There seems to be a little bit of confusion about what it means when a browser does or does not get exploited at Pwn2Own that I think warrants some clarification.
First, the people winning at Pwn2Own are professionals, extremely talented and dedicated professionals. They have the time and the smarts to find and exploit holes in probably any Internet-connected software. They're not amateurs. They get paid for this difficult work.
Because the work is often time-consuming, difficult, and takes a very specific set of expertise, they don't go after every hole and every exploit in every piece of Internet-connected software. They work in a marketplace that prioritizes, through personal and company fame, and through cold hard cash, which exploits are most valuable.
In practice, that means that some exploits are worth a lot more than others. A really good IE exploit can fetch tens of thousands of dollars. A Firefox exploit is also worth a lot but probably somewhat less than an IE exploit. A Safari exploit is certainly worth less and it's hard to know if a Chrome or Opera exploit is worth any cash at all.
So, if you're a security researcher and you're picking a target, you're going to weigh the difficulty of the task and the cash payout (or in the case of Pwn2Own, the marketing/promotional value as well).
Second, finding and exploiting security holes in browsers is not child's play. It takes a lot of hard work by some very very talented people.
If, for example, there's no money to be had from Opera, OmniWeb, Epiphany, or Netscape exploits in the exploit marketplace, these skilled researchers won't be spending any time learning those browsers and trying to come up with exploits. (And the Pwn2Own contest doesn't even offer prizes for those browsers.)
So, Opera for example might be really really secure or really really insecure or somewhere in the middle and we just can't tell from the number of known exploits or from this contest because none of those people care about Opera.
Third, if they want to win, these security researchers don't come to the contest armed with only their wits. They bring exploits that they've already discovered and perfected and that they're willing to "give up" for the prize machine, the money and/or fame.
This all means that whether or not a browser "falls" in the Pwn2Own contest is really not a test of the browser's comparative security. There are a lot of factors at play and reducing something as complex as user safety online to the results of a contest like Pwn2Own or the number of disclosed flaws would be a huge disservice to people who are already having a difficult time understanding online security.
Update: I'm not singling out Ryan at Ars, I actually think he wrote a fine article. It's a lot of the surrounding posts and commentary that's most confused and/or confusing.
Posted by: testboy | March 21, 2009 3:27 PM
Yeah, it's the same argument FF users used to scream about, and IE users would say, "Well that's because you have like a 3% market share." Also applies to Windows vs. OS X.
Posted by: Kyle | March 21, 2009 6:47 PM
When I claimed Firefox wasn't as insecure as IE back when we had 3% market share, the security researchers agreed and it had nothing to do with market share. Firefox was more secure, not just less attacked, but fundamentally more secure. And those same experts agree today that Firefox is more secure.
Still, the world is a completely different place than it was 4 or 5 years ago.
There wasn't the huge and thriving market attached to browser security (both the good guys and the bad guys) that there is today.
But yes, market share does play a role and I've never claimed that it didn't. It isn't the only factor either.
Today (and today is not last year or the year before or the year before, etc.) if you can get $50K for a good IE exploit or $20K for a Firefox exploit or $5K for a Safari exploit and next to nothing for a Chrome, Opera, or Netscape exploit, which one are you going to target? Well, considering that Safari on Mac is a much easier target (according to the security researchers participating in Pwn2Own this year) maybe you try for several exploits there rather than one exploit in the more difficult to attack Firefox or IE. Maybe not. But economics plays a role and if there's no or little economic incentive today to attack a particular browser, that browser probably won't be hit as hard.
Posted by: Asa Dotzler | March 21, 2009 7:27 PM
Asa, I agree with you on all points BUT it really sounds like the general tone of your article is saying that's not that important. I think you are wrong here.
Let me summarize: these people are pros, they are paid for that, it's considerably difficult work that requires extreme skills and they target only mainstream browsers.
There can be only two conclusions: (1) these security holes should not exist (2) HIRE THEM?
Posted by: Daniel Glazman | March 22, 2009 12:11 AM
Asa, not sure you have seen this interview with Charlie Miller: http://blogs.zdnet.com/security/?p=2941
While I agree that the results of Pwn2Own contest aren't all that meaningful, this interview is certainly interesting.
Posted by: Wladimir Palant | March 22, 2009 2:11 AM
Apart from the prize money in this contest, in what other ways do security researchers actually make money from an IE or FF exploit?
Posted by: anon | March 22, 2009 5:41 AM
Zombie computers in botnets are a valuable commodity to people who want to do Bad Things (R).
Posted by: RyanVM | March 22, 2009 9:29 AM
In my opinion, this is almost politics. Rehash old words to make them socially acceptable.
Firefox used to be "more secure"; at some point it's "not as secure" even though it's been developed and patched and overhauled several times over.
Soo.. has everybody that has claimed that something that is more popular is inherently less secure... been wrong?
Is this whole security thing just marketing and nothing more?
Maybe security should be stated as "time between a discovery and an actual patch delivered in a final product".
I never understood Firefox or even SeaMonkey before it in claiming something was patched when it was in a milestone build or a beta or an RC.. and NOT in an available downloaded product.. or now, in an auto update.
Posted by: larffy | March 22, 2009 11:24 PM
Hi,
Sorry, can't help but add one more message on the same topic. At the beginning of a browser, people say: "Look, we have much fewer vulnerabilities than our competitors, we are therefore more secure".
Then the former challenger became more famous, more used and ended up in the same category as the previous foes.
When a new challenger comes around, with approximately the same marketing line, then the guys say: "Hey, we already have used this marketing trick! Go away."
Quite funny :)
Posted by: steve | March 23, 2009 11:20 AM
Steve, I think you and many others are mis-remembering your history. I've never said Mozilla or Firefox were more secure because there were fewer known vulnerabilities. I've said over and over that we were more secure because we had a better architecture, more people reviewing our code, and a much more responsive fix and deploy updates strategy.
Read my posts on security. Really. I encourage you to go back and see what I've said. I've said that time to fix matters. I've said that time to deploy fixes (updates) matters. I've said that bug counting was stupid, even if it favored us. I've said that open source reviews matter. I've said that architectural decisions and well thought out web standards matter.
Go read what I wrote. Otherwise you're just making up arguments and putting words in my mouth.
- A
Posted by: Asa Dotzler | March 23, 2009 11:25 AM
Not knowing the exploit used on Firefox, I wonder if it would have been successful had NoScript been installed.
Posted by: Corrine | March 24, 2009 5:10 PM
It is like there are more recipes which use chocolate for dessert compared to ice cream that those culinary chefs came up with.
Both of 'em are alluring though ;)
Posted by: mistake | March 25, 2009 9:16 AM
I was wondering the same thing about NoScript. From all I've read, I have the impression that Firefox is safer than IE 7, which is safer than IE 6, but FF is still not totally safe. With NoScript, though, it's almost totally safe. Like, for example:
chance of getting infected:
IE6 ___ 90%
IE7 ___ 30%
FF3 ____ 3%
FF3NS __ 0.3%
Posted by: Q Neville Ryder | March 25, 2009 11:59 AM
I guess I should explicitly state that I made up those numbers to illustrate my impression. They are just what I've put together in my head from reading hundreds or thousands of posts and articles, not any particular survey or report. The original question was "how much safer does NoScript make Firefox?"
Posted by: Q Neville Ryder | March 25, 2009 12:37 PM
Isn't that the argument we heard for years why IE just appears more insecure vis-a-vis Firefox, while allegedly not being in fact less secure but just more popular?