Domain: tippingpoint.com
Stories and comments across the archive that link to tippingpoint.com.
Comments · 62
-
Re:No love for Safari?
That is an interesting shocker. Because usually at pwn2own, the Mac goes first (because beating it got you a nice MacBook Pro), followed by Windows (normally some nice Sony laptop), and then Linux (some generic Dell).
Linux has never been hacked in pwn2own.
I don't think Linux is one of the hacking categories at Pwn2Own. http://dvlabs.tippingpoint.com/Pwn2OwnContestRules.html
-
Re:Apple has to step up their game.
But to say it's about to have the same level of infections as Windows?
Let's look at this year's Pwn2Own. Oh look, Safari and OSX hacked with the ability to run arbitrary code off of a website (which could include fetching a shellscript and running it). What about previous years?
Really, where the heck do you mac users get this sense of assurance from? For years, people have been telling you that the platform is no protection from 3rd party security vulnerabilities (java, acrobat, flash); and for years we've been saying that no platform is bug free; and for years we've watched as Mac after Mac falls in Pwn2Own to exploits which "just work".
We've also been saying that "once Mac gets a big enough market share, malware vendors will set their sights on Apple". And guess what, it's starting now. Why are you so sure that they won't start using those no-click exploits commercially? And the real question of the day, what security features are you so confident in from OSX that you think Windows 7 and Vista don't have?
-
Re:So Mac Users should expect this?
And actually, as it turns out, we're both wrong. I looked into pwn2own's rules for 2011. You sign up for 30 minute time slots, and you win the prize for a successful hacking, not for which order the systems go down in.
I've been going on second-hand information before, and it always made sense (I assumed it was a set of boxen all set up and whichever got hacked first won first place, and so on, which in hindsight does seem more Hollywood than reality).
Anyway, full details direct from the source: TippingPoint - Pwn2Own 2011
-
Re:So to be clear, was the Mac system running OS/X
The exploited system wasn't running Windows 7, it was running Snow Leopard. See the official blog for more info: http://dvlabs.tippingpoint.com/blog/2011/02/02/pwn2own-2011
-
Nothing to do with Pwn2Own. At all. No siree ;)
"Chrome 10 also addresses 23 security vulnerabilities in the WebKit-based browser (easily more than Google has ever fixed before): 15 rated as High, three rated as Medium, and five rated as Low."
pwn2own: 9th, 10th, and 11th of March, 2011
-
Re:The opposite???
According to this link, Pwn2Own was about cracking browsers, not operating systems. Seems to me that there is a difference.
-
Talking of secure...
"Vincenzo Iozzo and Ralf Philipp Weinmann succeeded in exploiting the iPhone in the first time slot. They exploited a Safari vulnerability with a payload which retrieved the text messages from the device. Charlie Miller (Twitter: 0xcharlie) competed successfully for the third year in a row, taking home the MacBook Pro via a Safari exploit which delivered a full command shell payload." In case you missed it: "for the third year in a row"!!! Before blaming all the evils on the internets on Flash, some companies got some hole plugin' to do
:P http://dvlabs.tippingpoint.com/blog/2010/02/15/pwn2own-2010
-
Re:Both have problems
I don't like MS, though the truth is that with this last Windows, they are really more secure than other OSes. If you guys pay attention to the hacker championship, the one that gives a prize for the fastest hacker to invade one system, the fastest invasion happens on Mac OS X, then Linux, and Windows last.
Oh, you mean Pwn2Own? 2010? Nope, Linux not tested. 2009? Nope, not tested. 2008? Can't be, the Sony Vaio running Ubuntu was never cracked.
Anybody got results from 2007 or earlier? I can't find them.
-
Re:Flamebait
What makes the choice of OS X over Win 7 even odder is that Safari was the first browser to fall at last March's pwn2own.
-
Re:This is what floundering looks like
They've had so many security holes over the past few years I hated installing Flash or Reader on anything.
