Many browsers patched prior to hacking event

By Susan Bradley

One of the top draws at CanSecWest, the highly regarded Canadian security conference, is the break-the-browser contest known as Pwn2Own.

So can it be coincidence that Apple, Google, and Mozilla updated their browsers just days before the contest?

Yesterday was the start of CanSecWest 2010 in Vancouver, British Columbia. This year, a U.S. $10,000 prize sponsored by TippingPoint’s Zero Day Initiative goes to each white-hat hacker who’s the first to bring down Microsoft’s Internet Explorer 8, Mozilla’s Firefox 3, Google’s Chrome 4, or Apple’s Safari 4. Smartphones are targeted in the competition, too.

At this writing, the targets that have already fallen include Apple’s iPhone and three of the four browsers: Safari, Firefox, and IE 8 (the attacker was able to circumvent IE’s vaunted Data Execution Prevention), according to the ZDI Twitter feed.

The payoff for users should be more-secure browsers: the vendors patched ahead of the contest, and the bugs demonstrated there should be fixed soon after it.

Zero-day threat in Firefox is now fixed

Mozilla pushed out an update to Firefox on March 22, earlier than the March 30 date originally promised.

The release notes for version 3.6.2 state that the update fixes several security issues, including a zero-day bug, described in a Mozilla security advisory, that could allow an attacker to take control of your system.

For Firefox 3.6 users, this should be a high-priority patch. If you stayed back on versions 3.5 or 3.0, you are not vulnerable to this particular bug (though those branches still need their own security updates), thus proving once again that sometimes waiting on an application upgrade is for the best.

Safari browser gets fixes before its big test

Historically, Apple’s Safari browser has been one of the first to fail in the CanSecWest contest, usually with an unreleased exploit coded by Safari vulnerability expert Charlie Miller.

So it’s perhaps no surprise that Apple’s March 15 Safari 4.0.5 patch, detailed in bulletin HT4070, includes several security updates.

However, TippingPoint still lists several unpatched security holes in Apple’s browser, so it is no surprise that Safari did not get through this year’s contest unscathed.

Google’s Chrome gets a bit more privacy

Just as outgoing U.S. Federal Trade Commissioner Pamela Jones Harbour took Google to task in recent FTC roundtable remarks for privacy violations, Google reported new enhancements to its Chrome browser.

A March 17 Chrome blog noted that more-fine-grained cookie settings were added to the current versions of Chrome. This includes the capability to allow or block cookies from specific sites. So if you’d like more control over the information about you a site keeps, do the following:
  • Click on the tool icon in the upper-right corner and scroll down to Options.
  • Click on the Under the Hood tab and then Content settings.
  • Under the Cookies tab, you can block all third-party cookies, allow certain Web sites to set cookies, and use even-more-granular controls.
The Cookies tab also has a link to the Adobe Flash Player storage settings site, where you change privacy settings for the version of Flash used in Chrome. (See Figure 1.)

When I launched the Flash Player manager, it listed the Web sites I’d visited — such as British car-show site TopGear. It’s a reminder that these programs know a lot about your habits — merely by noting the sites you visit.

Figure 1. The application for changing Chrome’s Flash Player cookie settings is on Adobe’s site.
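The distinction the Cookies tab draws between first-party and third-party cookies, and the way a per-site exception overrides the global switch, is easy to get wrong when reasoning about what a site can still store. The following JavaScript is an added example written for this page; it is not Chrome’s code and not from the article. The public-suffix subset, the shape of the policy object, the "session" action, and every hostname other than topgear.com are assumptions made for the demonstration.

```javascript
// Added example, not code from the article or from Chrome itself: a small model
// of the decisions behind Chrome's Content settings > Cookies panel, i.e. when a
// Set-Cookie header from some URL is honoured while a given page is open.

// Constructed subset of the public-suffix list. A real browser consults the
// full Mozilla list to decide where a "site" (registrable domain) begins.
const PUBLIC_SUFFIXES = new Set(["com", "net", "org", "uk", "co.uk", "github.io"]);

// Registrable domain (eTLD+1): the shortest suffix of the hostname that is not
// itself a public suffix but whose parent is. "www.topgear.com" -> "topgear.com",
// "ads.example.co.uk" -> "example.co.uk".
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    const parent = labels.slice(i + 1).join(".");
    if (PUBLIC_SUFFIXES.has(parent) && !PUBLIC_SUFFIXES.has(candidate)) return candidate;
  }
  return hostname; // no known suffix (e.g. "localhost"): the host itself is the site
}

// A cookie is third-party when the responding site differs from the site the
// user is looking at; this is the test behind "block all third-party cookies".
function isThirdParty(topLevelUrl, requestUrl) {
  return registrableDomain(new URL(topLevelUrl).hostname) !==
         registrableDomain(new URL(requestUrl).hostname);
}

// The panel's three controls: a default, the third-party switch, and per-site
// exceptions ("allow", "block" or "session") keyed by registrable domain.
function makePolicy({ defaultAction = "allow", blockThirdParty = false, exceptions = {} } = {}) {
  return { defaultAction, blockThirdParty, exceptions };
}

function decide(policy, topLevelUrl, requestUrl) {
  const site = registrableDomain(new URL(requestUrl).hostname);
  if (Object.prototype.hasOwnProperty.call(policy.exceptions, site)) {
    return policy.exceptions[site]; // a rule the user set explicitly wins
  }
  if (policy.blockThirdParty && isThirdParty(topLevelUrl, requestUrl)) return "block";
  return policy.defaultAction;
}

// A minimal cookie jar that applies the policy. Flash local shared objects live
// outside this jar, which is why the article sends you to Adobe's own manager.
function makeJar(policy) {
  const store = new Map(); // "site|name" -> { value, sessionOnly }
  return {
    // Returns true if the header was honoured, false if policy rejected it.
    setCookie(topLevelUrl, requestUrl, header) {
      const decision = decide(policy, topLevelUrl, requestUrl);
      if (decision === "block") return false;
      const pair = header.split(";")[0];
      const eq = pair.indexOf("=");
      if (eq < 1) return false; // malformed: cookie without a name
      const site = registrableDomain(new URL(requestUrl).hostname);
      store.set(`${site}|${pair.slice(0, eq).trim()}`,
                { value: pair.slice(eq + 1).trim(), sessionOnly: decision === "session" });
      return true;
    },
    get(site, name) { const c = store.get(`${site}|${name}`); return c ? c.value : undefined; },
    size() { return store.size; },
    closeBrowser() { for (const [k, c] of store) if (c.sessionOnly) store.delete(k); },
  };
}

// Constructed scenario: reading topgear.com (the site from the article) with an
// ad pixel from ads.example.net, a widget from cdn.trusted.net that the user has
// explicitly allowed, a blocked site example.org, and a session-only forum.
function demo() {
  const policy = makePolicy({
    blockThirdParty: true,
    exceptions: { "trusted.net": "allow", "example.org": "block", "forum.co.uk": "session" },
  });
  const jar = makeJar(policy);
  const page = "https://www.topgear.com/episodes/";
  const firstParty = jar.setCookie(page, "https://www.topgear.com/api", "sid=abc123; Path=/; HttpOnly");
  const thirdPartyAd = jar.setCookie(page, "https://ads.example.net/pixel.gif", "uid=42; Path=/");
  const allowedThirdParty = jar.setCookie(page, "https://cdn.trusted.net/widget.js", "w=1");
  const blockedFirstParty = jar.setCookie("https://example.org/", "https://example.org/login", "tok=xyz");
  const sessionOnly = jar.setCookie("https://forum.co.uk/", "https://forum.co.uk/", "pref=dark");
  const stored = jar.size();
  jar.closeBrowser();
  return { firstParty, thirdPartyAd, allowedThirdParty, blockedFirstParty, sessionOnly,
           stored, afterClose: jar.size(), sid: jar.get("topgear.com", "sid") };
}

console.log(demo());
```

Run it with `node cookies.js`. The point to take from it is the ordering of the checks: a per-site rule you set in the exceptions list beats the third-party switch in both directions, so an "allow" entry re-admits a tracker even with third-party cookies blocked, and a "block" entry stops a site storing anything even when you are on that site itself.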


WS contributing editor Susan Bradley recently received an MVP (Most Valuable Professional) award from Microsoft for her knowledge in the areas of Small Business Server and network security. She’s also a partner in a California CPA firm.

All Windows Secrets articles posted on 2010-03-25:
