"All"? Not Safari yet (knock on wood). Which is a big change from back in the day when it was usually pwned first in this contest. Or are you saying it's not a major browser?
I personally consider it not major but significant, not just due to market share but also because it's the default browser (and shares its inner components with applications leveraging WebView) on a certain platform. Therefore it's a prime target for establishing a foothold on that platform.
Everyone is sitting on a java 0day now. They have lost a lot of value in the market since there is literally as much supply as demand. I keep reading CVEs waiting for the one I have to be discovered by someone.
I have a friend who tells me that good (Windows) zero days, with remote execution, are worth about $50K on the market that transacts these things, with a contract to increase that value if there is no open disclosure, i.e. if your zero day remains a zero day for another six months, there is an opportunity to see further reward.
I've always wondered if it's intelligence agencies, criminal organizations, police organizations, or commercial endeavors that sell services to those three bodies that are paying that kind of money for zero days.
I also don't understand why people give good zero days away for free, if it is really the case that there is a market in these types of properties. Anybody have actual insight into this?
Maybe because they don't want people's computers to be abused by people with lots of cash to spare? One can only assume they're getting more than $50k worth of value from the zero day, so something pretty dodgy must be going on.
>I've always wondered if it's intelligence agencies, criminal organizations, police organizations, or commercial endeavors that sell services to those three bodies that are paying that kind of money for zero days.
According to this article: 3rd party middlemen, small security firms and large defense contractors are the ones paying for 0-days. It also has a nice price list for Chrome, iOS, etc.
$50k sounds like a lot, but if you can weather the current storm of every firm and researcher digging into Java and finding all the low hanging fruit, it could be worth $300k+ when nobody else has an undisclosed Java vulnerability.
Usually the way it works is 6 monthly payments, so you get a wire for $8,500 every month that it is not disclosed.
You're assuming that they have to make their living 'hacking'. If instead they have an oil well in the back yard providing a steady paycheck (I live in Texas, and know people just like this), they have plenty of time for non-profit endeavors.
"I also don't understand why people give good zero days away for free..."
Quite a few hackers are a really special (in a good way) kind of people who are in it only for the intellectual challenge.
Now, food for thought:
Rudyard Kipling once warned students against an over-concern for money, position or glory. He said: "Some day you will meet a man who cares for none of these things. Then you will know how poor you are..."
We've seen Java bugs in the news lately for use in co-ordinated attacks against large companies.
A nameless firm (not the one I'm working with now) that happens to be one of Europe's largest banks has insanely locked down versions of Windows, everything disabled, some custom thing that has hooked NT kernel functions to check which image is being loaded to be executed.
And then it has Java. A very old, un-patched version running a vendor risk system (yes, it is that French one you're thinking of).
This means that despite the frankly annoying paranoid security there, you can pwn any of the machines easily. As we see more targeted attacking, remember that Java is heavily used by a lot of rich, often inept due to size, firms.
IIRC, the instances in the news were attacks on the Java applet, not necessarily the runtime. Even if it was against the runtime, without the applet, it would have to be a trojan.
The federal government agency I deal with has similarly locked down computers but, as you say, Java, old versions of browsers, and many unsigned applets.
Do these "insanely locked down" Windows have a browser and does that browser enable Java applets?
The 0-days affecting Java lately have all been using Java applets and drive-by exploits. I'm not saying it's not pathetic and lame for Java's security track records but it's not either as if your company was vulnerable to remote exploits in the case Java applets are not allowed in browsers.
I'm running Java webapp servers and I've been really pissed off that I needed to patch against remote Denial of Service exploits (the hashmap / URL query parameters degenerating to O(n) instead of O(1) SNAFU and the "endless loop" while parsing a certain floating-point number) in late 2011 / early 2012 IIRC, but basically that's it.
The JVM is still incredibly secure on the server side (and can be installed on Unix systems in a user account, without needing to be root -- meaning that you can then lock down like mad that user account and have an even more secure setup).
Now to be honest, if your company was truly paranoid they wouldn't be using old versions of Windows with in-house brittle hacks supposedly bringing "more security".
I know that all too well (at Dexxia for example): some people somewhere decide on a shitty technology (Dexxia was at one point using shitty Java applets to allow clients to do online banking) and then say "We're going to have the most secure system ever".
So these guys think they're paranoid but they're using: a) Windows and b) Java applets.
And at this point you have to wonder if you should laugh or cry at their definition of "paranoid".
People really paranoid about security ain't letting Windows in (unless they like NSA backdoors and consider Patch Tuesday to be a reliable way to execute) and ain't letting Java applets in.
However I really don't want to go too far into a former client's site details, just to say it was a laughably big gaping hole, that is really quite common in a lot of large enterprises. It was also completely separate from my domain there.
Are any vendors offering no questions asked X$/0day rewards all year long instead of dedicated events? Seems like it would be a decent move. If the going rate is really in the 50k ballpark, why can't, say, Google offer 10-20k per Chrome exploit?
Their engineers don't make peanuts and the attacks on the software happen regardless. After a year or two you'd probably have a pretty secure system for a reasonable cost.
I don't think there's much negative press involved either if you spin it a la "we have the best security experts in the world attack our software and fix it asap".
Plus, you might pull off a decent talent grab or two as long as you understand how the people would like to work (probably not from a Google office).
Google's bug bounty is $3,133.70 (elite). The black market can pay $80k-200k+[1]. Why doesn't Google pay more? Well, like you said, "attacks on the software happen regardless". Their objective is to maximize shareholder value. People adopt browsers for other reasons besides maximum security. You hear about critical vulnerabilities all the time, to the point where you get desensitized to it. I don't think there's been a bug out there that caused people to dump a browser en masse.
The bug bounty is for a security bug with no exploit. That makes it a lot less work for the security researcher. See the release notes on the Google Chrome blog for details of bounties paid.
Google also sponsors Pwn2Own and Pwnium with bigger prizes for bugs with working exploits.
Few silly questions:
1) I got the feeling from this discussion and some other sources that there are a couple of known Windows kernel vulnerabilities that are making this exploitation easier. What about Microsoft? Don't they care, or are they fixing those bugs?
2) How secure is, let's say, Firefox + Ubuntu/Fedora, latest updates, default settings? I haven't seen that many exploits for Linux in general. Is it because no one cares about Linux, or because it is harder and thus more valuable than Windows exploits, so no one shares Linux ones?
I don't really understand the competition. Do people come to these with just the intention of finding exploits, or do they come with the exploit ready, waiting to collect a reward?
Invariably all the researchers / organisations competing have developed their exploits well ahead of the event. The exploits are now pretty involved.
I've linked to a blog post from the Chrome developers that details the exploit that won late 2011 [1]. 'Pinkie Pie', the pseudonym of the person who won it, is pretty infamous in those circles.
AFAIK most have exploits ready before the event, and demonstrate them publicly (for the first time) at the event.
In general, skilled crackers/reverse engineers/security experts will look for new bugs -- and when found, can either a) Tell the vendor, b) Tell the world, c) Sell the exploit to the highest bidder, or d) Use the exploit for nefarious purposes themselves.
In general some combination of a) and b) or c) is the most common -- these events are a way to compensate people to do a) and b) -- and provide some incentive to avoid c) (and d)).
They have the exploits ready to go, the challenge is whether they can exploit the target system (which is fully patched) within their time slot.
It's a useful exercise, I think, in that it demonstrates that even the most hardened of codebases still has security bugs, and it also serves as a cautionary tale for people who think they don't need multiple layers of defence.
"...it demonstrates that even the most hardened of codebases still has security bugs"
Browsers the most hardened codebase? I nearly spilled my coffee ; )
Every single browser out there (including Chrome) was designed with security as an after-thought.
As for me I browse the Web from Linux, using a throwaway user account which doesn't have Java installed. And that user account is itself "hardened" (e.g. no login shell, specific per user-id firewalling rules, etc.). At this point, given the state of insecurity the Web is in, I'll probably go back to the VM route (a browser in a locked down separate user account, but itself running inside a KVM VM).
My definition of a hardened codebase would be something like OpenBSD or OpenSSH or seL4 (in seL4 the code has been verified (using formal provers) to be free of buffer overrun/overflow and whatnot).
What I don't like about your comment is that you consider the current situation to be "acceptable". You apparently do really believe current browsers are "hardened" and that there are people thinking like you is precisely part of the problem.
We can do much better than that.
For a start I'd love to read a rant from Theo de Raadt about what should be done to conceive more secure web browsers.
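The throwaway browsing account described above, as an added example that is not the commenter's own setup: a POSIX shell script that creates a dedicated account with no login shell and attaches a per-uid egress policy with the iptables owner match (only loopback, DNS and HTTP(S) may leave for that uid; the rest is logged and rejected). The account name, uid and port list are assumptions; `apply` needs root, `show` only prints the rules.

```shell
#!/bin/sh
# Added example (not from the thread): a throwaway browsing account on Linux
# with no login shell and a per-uid egress firewall, as sketched above.
# Assumptions: iptables with the owner/multiport matches, and the names below.
set -eu

BROWSE_USER="${BROWSE_USER:-webbrowse}"   # assumed account name
BROWSE_UID="${BROWSE_UID:-1500}"           # assumed fixed uid for the account

# Print the iptables rules for one uid, one command per line, so they can be
# reviewed (or diffed against a running box) before anything is applied.
uid_egress_rules() {
    uid="$1"
    chain="BROWSE_$uid"
    cat <<EOF
iptables -N $chain
iptables -A OUTPUT -m owner --uid-owner $uid -j $chain
iptables -A $chain -o lo -j ACCEPT
iptables -A $chain -p udp --dport 53 -j ACCEPT
iptables -A $chain -p tcp --dport 53 -j ACCEPT
iptables -A $chain -p tcp -m multiport --dports 80,443 -j ACCEPT
iptables -A $chain -m limit --limit 5/min -j LOG --log-prefix "browse-uid-$uid: "
iptables -A $chain -j REJECT
EOF
}

# Apply the rules for a uid by executing each printed line (root required).
apply_uid_egress() {
    uid_egress_rules "$1" | while IFS= read -r rule; do
        eval "$rule"
    done
}

# Create the account: fixed uid, no login shell, own home, no password set.
create_browse_user() {
    useradd --uid "$BROWSE_UID" --shell /usr/sbin/nologin --create-home "$BROWSE_USER"
}

case "${1:-}" in
    show)  uid_egress_rules "$BROWSE_UID" ;;
    apply) create_browse_user && apply_uid_egress "$BROWSE_UID" ;;
    *)     ;;  # no argument: only define the functions (safe to source)
esac
# To use the account from an X session (assumed commands, run as yourself):
#   xhost +si:localuser:"$BROWSE_USER" && sudo -u "$BROWSE_USER" -H firefox
```

Running `sh script.sh show` lists the eight rules for the configured uid; `apply` is the only mode that changes the system.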
And yet that it persists brings to mind all the problems faced by large organizations. An inability to change processes, execute quickly on decisions, disconnect between customers and company operations. Which is why startups can disrupt them. Pretty much everything HP produces seems mediocre and of substandard quality, including their printers, ink, devices, services such as their OpenStack cloud offering.
You know, I've actually seen a pretty useful writeup on why HP urls are so crazy. I wish I knew where to find it, but there was some allegedly logical reason. I think it had to do with the site knowing which server to talk to? I wish I could remember more.
If you're trying to auth, and you get one subdomain vs. another, it's a pain in the ass for all users. That's why other big properties have unified to one domain and subroutes (e.g. google.com: no more reader.google.com, but www.google.com/reader).
WebKit code execution against Chrome is also likely to work (in modified form, but same basic exploit) against desktop or mobile Safari. Desktop Safari sandbox escape is likely to be completely different from MobileSafari sandbox escape. And in all three cases, the sandbox escape is the harder part.
So that logic does not explain to me why people are going after Chrome but not Safari.
I honestly don't know why it is. In particular, I don't have specific reason to believe Mac Safari's sandbox is more bulletproof than Windows Chrome's, but I guess Safari has the advantage of not being exposed to Windows kernel bugs.
Yeah, the WebKit exploit will work effectively unmodified on Safari. And the sandbox escape used against Chrome on Windows was a kernel bug in surface that can't be turned off from user-space (or really at all on Win7). Also, they softened the target quite a bit by using 32-bit Win7 for the contest, rather than 64-bit Win8 (or even 64-bit Win7).
As for why no one's targeting Safari, I think it's simple market forces at play. The iOS exploit market is established and pays very well, while the core vulnerabilities, expertise, and techniques are all shared with Safari on Mac OSX. And since Safari isn't a soft target (in no small part due to Abhishek's mass slaughter of WebKit security bugs and our bounty program), $65k just doesn't compete with the real-world exploit market.
Getting sandbox escapes from Mac Safari and iOS Safari requires completely different exploits. The code execution stage of a complete exploit could be shared, but it could also be shared with Chrome. So you'd think the same argument of iOS Safari exploit market value would apply either way.
My theory is that not much research has been done yet on breaking the WebProcess sandbox. Which makes me sad.
>Getting sandbox escapes from Mac Safari and iOS Safari requires completely different exploits.
You're focusing too narrowly on the sandbox itself. You have to consider the whole stack, and all of the surface exposed from within the sandbox. Consider the Chrome sandbox escape from yesterday, which didn't use anything specific to Chrome. It targeted part of the Windows stack that's guaranteed to be exposed to every process on the system.
It's good to know it still got taken down, because I had a horrible fear they were going to try and advertise they were 100% safe because they weren't exploited.
There's no last minute patch. We push security and stability updates every 2-3 weeks. Just go look at our release history to verify. As for your other claim, it's so absurdly off base that it doesn't warrant an explicit response.
Which is fair enough, I'm in no way going to suggest having a reactive security update schedule is a bad thing.
However the time of the conference could easily give a vendor that had a compatible release cycle a slight edge.
When I read that story (before hearing the results) I was filled with a kind of dread. I am less than impressed about the claims for Chrome OS; in the UK where it's advertised it strikes me as Apple during the bad days, who simply advocated bad practice with regards to security (you've bought us, don't worry) type thing.
If you feel that is at all unfair to you, I am sorry, but Google Chrome has been an aggressively marketed product in London and I have general contempt for most of the ads (but then I'm not the target market).
I also think it's really important to remind people just how unsafe browsers are (all of them) and how people need to be increasingly aware of the impact of such security.
Side Note: If you're one of the team, thanks, yours has been my favourite browser for years now :)