "breached within a second"? Don't you think these guys, eh, _prepared_ their hacks beforehand? Mac was probably the first target because it's the most interesting - will generate the most news etc.
It's not surprising it was compromised either because QuickTime alone has the potential for a few thousand more exploits. Unless Apple sandboxes Safari, it's not going to be secure.
What will be really interesting is whether the iPhone will be hacked. That's a different beast entirely, and all iPhone apps are sandboxed. Sandboxing means you can't compromise the system via a single app - not even mobile Safari. It's the only security concept that can work, and the iPhone is the only OS / device that has it.
They prepared beforehand for everything, not just for Safari.
It may be beta, but IE final was just announced, so it can't be that far from final code. They don't rush around patching holes as the last things they do before they slap the RTM sticker on it. They've branched long before that.
Besides, we don't know what version of Safari was used. It might have been the Safari 4 beta.
@nikster: Actually, sand-boxing is present in most modern operating systems.
@nikster
Actually the man who actually did the breach said that his reasoning behind going after the mac first was that the others were too hard, he even thought they wouldn't be breached (even though they were)
nikster, of course Miller's hack was prepared. He publicly stated about a week ago that Safari was easier to crack than the other two and probably had a number of solutions that could do the job. What should really worry you is that Safari is such a joke from a security point of view that the same hacker who broke Apple last year can state he'll do it again a week before the event and then do exactly that with no attempted defense from Apple. At least IE and FF put up a fight.
Safari was hacked last year - after a whole day where they couldn't. And then they had to type in the Admin. password after they had relaxed the rules. And they had to have a physical connection to the computer. Couldn't do it from a remote computer. Oh yeah, that really shamed Apple. Uh huh.
The contest's credibility is suspect at best, or more likely crap. Did they even bother to have the original rules this year? Or would they get in the way of giving Safari, Firefox and IE8 a Nelson-like "ha ha." Let's not even talk about how clicking on a link the guys had weeks and weeks to prepare is hardly hacking in a second.
I'll have to read up on how it actually went. Because lord knows we're not going to get all the facts that might be inconvenient in telling us how the IE 8, Safari and Firefox hacks ACTUALLY happened, and how it actually applies to how we use our browsers on a daily basis.
Why don't all you bozos casting aspersions without knowing the facts admit you don't really want the facts, which make such an event way more boring than frightening.
@Eric: where did you buy your tinfoil hat?
OK, Safari has a *feature* that executes a file after it has been downloaded without user intervention. It has been a problem for a while and it allows for a computer to be compromised provided that a user clicks on a link. Of course there is a mechanism that asks you if you really want to run the application that you downloaded from the Internet, but you can usually trick a user into clicking in both cases. This is hardly a security fault though. This is a feature that can be exploited and can easily be turned off if you choose to do so. I would recommend that every Mac user turns off that feature and manually runs applications when he/she really needs to. Why Apple chose to keep it as the default behavior is beyond me. As far as IE 8 goes it is hardly a biased review since Ballmer has a really huge mouth and it's only fair to judge the software in the same manner as it gets advertised. So the bottom line is that a moron with a browser can really shoot him/herself in the foot. But of course that is nothing new ...
Anyway this has absolutely nothing to do with OS security because it is the browser that ended up getting compromised and not really the OS. Oh and just because Windows 7 is still in beta stage does not mean that you shouldn't include it in tests. It's good to have an idea of what the future might hold for your computer.
@KarlW:
The exploit used to pwn the IE8 Beta actually DOESN'T work in the IE8 RTW on a fully patched Vista. There is an article on the Pwn2Own website. So, in all actuality the exploit was already fully patched by the time anyone demonstrated it.
No one is safe.
Oh wait, if users stop being stupid and don't click on everything they see, then they might be.
Also, NoScript.
crap
Chrome???? THE OPEN SOURCE BROWSER was the safest??????
I mean I love it, but something's wrong there. Maybe they didn't try hard enough?
Yea, after all chrome is just based on webkit
But the contest isn't over it seems.
