Of the four browsers that were targeted in this year’s Pwn2Own contest at CanSecWest, only Google Chrome wasn’t successfully hacked despite the $5000 reward offered:

The contest uncovered 4 new and unique critical vulnerabilities affecting the latest and greatest versions of IE, Safari and Firefox. The Chrome browser gets a small nod for being impacted by one of the flaws, although exploit is not possible using any current known techniques. I’m sure they’ll get it fixed up just the same.


According to an interview with ZDNet, this isn’t just a coincidence or Chrome being a less interesting target; it appears as though the sandbox model really deters hackers:

There are bugs in Chrome but they’re very hard to exploit. I have a Chrome vulnerability right now but I don’t know how to exploit it. It’s really hard. They’ve got that sandbox model that’s hard to get out of. With Chrome, it’s a combination of things — you can’t execute on the heap, the OS protections in Windows and the Sandbox.

Hopefully other browsers will copy this model; it means a hacker needs both a bug in the browser itself and in the sandbox to exploit it. A more worrying thing is that most major browsers appear to be full of holes, and there are not enough incentives for “white hat” hackers to publish their findings if they find one of them. Charlie Miller used a year-old exploit to collect $5000 now, instead of publishing it the moment he found it.

It’s even said that the bug found in Internet Explorer 8 might have been worth more than $50,000 if sold to the right (or rather: wrong) person. If CanSecWest made one thing clear, it’s that we need a new model for rewarding security researchers.

Most of them find bugs to make a living; so either their employer or the company that makes the software containing the bug pays them. But what happens if the bug is found in open source software? Sure, the Mozilla project has enough cash, but there are other projects that aren’t that lucky. On the other hand, a black market for vulnerabilities has developed. We need a good alternative for that, and we need it soon.