A total of $442,000 paid in bounties to all contestants.
Well, it seems like no one was safe in this year’s Pwn2Own hacking competition as all 4 major web browsers have failed to protect the users.
The star of this contest however was Jung Hoon Lee (lokihardt) who has managed to reap $225,000 in rewards, breaking through Chrome’s security with a buffer overflow (which earned him $110,000) and then exploiting Microsoft’s Internet Explorer ($65,000 in rewards), followed by Apple’s Safari ($50,000 in rewards).
That should be enough to improve his life for good.
Now here’s something that should definitely concern you. According to the recent report, there is a way to reveal typed in passwords in the Internet Explorer 11 (on Windows Phone 8).
All you have to do is:
- Enable Cortana if not yet enabled
- Type the password
- Highlight the password (we’re talking about ******) and then hit the search button
- Congratulations, you are now seeing a supposedly hidden password
Apple tops the OS chart.
In the recently published study by GFI, which took a database of vulnerabilities that were published in 2014 and created a chart that makes sense, it looks like Microsoft‘s Internet Explorer still has a long way to go until it‘s no longer the most vulnerable web browser out there.
As you can see in the chart below, the top application by vulnerabilities reported in 2014 was indeed Internet Explorer (242), followed by Google Chrome (124) and Firefox (117).
If you have bought a Lenovo laptop this or last year and haven’t heard yet, one of the most successful PC makers has been caught installing adware on a number of machines with reports starting from mid-2014.
Basically, a software called Superfish is injecting third party ads on Google searches. Not only that, it also injects its own certificate, allowing to snoop on secure connections and decrypt them. Just take a look at this screenshot:
In an effort to protects its users and reduce the number of malicious add-ons, the open source organization has announced its plans to enforce extension signing, which means that starting from Q2, 2015, developers will have to get a signature verification from Mozilla. The extension signing warnings will first appear on Firefox 39.
Forms a new privacy initiative called Polaris.
In an effort to protect its user’s privacy, Mozilla has announced a new strategic initiative with the Center for Democracy & Technology (CDT) and the Tor Project, which they hope will support and advise Polaris projects that should benefit everyone.
As a result, two new experiments have been announced as well (under Polaris belt), focusing on anti-censorship technology, cross site tracking protection and anonymity. In addition to that, Mozilla will also start hosting Tor middle relays, which will make the whole Tor network more responsive.
BrowserStack, a paid service with over 25,000 customers (including eBay, Adobe and other giants) that allows you to test your web sites on more than 700 different web browser configurations, has been compromised.
The customers has since received the following email:
Back in April, everyone was talking about “that Heartbleed thing”, now, it looks like the search giant has found a new exploit in the now 18 year’s old SSL 3.0 protocol, which is still supported in a lot of web browser and can also be used as a fallback in case newer protocols fail to connect.
How to fix it? Well, the server administrators could disable SSL 3.0 completely but that’s unlikely to happen anytime soon. As far as other solutions go, Google says that it can’t be fixed and there are no reasonable workarounds.
On a slightly positive note, it was discovered (and not fully revealed) by Google so no one knows how widespread it exactly is. So here you have it folks, an exploit that can’t be fixed.
More money, more security.
After squashing more than 700 Chrome security bugs and paying a total of $1.25 in rewards, the search giant has decided to encourage hackers even more.
Starting from July 1, 2014 (yes, they are going backwards as a special treat even though they announced it recently), Google is upping the maximum reward range from $5000 to $15,000, which is triple of what they used to pay (although there were always few exceptions such as last month’s $30,000 pay for what they call to be “a very impressive report”.
Aims to block even more malware.
Back in 2013, Google has announced a Safe Browsing filter, which improves user experience by automatically blocking malicious downloads. Now, the search giant has announced additional steps to combat deceptive software.
Starting next week, Google Chrome will also protect users from programs that are disguised as a helpful download, for example: the ones that change your home page or adjust other web browser settings.