You may have heard about this year’s Pwn2Own contest results. In this hacking contest at the CanSecWest security conference in Vancouver, it took two minutes for the winner to bust into IE8 on Windows 7, according to Computerworld. The article, written by Gregg Keizer, stated:
Both Peter Vreugdenhil of the Netherlands and a German researcher who would only identify himself by the first name Nils found ways to disable DEP (data execution prevention) and ASLR (address space layout randomization), which are two of Windows 7’s most vaunted anti-exploit features. Each contestant faced down the fully-patched 64-bit version of Windows 7 and came out a winner.
However, users of other browsers shouldn’t feel smug or confident. The article goes on to say:
A half-hour later, Nils bypassed the same defensive mechanisms to exploit Mozilla’s Firefox 3.6.
In addition, according to an article on Times Newsline, Safari was hacked into using a MacBook Pro and two participants were able to break into iPhone codes during the contest. Only Google Chrome managed to escape, mostly likely due to 11 vulnerabilities being patched in the days before the contest and the fact that it wasn’t targeted by the contestants.
I’ve had discussions — often rather heated — about which browser platform is “safer” or “more secure.” Once again, this contest shows that nothing is as safe as you think it is, and that no matter what browser you are using within your organization, good security practices and up-to-date antivirus and antimalware protection are essential.