Which Browser Is Secure? None Of Them (and a rant about conspiracy theorists, with a se curity insight)

Well, Safari hasn’t been hacked at this year’s Pwn2Own — yet. But it’s had enough issues in the past that I would be surprised if it survives this round..

Anyway, the French security and “who cares about the common good when you can make money” firm Vupen has so far showed off hacks against Java, Adobe Flash, Mozilla Firefox, and Internet Explorer at this year’s Pwn2Own. Other researchers have pwned Google Chrome as well.

At least notorious security-hole-that-shows-movies Adobe Flash is starting to get a little respect from the people poking holes in it…

“Flash is a different thing and it’s getting updated all the time and Adobe did a very good job securing it,” Bekrar said. “It’s more expensive to create a Flash exploit than a Java one.”

Background: Pwn2Own is security contest with some very high-paying prizes. It initially started as a game of “if you can hack this computer, you can take it home.”

Conspiracy theory rant:
Right, so reading stuff on the Internet, I managed to find a review of “Cabin in the Woods” that devolved into something about Beyonce, conspiracies, and strange symbols and mass spectacle. As someone who’s studied the subtleties of visual media, this kind of thing is as annoying as it is innaccurate.

First of all, there are no “dark gods” to be appeased by anyone.

What passed for “witchcraft” in a bygone age we now know to be methods of hacking the subconscious and other forms of advanced cognition, only translated into words & concepts the people of those times could understand.

The “symbols” and “rituals” are ways of representing & phrasing concepts such that they resonate with the mind (particularly the subconscious) in certain ways. That they still work — or might even elevate a song to the top of the charts — is not a testament to the power of “magic” but rather to the power of the mind. (Specifically, the minds witnessing the spectacle… not the minds architecting it.)

This is not to say, of course, that the mind isn’t capable of things we don’t fully understand. In light of the most modern research, we could just as easily rephrase an old saying to read, “sufficiently advanced psychology is indistinguishable from magic.”

What gets me about the “conspiracy” approach is that it assumes a fixed library of “ancient symbols” that are capable of these effects, and therefore confer the ability to conjure them up only to people who know about them.

This approach is useful in as much as certain symbols have been imbued with meaning by other people over the years and centuries, yes. Communication on this level is extremely low-bandwith and the “code book” approach is indeed handy.

However, this mindset completely ignores the fact that if the underlying principles are understood, it’s possible to compose your own sentences in the language of this kind of communication.

Totally confused? Take a moment and study a real conspiracy, architected by one of the best media manipulators of the century: http://www.businessinsider.com/birth-of-consumer-culture-2013-2?op=1

Goebbels had Bernays on his bookshelf for a reason. Bernays single-handedly set off the marketing equivalent of the quantum physics revolution when he realized that it was possible to bind popular associations to everyday products. From there, it was just a short jump to designing product packaging and propaganda in the same way old civilizations designed temples — with careful attention to the shapes, colors, and forms that resonated with the mind.

Security insight:

If we consider the subconscious mind as much more sensitive to details in the environment than we realize, this presents an important defensive security tool. By paying attention to our own reactions and instincts, we can spot adversaries and manipulations that would otherwise go unnoticed.

Being able to spot dangers through meta-cognition is useful for a particular type of threat: the one that has a subconscious effect but which for one reason or another can be regulated away by conscious control.


“Finding and exploiting new vulnerabilities in the major browsers has become a difficult exercise for security researchers, thanks to the exploit mitigations, sandboxes and other protections that Microsoft, Google and Mozilla have added in the last few years. The same has become true of Adobe Flash, but difficult is not the same as impossible, as the contestants at the Pwn2Own contest here have shown.

On Thursday, the team from French security firm VUPEN jumped through a series of hoops, chained together three separate zero-day vulnerabilities and successfully compromised the latest patched version of Flash as part of the contest. That feat won the company another $70,000, on top of the $180,000 it had won on Wednesday for successfully attacking Firefox and Internet Explorer 10.

Chaouki Bekrar said that compromising Flash has become much more difficult in recent years, thanks to the advances Adobe has made in protecting the plug-in.[…]

“Flash is a different thing and it’s getting updated all the time and Adobe did a very good job securing it,” Bekrar said. “It’s more expensive to create a Flash exploit than a Java one. Every time Adobe updates Flash, they’re killing bugs and techniques and sandbox bypasses, and honestly, Adobe is doing a great job making it more secure.”

Other competitors also have had luck in this year’s contest, with a team from MWR Labs compromising Google Chrome on a Windows laptop on Wednesday. That team used a series of exploits and vulnerabilities in order to bypass the various memory protections in Windows, including ASLR and DEP, and used a separate kernel vulnerability to gain elevated privileges.”

%d bloggers like this: