Two days into the Pwn2Own hacking challenge, only a few still remain.
So far, hackers have not been able to exploit Mozilla Firefox 3.6, Google Chrome, and the mobile Android OS.
Victims of the contest include Internet Explorer 8, Apple Safari 5, iOS 4 and BlackBerry.
All the security researchers who manage to exploit the browsers or operating systems take home a cash prize of $15,000 and a laptop. If Chrome gets beaten, the researcher takes home $20,000.
Charlie Miller beat the iPhone 4 with iOS and has taken home the prize in 2007, 2009, 2010 and this year.
Firefox fixed 10 security flaws the day before the contest started, and Google fixed 9. Chrome has yet to be defeated since its launch in 2008, while Firefox was beaten in 2009 and 2010.
Security researchers from VUPEN beat Safari 5, rather easily: “We pwned Apple Safari on Mac OS X (x64) at Pwn2Own in 5 seconds.”
Result for: internet explorer
After originally pledging to support both H.264 and WebM content, Google has decided it will ditch the H.264 video codec from Chrome and go with its WebM format instead.
H.264 video is widely used, currently being the de facto industry standard for encoding digital video. It is used with Blu-ray disc and is supported by a wide variety of consumer electronics devices. However, H.264 technology is patented and adopters pay royalties to the MPEG-LA group.
Google acquired On2 Technologies in 2009 to gain access to the VP8 codec. It opened op the VP8 codec and created a new royalty-free media format called WebM. WebM gained support in the Firefox, Opera and Chrome browsers, but Apple and Microsoft declined to officially support WebM (although WebM support can technically be added to Internet Explorer).
The growing split on the Internet between H.264 and now it’s growing royalty-free competitor WebM is likely to cause problems for content producers looking to use HTML5 to display video content on the Internet.
It is unclear how Google’s removal of H.264 from Chrome will affect Google’s other web services, particularly YouTube.
Result for: internet explorer
Microsoft has offered a temporary “Fix It” workaround for a bug in Internet Explorer 6, 7 and 8 that is being exploited on some websites.
The vulnerability involves the way the browser handles cascading style sheets (CSS), triggered by recursive CSS pages where the style sheets include their own address. The flaw was confirmed by Microsoft in December, and it has updated its advisory to include a workaround due to reports of attacks that target the vulnerability.
The workaround comes in the form of a “Fix It” solution from Microsoft. To be effective, the browser needs to have all the existing security updates installed. The fix basically forces Internet Explorer to avoid importing a CSS style sheet if it has the same URL as the CSS style sheet from which it is being loaded.
Using the Fix It solution will cause a slight performance hit, adding about 150 milliseconds to the browser’s start-up time, so it should be removed after Microsoft releases a proper security update for the flaw.