According to Symantec, Flash and Acrobat are actually more secure than your browser: the two combined had fewer vulnerabilities than Safari, or Chrome, Firefox, or IE. Also fewer than QuickTime or Java.
There were times it took Adobe months to release critical security fixes and the only reason they didn't do it sooner was because they were too fat and lazy.
Care to cite a source? I don't remember reading any reports recently about Flash zero-day exploits. Which is less than you can say for most browsers.
(And as an aside: the Symantec report above also says that Apple took on average 13x longer than other browser vendors to patch their security holes...)
Point is, any computer exposed to the Internet is at risk, and no vendor can claim the high ground here.
-
Re:This is why Android could take over the market.
No, I didn't read the article you linked to. I'm already well versed on what the bystander effect is so I don't have a particular need for an about.com re-hash of the wikipedia article on it. I know enough about it to also realize that it has very little to any relation to what happens during the life cycle of major open source software, re: apache, linux kernel, x server, ssh, etc. Despite my trust and the fact that my computers run all of that software, I have yet to get hacked into once. Somebody must be paying attention because every so often, my update manager pops up and tells me to update them. I do and life goes blissfully on. Don't get me started on when I used to run a certain proprietary OS.
Closed source might not be any better but if you are buying from a company that has a reputation and a monetary stake in the matter then you at least have some leverage and some recourse if something goes wrong.
And get what for my troubles, some coupons and free downloads for more crap? I think I'll stick with what I have now.
it at least lends credence to my argument:
Well, here's something that lends some credence to mine. I'll quote the relevant bit to save you the trouble.
So at the end of the last day of the contest, only the Sony VAIO laptop running Ubuntu was left standing.
-
MS "fuzzing" Pwn2Own results?
How is Microsoft's response here not them trying desperately to spin their way past the latest Pwn2Own results from CanSecWest? Safari, Firefox and IE8 all went down pretty quickly. Chrome wasn't even attempted. Nobody there had a way to take it down. Money was left on the table.
( http://dvlabs.tippingpoint.com/blog/2010/02/15/pwn2own-2010 )
Microsoft's response?
First claim that Windows 7 isn't really meant to prevent you from hacking into it.
( http://www.computerworld.com/s/article/9174309/Microsoft_defends_Windows_7_security_after_Pwn2Own_hacks )
Then try to convince people Chrome is somehow worse.
Seems like that makes your choice either to accept that a company like Google knows what information you're looking for [turn off the option, heck even use a different browser. I'm sure they can figure it out anyway.] or to let any random hacker access ALL the data on your system.
I'll take option A thanks.
-
Re:Misleading; no credibility
I did not know the rules of the Pwn2Own contest, so came up with some things that sounded reasonable:
- first hack counts for more than later hacks.
- new exploits count for more than old ones.
- teams succeeding on a given target (be it OS, service, whatever) split a pool of points; the more teams that target a system, the lower the value overall would be.
Looking at Tipping Point's Pwn2Own 2010 page, I find that they took on most of that:
- (it looks like) first hack on a platform gets all the marbles; no counter-weighting appears to have been done for multiple successes against the same target.
- platforms are weighted, presumably (but not necessarily) in difficulty.
As to "Linux vs Windows", I suppose you might count OS X in that category, as well as Android. I don't personally know if any of the other phones are Linux based. But the only general purpose computer + browser platforms in the browser category were Windows and Mac.
-
Re:Did they try to crack Opera?
Opera was not one of the targeted browsers. Check out this page for info and updates on pwn2own.
-
Re:Blame the user
remember that pwn2own contest where Vista was the last one to be hacked, and the explanation of the guy who did it
The one I remember had Ubuntu going unhacked and Vista going down second following Mac OS. Could you give me a link to the contest you are talking about?
-
Re:failed?
Are you kidding? A determined user, willing to spend enough resources to learn how to defend themselves, can protect their Ubuntu laptop--regardless of the attacker.