Or maybe it's because it's new.. I imagine hackers will know the ins and outs of Safari, IE and Firefox as they've been around so long...
Well with Google making its massive advertising all over the net, I think they paid off the hackers not to hack Chrome..
In theory, an open source project is quite likely to have up-to-the-minute fixes, since so many people are constantly poring over the code trying to find problems.
Seeing as they have forever to prepare these exploits before the "contest" and get them working – hence everything falling the first day – then I guess no one cared about Chrome.
I'm not at all surprised. Look at last year's Pwn2Own, where the three major OS styles were on trials: Windows Vista, Mac OSX, and Ubuntu Linux. OSX was hacked in the first few minutes. Vista was also taken down, but the open-source Ubuntu was never taken down. I recall reading that one hacker said something along the lines of "we could have hacked it, but it wasn't worth the $10,000 prize," (I'm paraphrasing).
That says a lot for the potential in open source security, especially considering Ubuntu is considered to be one of the relatively insecure Linux distributions.
Open source software usually tends to be more secure...
The most secure OS in the world is OpenBSD, which is open source.
Open source software tends to be more secure because several (groups of) people read the code from a different point of view, whereas a team of developers working on a project all together will all see the code the same way.
Much better way to discover vulnerabilities.
God! Thomas. Some of you guys at Engadget need to be punched in the face with a full load of "how not to suck up to Apple so much". Grow the hick up!
Reading.Fucking.Comprehension.Fail!
From the title of the article: All three browsers hijacked and exploited on day one.
From the text of the article: All three browsers failed miserably, oh, and BTW, a few hours ago Ballmer came out and made a wild statement that has just been proven wrong.
I know you need a daily anti-apple/anti-engadget/go-winmo rant a day, but lay off the meth and read the actual article instead of sounding like a complete paranoid tool...
Yes, I don't understand the complaint with the article. It simply pokes fun at Microsoft because this news coincides with statements made by Microsoft's CEO regarding IE8 that is being launched today. It seems fair enough to me. I mean, the author is hardly ignoring that an Apple product was compromised.
Take a breath and chill out. I mean, it's not like this is something important. If you want to get annoyed about something that actually matters, get annoyed at AIG.
In fairness it's also acknowledged that Safari has unrivaled security although in this case that means that everyone knows it's the worst one out there by miles.
It's also rude to constantly insult editors.
seriously, knock it off.
Sadd Rabia the Microsoft Evangelist, everybody let's give him a hand full of "-"
Really?
A couple of days ago he was talking about getting an iPhone, so he was a hero.
Now, not so much?
I agree with Saad: they were hacking IE 8 BETA, that's beta, not the gold version released today.
And to Thomas Ricker: I think you have problems with your logic: when Ballmer said "protection that no other browser can match", it doesn't mean zero vulnerabilities in IE, but he meant that IE is the most secure, even if it DOES HAVE vulnerabilities. And using biased phrases like "So much for "protection that no other browser can match," eh Mr. Ballmer?" just show the low level of your "professionalism".
So is Google Chrome safe or didn't they try to hack it?
Safe my friend. Safe.
OK forget it, i read it. He's yet to try to hack it...
That was day 1, Michael, sooo I'm sure it will get hacked in time :)
Somebody please hack the iphone.
Is it me or does anyone else think these competitions are a bad idea? It seems to me that they encourage security researchers to find flaws in products (not a bad thing) and then to sit on them until the next competition rolls around so that they can cash-in (a bad thing). How does this help us? According to CNet the Safari flaw was discovered last year (it does not give the specific date) and only now has it been reported to Apple for patching.
http://news.cnet.com/8301-1009_3-10199652-83.html
it's good because people would do this anyways and this just gets them paid for what they do so they don't need to ruin the internets for fun.
The browser companies just buy the exploits and learn how to counteract them.
I think what you mean is that it is good that researchers get paid for their work but do you really think that an annual competition is the way to do it? I'd have thought that something like a $ per flaw system might be a better idea.
