Linked by Thom Holwerda on Fri 9th Mar 2012 09:43 UTC, submitted by bowkota
Google "As day one of the annual Pwn2Own hacker contest wound down on Wednesday, no browser suffered more abuse than Google Chrome, which was felled by an attack exploiting a previously unknown vulnerability in the most up-to-date version. Combined with a separate contest Google sponsored a few feet away, it was the second zero-day attack visited on Chrome in a span of a few hours." Google fixed the issue within 24 hours.
Not too bad
by gan17 on Fri 9th Mar 2012 12:04 UTC
gan17
Member since:
2008-06-03

To date, there are no known reports of a zero-day attack ever hitting Chrome in the wild, and at the previous three years' contests, Chrome escaped unscathed...


1 discovered vulnerability in 4 years is a pretty decent record, methinks. Props to them.

Reply Score: 3

RE: Not too bad
by No it isnt on Fri 9th Mar 2012 14:06 UTC in reply to "Not too bad"
No it isnt Member since:
2005-11-14

It's had a few vulnerabilities, but no 0-day exploits. Which is still a good record, of course.

Edit: And it's not like IE9, although improving, has fared any better at this year's pwn2own: http://www.zdnet.com/blog/security/pwn2own-2012-ie-9-hacked-with-tw...
Now, what about mobile?

Edited 2012-03-09 14:08 UTC

Reply Score: 2

RE: Not too bad - patched within 24 hours
by jabbotts on Mon 12th Mar 2012 14:51 UTC in reply to "Not too bad"
jabbotts Member since:
2007-09-06

I'm not shocked to find out Google Chrome had an exploitable bug. For me, the more important metric is how long it took for a patch to be delivered. Vuln reported to vendor yesterday, patch available today.. can't. They can have fifty bug reports a day and I'm still happy if that means fifty patched bugs the next day.

Reply Score: 2

Comment by mantrik00
by mantrik00 on Fri 9th Mar 2012 14:46 UTC
mantrik00
Member since:
2011-07-06

The Chrome hack video (http://youtu.be/c8cQ0yU89sk) from Vupen (quoted in Ars Technica) showed Chrome browser version as v11. The hack may be only theoretical (meant for sensational headlines). Chrome's auto-update policy would have ensured that all its users would be running the current version, i.e., Chrome v17 or v18 (with that hole plugged).

Unless I missed something, only Sergey Glazunov's exploit demonstrated in Google's contest pertained to the latest version of the browser.

Reply Score: 2

RE: Comment by mantrik00
by geleto on Fri 9th Mar 2012 16:09 UTC in reply to "Comment by mantrik00"
geleto Member since:
2005-07-06

The competition also involves on-the-spot writing of exploits for previously patched vulnerabilities. That should explain why Chrome v11 is used.

Reply Score: 1

RE: Comment by mantrik00
by Erunno on Fri 9th Mar 2012 17:05 UTC in reply to "Comment by mantrik00"
Erunno Member since:
2007-06-22

Chrome's auto-update policy would have ensured that all its users would be running the current version, i.e., Chrome v17 or v18 (with that hole plugged).


For unknown reasons (at least to me) Chrome has a growing long tail of users who are not updated to the latest version.

Reply Score: 2

RE[2]: Comment by mantrik00
by bassbeast on Sat 10th Mar 2012 00:11 UTC in reply to "RE: Comment by mantrik00"
bassbeast Member since:
2007-11-11

Probably because they have run into a website that the new one is incompatible with, or their OS don't like the new one? I've run into that myself with Dragon (Chromium based) with one customer who has a little website she likes to go to that simply hangs on anything newer than Dragon 12, and I myself have stopped at Dragon 14 for a while because anything over that doesn't seem to like the shell I have for XP.

I'm backing up my user folder now to try the latest release but if it doesn't load the websites I use correctly or hangs I'll be going back to 14 as it's not worth changing the OS or jumping through hoops just to have the latest and greatest on an old nettop.

