Pwn2Own hack topples Firefox on Windows

[Computer Hope Admin]

The first day of the CanSecWest Pwn2Own hacker challenge wrapped up here today with a familiar face going after a familiar target.

And, for the second year in a row, a German hacker known simply as “Nils” exploited a previously unknown vulnerability in Mozilla Firefox to take complete control of a 64-bit Windows 7 machine.

Link

[BC_Programmer]

It's interesting to note here that it would appear that the "weak link" in exploiting firefox was firefox itself- simply because firefox was not taking full advantage of some of the features of windows. Could one surmise that this very same technique could work on Firefox running on other platforms?

[Computer Hope Admin]

It's possible but since no details were posted hard to say. I'd assume that because he went after Safari on MacOS that it may not be the case, however he could of just went for Safari because it's the default browser. I know one thing for sure if I was Microsoft I'd be paying any amount imaginable to get this guy on my staff and make Windows more secure by just having him find holes.

[Quantos]

I know one thing for sure if I was Microsoft I'd be paying any amount imaginable to get this guy on my staff and make Windows more secure by just having him find holes.

Second.

[BC_Programmer]

They already have a lot of security analysts that are at least as good as him, actually. Many of them have blogs.

However it's important to note that the vulnerability is largely firefox's, not Windows; after all, as stated in the article, the biggest stumbling block was in fact mitigating the built in windows protections to prevent exactly what he was trying to do; as well as how ill-fit Firefox is in using those technologies explicitly (relying on Windows' default behaviour, I imagine).

[Computer Hope Admin]

Yeah that's true. He didn't come through Internet Explorer, and that's saying a lot.

[patio]

Umm IE8 got creamed as well...
It's always bigger news when it's the Fox...

Story

[Computer Hope Admin]

I stand corrected.

[BC_Programmer]

Umm IE8 got creamed as well...
It's always bigger news when it's the Fox...

Story

True, but specifically I was referring to the fact that it was the application(firefox), not the platform(Windows) that had the security problem.

I gave up on Security in IE long ago. It's usable and they certainly are doing better but I think their security analysts must be working elsewhere.

[Hdthree]

This is interesting the only other hacking conference I know of is Defcon are there many others?

[Computer Hope Admin]

Another big one is HOPE

http://thenexthope.org/

[rthompson80819]

This is the story you never hear about, although it happens a lot,  hacking Apple products.

http://blogs.zdnet.com/security/?p=5846&tag=col1;post-5855

[Salmon Trout]

could of just went

[rant]

Could have just gone, please!!!

[/rant]

[mr-bisquit]

When they can hack through a secured firefox on a hardened BSD system, let me know.

[BC_Programmer]

When they can hack through a secured firefox on a hardened BSD system, let me know.

When FreeBSD is used by people without something to prove let me know.