Each year the CanSecWest conference holds a hacking competition (Pwn2Own). Security professionals compete to get malware onto a machine faster than anyone else. Each contestant can pick the browser they wish to attack.
At this year’s conference, every major browser, including IE8, Firefox, and Safari, was hacked over a 3-day period. The only browser that was not hacked was Chrome. One of the winners of the contest had some interesting things to say about why Chrome was not hacked.
Chrome’s “sandbox” is not an accident; it was designed for this case. Each web page runs in a renderer process, and that process has no privileges on the OS, so it cannot write to disk or talk to the network. With all of the browsers being hacked, it’s fair to assume that hackers will find flaws in any browser. Avoiding flaws is key, but the sandbox ensures that those flaws are contained to some degree. It is much harder to do persistent damage to the machine after the flaw has been exploited because the process can’t touch the network or disk. While IE8 also uses multiple processes, it does not implement a sandbox, so it is vulnerable in similar ways to single-process browsers. Don’t get me wrong: the sandbox is not perfect, and I’m sure someone will find an exploit. But it does make Chrome harder to break into. Plugins will be a vulnerability, as they cannot yet operate in a sandboxed environment (Flash, for instance, requires access to the OS in order to run).
IE8, Firefox, Safari Owned by 0-Day Vulnerabilities, Chrome Survives Intact
Chrome last browser standing after day one of Pwn2Own
Internet Explorer 8 Gets Hacked, Already
IE8 shipped yesterday! If you use Microsoft’s Internet Explorer, this browser is a must download. As this performance test from ZDNet shows, Microsoft has made fantastic progress between IE7 and IE8. IE8 is solidly 5 times faster than its predecessor, and it is also much more compatible with rendering sites on the web.
“Chrome 2 beats Safari 4 like a rented mule”
“The upshot: Chrome wins both tests handily, with Firefox in second place on Sunspider and Safari in second place on the V8 benchmark.”