Reply Score: 1

RE[2]: Comment by mantrik00
by zima on Fri 16th Mar 2012 23:26 UTC in reply to "RE: Comment by mantrik00"
zima Member since:
2005-07-06

I suppose the update process could be also simply failing for various reasons, which would accumulate on more and more machines, over time - for example, starting with simple lack of enough free space on C (yeah, you'd think that's unheard of; but, I can imagine small portion of people somehow mostly filling it up, after Chrome installation, then just moving to other drives for their "usual" storage ...while Chrome - relatively hungry for free space during updates - languishes)

Reply Score: 2

Bill Shooter of Bul
Member since:
2006-07-14

MS has to regression test everything against all of the dependencies in Windows and a host of third-party solutions that depend on IE.

Chrome, being not part of any operating system anyone really cares about (sorry Chrome OS), doesn't have to do that much and can roll out the updates and bugfixes much faster.

Reply Score: 3

looncraz Member since:
2005-07-24

I always said Microsoft's ploy of integrating IE into Windows would hamper evolution of the browser.

Certainly goes against their argument that it was a "requirement" and "natural evolution" of Windows rather than an underhanded anti-competitive action.

--The loon

Reply Score: 5

Bill Shooter of Bul Member since:
2006-07-14

Well, to be fair to Microsoft, they weren't very good at modularizing their code in the 90's. They were in the process of spaghetti-izing the kernel, so it probably seemed natural to sprinkle the parmesan cheese of IE in there as well.

Reply Score: 3

bassbeast Member since:
2007-11-11

Well to be fair at the time we are speaking of even a single MP3 could have taken a couple of hours thanks to the crappy dialup speeds and by integrating MSHTML.DLL they were able to allow companies to completely abandon their old help file systems for simple HTML pages that shaved several Mb off of software.

Honestly the only thing I'd argue that should have gotten them busted under antitrust was the same thing that Intel should be busted for, and that's the backroom deals with OEMs. We can see what a negative effect it had on the market in the Intel case, simply by looking at any retail shop and seeing how many AMD machines there are now where before there were none, but part of the reason you can't see the same with MSFT is that nobody dared try with the OEM deals. BeOS was PPC up until it was too late, Linux was (I'd argue still is) too CLI heavy, and Apple never cared for the low end markets.

But if you think it was MSFT bundling IE that killed Netscape then obviously you were never a user of their product, particularly Netscape 4. Here is my impression of NS 4 on Win9X: "Oh good, it's installed. Now I'll just go to my favorite web.../browser crashed/..huh. Well maybe it just don't like that site. No matter I have the whole web at my fingertips I'll just go to one of the.../browser hangs/...huh. Well if at first you don't succeed, I'll just check my webmail and then.../browser BSODs entire system/ *&^%*&^*^%!"

IE won not because of bundling, or that it was better, or even because it was good, but because the other browser company decided to release a version that was the equivalent to a punch in the face, yes it was THAT bad. Heck how do you think MS Office came to dominate? It was because the old king of the hill WordPerfect released a badly ported DOS version as their Windows version that was more likely to corrupt files or hang the system than it was to actually run. Honestly most of MSFT's fortune came from others being idiots, Kildall blowing off IBM, JLG sticking BeOS with the more expensive PPC CPU, the Pepsi guy at Apple letting the OS fall behind while releasing a ton of overpriced overlapping models so nobody knew what was what, idiots all.

Reply Score: 2

Alfman Member since:
2011-01-28

bassbeast,

Legend has it that Microsoft had used one API for the pre-Win95 launch, but was working on another secretly and switched them at the last moment to make WordPerfect buggy, which is allegedly why Novell didn't have their '95 version ready until 1996.

It might just be Novell whining about their failure, but given what we know about Microsoft's conduct I certainly wouldn't put it past them. Of course it's useless history now, but the courts did debate this topic in the antitrust case.

http://www.zdnet.com/news/microsoft-vs-doj-its-all-in-the-apis/9612...
http://www.stuff.co.nz/technology/6012175/Gates-testifies-in-US-1B-...

Bill Gates himself was quoted in an email in '94:

"I have decided that we should not publish these extensions. We should wait until we have a way to do a high level of integration that will be harder for likes of Notes, WordPerfect to achieve, and which will give Office a real advantage . . . We can't compete with Lotus and WordPerfect/Novell without this."