The exploits will be found by those who profit, it's up to Apple / MS to figure out a way how to compensate white hat hackers.
They could, for example, offer $5k for every bug found no matter when it was found and by who. That would probably encourage enough white hat hackers to find all the exploits, squeezing out the black hat hackers. Some black hats might actually turn white. Why don't they do it? I have no idea. Maybe because they don't really give a damn about security, unless the press makes a big stink.
@nikster
Right... Because:
1) 5K is a lot more than what black hats think they could potentially get out of hacking/cracking malicious intent
2) The said companies are eager to pony up the money, because they value the consumer's safety above profits margins, and satisfying their shareholders.
3) this approach is much cheaper than the current way they are doing things, i.e., patch exploits when they are critical/cause much bad PR, or are discovered internally
No offense, but I think it is unrealistic to expect companies to start doing this. Also, note that these exploits rely on the USER clicking on a malicious link, i.e., inadvertently executing the malicious code. This is the critical part imho. You can patch things/fix security holes all you want, but until the end user understands the intricacies of software security and raises better awareness on how to avoid these phishing attacks, a robust secure system is just an illusion.
safari/mac went down in seconds. http://blogs.zdnet.com/security/?p=2917
Just to note, in the context of this competition the time required to perform the hack is fairly immaterial since the code was already written and deployed in advance. What would be more interesting is to know how long it took to actually find the exploit and write code that would successfully take advantage of it.
Circle the wagons! Remember last year: if the Mac loses first, attack the premise of the competition.
Yeah, I read that blog just before coming here. Somehow I knew that the ZDNet title, "Pwn2Own 2009: Safari/MacBook falls in seconds" would NOT be reflected here.
Engadget's title: "It was a hard day, eventually everyone went down, no one much quicker than any other. Oh, and Steve Ballmer said something stupid."
Regardless of the premise of the contest, yada yada yada, two (or is it three?) years in a row Apple went down first and very quickly. That is what happened, so it would seem noteworthy to me.
@Kelmon
Excellent point!
The rules of the contest seem set up to encourage this type of behavior. Even gainfully employed white-hat researchers are unlikely to score a $5-15k bonus (plus a laptop) for finding an exploit. Disclosing the vulnerability to the vendor right away does nothing for their checking accounts. This contest seems like a great way for them to cash in on their work and encourages undesirable behavior by skilled researchers.
It is sad that the guy sat on a year-old 0-day because this contest was the only way he could legitimately get paid for his work. I wonder how long this flaw has been known and used by criminals to exploit Macs while this guy was sitting on it.
You guys crack me up - do you really think a vuln like this is worth a piddling $1-5K?! The amount of work involved to find such things makes $5K look like chicken feed and if it's found easily it can certainly be sold for more. These guys did this to get "known" and on the radar, perhaps because it was fun. Ask someone like Greg Hoglund, who has publicly stated he sells vulns for $100K, if he thinks these guys were ripped off. Sites like PacketStorm and Milw0rm used to have truly 0-day stuff being released, not so much anymore and it's not because they aren't still finding things.
As for vendors offering bounties - yeah right. The very LAST thing they want to encourage is people looking that closely at their code. Microsoft and Apple especially do not want to encourage anyone to point out that the emperor is frequently naked. Even if these were reported, companies, Adobe for one, sit on bugs for ages before they do anything about them. Even Microsoft, who has begun to take this more seriously, isn't patching them all. Kripes, Microsoft was one of the ones that shut down the free flow of information on vulns with their programs that would only offer benefits to companies if they kept their mouths shut about what they found. This has turned into a business and not to the public's benefit either. Contests like this simply allow the public a glimpse as to just how bad it is.
Very good point... If they (M$, Google, Apple, whoever's exploit it is) offered say a sum of $1k for the exploits any time of year. This wouldn't be a huge 15k bonus but still would encourage handing in right away in case someone else handed it in before you and claimed your 1k.
Good idea. Perhaps they can promise more money depending on how critical the exploit is, and require an NDA in exchange for the cash.
