What Pwn2Own Tells Us About Browser Security

Safari fell in the blink of an eye, while Chrome emerged unscathed from its third consecutive Pwn2Own hacking contest. At face value, it seems that we should simply avoid using Apple’s Web browser, and everyone should use Google Chrome. But, it’s not quite that simple, and there are some other lessons to be learned from what was hacked–and what wasn’t–at the annual security event.

Apple just updated the Safari Web browser to patch any known bugs and issues before teams of hackers took a crack at it. It didn’t do much good. A team was able to exploit Safari to exploit a MacBook Air in five seconds. Yes, five seconds–like less time than it takes most people just to type “Safari got hacked in less than five seconds”.

Meanwhile, nobody even attempted to take the record $20,000 prize offered by Google for a successful hack of the Chrome browser. There were two teams registered to give it a shot, but one no-showed and the other chose to skip the Chrome contest to focus on its efforts to hack the BlackBerry OS. So–Chrome remains unhacked, apparently devoid of exploitable security holes.

So…the obvious message is never use Safari, and make the switch to Google Chrome, right? Well, no. Not really. I mean–sort of, but it’s not that simple. The trap is falling for the illusion that Chrome is somehow invulnerable. It is important to keep things in perspective, though. Surviving Pwn2Own doesn’t mean that Google’s browser can’t be hacked–just that none of the security researchers participating in the event are aware of an exploitable security hole.

The success of Chrome at Pwn2Own could lead users to a false sense of security. There is no such thing as unhackable software–only software that hasn’t been hacked yet. Professional malware developers keep exploits secret so they can be used in attacks and remain undetected.

The Safari hack illustrates the reality that there are security holes even in browsers that are fully patched and updated. The Pwn2Own hack of Internet Explorer demonstrates that attackers can even bypass or circumvent security controls in the underlying operating system.

It certainly makes sense to use the software that appears not to have exploitable security holes, and seems to be inherently more secure. Your software may not be impenetrable, but you should at least choose the software that makes malicious developers work harder to exploit it. From that perspective, I would recommend dropping Safari and embracing Chrome.

Just remember not to let your guard down or mistakenly assume you are secure by default just because Chrome survived Pwn2Own.