Edited 2012-03-10 10:04 UTC

Reply Score: 3

moondevil Member since:
2005-07-08

Life has taught me that you're going to find similar emails in any big corporation, even Google, the now beloved geek corporation.

Reply Score: 3

Brunis Member since:
2005-11-01

MS has to regression test everything against all of the dependencies in Windows and a host of third-party solutions that depend on IE.

Chrome, being not part of any operating system anyone really cares about (sorry Chrome OS), doesn't have to do that much and can roll out the updates and bugfixes much faster.


Amazing how you made it sound so easy to support multiple platforms and oh soo difficult to test on only 1 platform! And the tech ignorant quickly gave you plusses! ;)

Congrats!

Reply Score: 2

Bill Shooter of Bul Member since:
2006-07-14

Windows is not a single platform, and the interactions with the rest of the system are more complex because it's built in, and it's easy for them to screw up a big customer with a bug fix. It's happened in the past, wouldn't be surprised if it happens again.

I would assume that Chrome's tests are less dependent on the other pieces of software installed, and less likely to cause problems for other pieces of software.

Reply Score: 2

Soulbender Member since:
2005-08-18

and the interactions with the rest of the system are more complex because it's built in, and it's easy for them to screw up a big customer with a bug fix.


Making bad design decisions isn't a good excuse.

Reply Score: 3

moondevil Member since:
2005-07-08

No, but sadly very common in big companies.

Reply Score: 2

Bill Shooter of Bul Member since:
2006-07-14

Developers can make terrible decisions and assumptions when they write code. And often management doesn't help.

My first job was like beating my head against the wall, with a boss that kept directing me to do stupid things with the software out of paranoia of pirating. Keep in mind the software was never actually sold to anyone, ever. But we pretended to sell it in order for sales guys to use it as a bargaining chip when selling some of our hardware. Really, anyone could call up our support and get it shipped free of charge to them, no questions asked. But, we had to put crazy half-baked anti-theft stuff in there to reinforce the "deal" the customers were getting. It being half-baked usually just killed the customers' data at a whim, due to a crazy assumption that was built in to the requirements.

Reply Score: 2

Safer languages are required
by moondevil on Fri 9th Mar 2012 22:27 UTC
moondevil
Member since:
2005-07-08

I always think that if the Pascal family of languages had become what C and C++ are nowadays these types of exploits would be not so common.

Surely one can manipulate the assembly code, but still many exploits won't be that easy to exploit as it is still the case.

Luckily compiler technology advances like what Clang is doing, are helping to make static analysis mainstream, and help minimize exploits.

Reply Score: 3

Still missing the point.
by jefro on Sat 10th Mar 2012 03:39 UTC
jefro
Member since:
2007-04-13

The problem is all these systems are being hacked in minutes each and every year.

That isn't a good sign at all!

It should be hard to hack an up-to-date system.

Reply Score: 1

RE: Still missing the point.
by moondevil on Sat 10th Mar 2012 10:41 UTC in reply to "Still missing the point."
moondevil Member since:
2005-07-08

The main problem is that the foundations of today's systems are still built in sand.

Until we are using safer systems programming languages and better OS sandboxes, the situation will only get worse.

Actually, what Apple is doing in Mountain Lion, might somehow help, even if we as geeks don't like it.

Reply Score: 2

RE: Still missing the point.
by bert64 on Sat 10th Mar 2012 11:21 UTC in reply to "Still missing the point."
bert64 Member since:
2007-04-23

They are not being hacked in minutes, the researchers took several weeks if not months to develop their exploits... It's actually running the exploits that takes minutes, but finding the bugs and writing the exploits is quite time consuming.

Reply Score: 3

24 hours, big whoop
by theosib on Mon 12th Mar 2012 16:24 UTC
theosib
Member since:
2006-03-02

The reason they fixed it so quickly was because it came out during a high-profile contest. Meanwhile, countless other bugs go ignored in their database, and Chrome devs spend more time arguing with people reporting bugs than actually fixing things. Chrome devs are particularly bad about usability bugs, mostly because they're not very good at usability.

Reply Score: 2