That might work for the closed source world, but I somehow doubt that the open source world will care as much. "Submit a patch", as they say.
Or they could do a payment per exploit and then a grand prize for the most at the end of the year, so the hackers keep trying to up their total to win the grand prize, maybe have the grand prize be x times the number of the highest number of exploits, If 10 was the most exploits then the prize amount is multiplied by 10.
Go Chrome
Are all of these exploits worth it for animated ads? Can we just go back to pictures and links? I don't need to run ANYTHING. I'll even fill in my shipping address every time!
Let me guess, you're using an iPhone and hate Flash because besides all the videos, games, cartoons, and interactive web applications, all Flash is used for is advertisements some of the time. Then when Apple finally announces Flash it will be like the second coming of Christ, and it shall be declared "The reason Apple is at the top is because they "get" what the consumer wants". Even though the consumer said Flash was evil. Yes I do know Flash is really horrible at a lot of the stuff people are trying to make it do these days but it's still an integral part of the internet. Also just because it crashes your browser all the time doesn't necessarily mean it's all Flash's fault. I didn't blame it on Flash when the first beta of Chrome would crash because of Google's poor implementation of Flash.
Sent by an HTC Touch Pro with delicious delicious flash advertisements.
click here
I always wished I had the skillset to do this contest. It seriously makes me drool. I have always been ludicrously fast at the things I do, being competitive by nature, so I know if I only knew what I needed to know, the contest would be a lot of fun even without having to win anything.
I feel the same way, man. (assuming you are in fact a man).
I'm a computer science major, but I never really got a chance to learn things like this, that are not only incredibly interesting, but matter in the real world today.
I wish I knew how to do this stuff too. I think I'd be good at it as well.
Safari was hacked in seconds, but you had to pick Microsoft, uh?
Well, given that their CEO was trumpeting IE8 security this morning it seems reasonable to make a point, do you not agree?
I think it's good to expose all of them. Face it ... the browser, if one is to have a certain amount of "out of the box" functionality, is exploitable. This will probably sadden fanboys on all sides, especially corporation-loving applets, but it's just a fact of life.
Well, given that the browser and the OS were both in beta at the time of the competition it seems unreasonable to claim that the final releases will be identical to what was hacked, do you not agree?
I read another article that said all the browsers were hacked, which would have included Google Chrome. Anybody know if Chrome actually was included?
What they fail to mention is that to hack Safari he was given Administrator access to the system. It's like saying 'If you can steal my car you can keep it' and then providing them with the keys.
uhhhh. If that's the default install, that's what it is.
Day 1: Default install no additional plugins. User goes to link
Some people are missing that the Safari/Mac was hacked TWICE (different ways) on the same Day 1.
All operating system installations make the first user account an admin because they have to, but all of them have documentation recommending that a non-privileged account be created and used for normal use. Ideally, the installers should just ask for an admin password and then allow the user to create their own unprivileged account, but just because they don't (one good reason might be that the user may forget it by the time he or she needs to use it) is not an excuse for not following directions. If you just started running things off the default install like in this contest on any BSD, you'd be always running as root!
Since Safari was hacked but Chrome not yet hacked, does that mean the vulnerability lies outside of the WebKit rendering engine?
Or does that mean the security lies outside of the Webkit rendering engine?
Cue the rabid Mac fanboys claiming that the Macbook "wasn't really hacked" or that "it doesn't count since you had to click a link" in 3...2...1...
It's just a light-hearted article on a light-hearted competition, you insufferable tools. Go outside or something...
Way to go Engadget, you conveniently left out the most important detail of that news tidbit, that Safari was the first one hacked, AGAIN, and exploited within a matter of seconds, just 8 of them in fact.
This is 2 years back-to-back now that OSX/Safari has fallen first and this time within a matter of seconds, and yet Apple continues to profess and perpetuate this errant belief that their systems/wares are the most secure.
Your synopsis failed to highlight this small fact, but we wouldn't want that to come in the way of sponsorships now would we...
um, I thought you couldn't install internet explorer 8 on windows 7..