At Pwn2Own 2014, an annual computer hackfest in Vancouver, Mozilla’s Firefox has proven yet again that it’s the least secure major web browser. While all four major web browsers — Chrome, Internet Explorer, Firefox, and Safari — were successfully exploited, for a grand total of $850,000 in prize money awarded to successful security researchers, Firefox was by far the least secure browser, racking up no less than four zero-day vulnerabilities. These vulnerabilities, if they were in the wild, would allow a hacker to do just about anything with your computer if you visited a specially crafted website.

Firefox has never had a great record at Pwn2Own. While the format of the contest has generally changed every year since its inauguration in 2007 (different platforms, different rules, different attack vectors), Firefox has been involved in some way or another since 2009. While Chrome went unhacked in 2009, 2010, and 2011, the only year that Firefox wasn’t hacked was 2011. Since 2012, however, as security researchers have grown ever more wiley, every major browser has fallen to at least one zero-day vulnerability. That four separate vulnerabilities were found in Firefox at Pwn2Own 2014, however, is impressive. (Read: The death of Firefox.)

Firefox’s weaker security is generally attributed to its lack of a sandbox — a shell or firewall around a piece of software that keeps it segregated from the rest of the operating system. In theory, the sandbox should prevent the browser from running other programs, reading the contents of your RAM, or opening other files. Chrome, Safari, and Internet Explorer (newer versions) all have a sandbox, while Firefox does not. In short, if someone finds a big enough vulnerability in Firefox, there’s nothing preventing them from gaining complete access to your computer. It is slightly disconcerting that security researchers found four such vulnerabilities in just three days at Pwn2Own. (Read: How to surf safely: From LastPass to tin foil hats, and everything in between.)

Somewhat fortunately for us, since Pwn2Own 2013, all of the vulnerabilities are reported to the web browser makers so that they can be fixed in a timely fashion. Still, it is a good reminder that Firefox might not be the best choice of browser if security is one of your primary concerns when surfing the web. As for why Firefox doesn’t have a sandbox, it’s most likely because it was conceived in an era when security on the web was still a nascent and naive topic. Chrome, which was developed a few years later, was intentionally designed from the outset to be very fast and secure. Likewise, Microsoft went through a complete overhaul between IE8 an IE9, adding a sandbox and other modern features so that it could actually stand next to its peers without being snickered at. Mozilla would like to add sandboxing to Firefox, it’s very hard to add sandboxing to a program that wasn’t originally designed for it. (For technical people: It’s closely linked to the Electrolysis project, which will eventually give Firefox per-tab processes.)

A grand total of $850,00 in prize money was given out to security researchers at Pwn2Own 2014. Much like 2012 and 2013, French security firm Vupen had a very strong showing, taking home $400,000 for a total of 11 zero-day vulnerabilities, covering Chrome, Firefox, IE, and Adobe Flash and Reader. George Hotz (yes, Geohot of PlayStation and iOS hacking fame) took home $50,000 for a Firefox exploit. The prize money is awarded by the Zero-Day Initiative (owned by TippingPoint, which was acquired by HP), which actually buys the vulnerabilities from the hackers, so that they can improve the security of TippingPoint/HP products.

[Image credit: Gill Penney]