Contestants participating in the Pwn2Own 2011 hacking contest at the CanSecWest cybersecurity conference this week in Vancouver, British Columbia, cracked into Safari 5.0.3 and Internet Explorer 8, the latest, most protected versions of Apple's and Microsoft's Web browsers.
No one even bothered to attempt to hack Google's Chrome browser, even with the search giant offering a $20,000 prize.
Technology Live interviewed HD Moore, Chief Security Officer at vulnerability management and penetration testing firm Rapid7, about the contest. Moore is an iconic good-guy hacker. He founded the Metasploit Project in the summer of 2003 to discover -- and push out as fast as possible -- information about zero-day vulnerabilities in popular software.

TL: So what is the point of this competition? 
Moore: The pwn2own contest makes it clear that given enough time and incentive, most of the software we use on a daily basis can be compromised. It's a yearly reality check on how well the vendors are doing and which ones are actually improving. Apple, via Safari, has been consistently compromised, and there is little OS-level focus on exploit mitigations. By comparison, Microsoft is actually improving, since more than one exploit was required to fully compromise the target system.
TL: No one tried to hack Chrome, really? How come?
Moore: Given the options available, Chrome was likely the most difficult target due to the extensive sandboxing. Even if you find a flaw and can reliably exploit it, escaping the sandbox is much more difficult than evading protected mode on Internet Explorer. Most folks don't apply to pwn2own unless they are reasonably certain they can succeed. If the Chrome bounty was raised to $50,000, the results may have been different.
TL: So were there any useful lessons learned?
Moore: The successful compromise of IE8 by Stephen Fewer is a great example of why local vulnerabilities, those that are not remotely exploitable on their own, are becoming more important every day. The vendor can try as they might to reduce permissions and otherwise limit the execution environment of the browser, but given an exploitable vulnerability in the operating system itself, these efforts are ineffective.