March 25, 2010, 6:21 PM — As usual at Pwn2Own, the contest to see who can hack 'secure' programs and systems the fastest at the CanSecWest security conference, the big loser was Microsoft, which saw IE 8 on a fully-patched Windows 7 system get cracked in less than two minutes. That said, everyone's Web browsers were being cracked open left and right at the show ... except for Google Chrome.
While Firefox and Safari may be better than IE, these Web browsers didn't last very long either. As for Google's own Web browser, at this point, it's seemed no one's even tried to bust Chrome according to the group sponsoring the contest, the TippingPoint's ZDI (Zero Day Initiative).
Why not? After all, everyone who hacks a browser gets a cool $10,000 for their efforts. The reason was predicted by Aaron Portnoy, TippingPoint's Security Research Team Lead, to be that while Chrome is often affected by vulnerabilities due to its inclusion of the WebKit library, I predict the browser will remain untouched throughout Pwn2Own. This is due to the difficulty in producing an impactful exploit that can break out of the security sandbox."
You see Chrome makes sure that any process that starts from within the browser is granted very limited privileges, thus, it's said to be kept in the sandbox. It's not that Chrome is adding anything new to security. It's not. It's just making sure that any Web-based application gets only enough access to do its job and not one bit more. The upshot is that while you might be able to break from the browser into the sandbox, you're still stuck in the sandbox and you can't actually do anything.
This bodes well for Chrome as the Web browser of choice for people who want a very secure Internet experience. Chrome is also blazingly fast and just an overall excellent Web browser.
That said, I should also note that Pwn2Own didn't offer prizes for anyone beating up on other popular Web browsers such as Opera or the Linux operating system. The sponsors claim that neither is popular enough. That seems a little silly to me. While I have my own concerns about Opera's security, it should have been in the competition as well. And, as for Linux, what can I say, except maybe they didn't want to show up Windows and Mac OS X's comparatively poorer security.
