Contest Proves Browsers Have Flaws

Actually, I’d like to say that the CanSecWest contest proves again that Stuxnet was not a major engineering effort. But I’ll skip dragging up that controversy again and instead point to the obvious. Researchers have demonstrated that a browser running with superuser rights and no other controls/protections may have a vulnerability.

So make sure you use more controls than just the default browser and OS settings…the usual advice. Yes, it’s still true: software can have a security flaw that a single engineer can find without much effort using fuzzing, debugging and memory analysis. Do not depend on the software alone for security.

…it took him about two weeks to find the bug and set out to exploit it.

[…]

Wednesday’s event saw hackers take complete control of a fully patched Sony Vaio and MacBook Air by compromising IE and Safari respectively. Google’s Chrome browser was also up for grabs, but no one stepped forward to try hacking it.

Fully patched, but that’s all.

Wonder if Google is worried about what this says about market share and software adoption. Will they be able to stay above 10%? Recent data suggests IE6 dropped 10% in the past year but is still more common than Chrome.

Attackers used to ignore Apple when it was a small player in the market. Then it rocketed into target territory with several hugely popular products. Google must be frustrated that no one stepped forward to attack them. Even their $20,000 add-on bonus was not enough to gather interest.

One thought on “Contest Proves Browsers Have Flaws”

  1. Haha! Very funny. I had not thought of it like that but in your post MS and Apple gained again but Google got skunked.