Source: http://dvlabs.tippingpoint.com/blog/2008/03/28/pwn-to-own-final-day-and-wrap-up
-
Re:failed?
That's an interesting proposition.
Can you back it up with sources?
I had to search for a while to find something I could use as a credible source, and I'm not sure I've got it nailed, but it looks like this Ubuntu laptop did the impossible: 100% of malware blocked.
Now, you'll say, "but the user could click and download a trojan!" But I'll respond with: they modified the contest rules on Day 3 so that the attackers could request installs be done on the laptop to give them attack surfaces. Not exactly the same, but pretty close. And the Ubuntu laptop survived that.
-
Re:MS was concerned about how this was exposed?
So, it is quite amazing that humanity has effectively wiped out smallpox and there are efforts to wipe out polio, yet there's some supreme denial that we could ever hope to have a computer ecosystem that approaches that sort of environment with malware, presuming just reasonable efforts.
Smallpox and polio were arguably a survival of the species threat. A compromised machine sending out v1gr14 spam doesn't evoke the same "Oh crap, we're going to DIE if we don't get this taken care of." level of response.
As others have pointed out, the issue with security and OS design comes down to cost. It involves a VERY LARGE number of production systems. Microsoft can't pull an Apple and just yank the plug on their 3% of the market and then release OSX and force everyone to buy their applications over again. Instead the best that we can hope for are incremental upgrades, and in the absence of upgrades, alternatives and better ways of doing things (in the form of Linux or what have you). Take a look at IE8 running on Win7 with DEP and ASLR. Will someone eventually break that combination of technology? Of course they will. But you can see the improvement. TFA this discussion is part of is about IE on XP. We might as well be crying about Netscape on Win95. Stop the presses! "Glitch found in 8 year old OS running legacy, deprecated browser!" It just reinforces my statement about malware targeting. They go for the low hanging fruit. They go for the most widely adopted technologies. There are way more XP and IE6/7 boxes than there are Win7/IE8 boxes.
The last time I personally saw a compromised Windows server in the real world was in 2004. It was an NT 4.0 SP6a machine. A client, despite being told not to, set up an unsecured wireless access point. They were next door to a Starbucks. It lasted a little more than a week before some exploit code blue screened it. On the workstation front, I haven't seen a workstation that I was responsible for compromised in four or five years at this point. However, having spoken to friends and colleagues, I know that Windows boxes are getting owned through no real fault of their users. I don't hold users responsible for not being able to cough up the cash for real, external to the box itself, security products.
There are mitigation measures available to address most of the security concerns, and for most people and organizations, those measures are good enough. It is a cost of doing business that Microsoft passes onto their customers. The customers eat the cost because they need the apps. Customers are faced with spending money one way or the other. They either spend on security products and software updates, or they spend on development resources and build their own applications. Microsoft isn't the only vendor that pushes security updates. It seems like my Java VM updates itself once a month or so. Apple is pushing updates. Adobe is pushing updates. My Ubuntu box runs apt on a cron job to get updates. Software needs to be kept up to date.
As I've said before, if I were a developer, I wouldn't be using Microsoft technology because I've seen first hand what happens when you expect a customer to cough up thousands of dollars for Windows Server and SQL licenses ON TOP OF the cost of your application. The hosted in house on a Microsoft server market is rapidly shrinking. There is a reason Microsoft offers SQL Server MSDE. It is hard to compete with free. But this is getting off on a tangent, and flying far afield of the original point about smallpox and computer security.
To use the health analogy, there are vaccines available. There are IDS and IPS products. There are proxy security products. There are AV products. If you're a responsible parent, you inoculate your children.
-
Re:Biggest Mac security threat...
Not really. pwn2own requires private exploits that no one knows about, with Windows every known exploit is used as soon as possible.
That's a great argument against Security Through Obscurity, which happens to be Apple's MO. Security Through Obscurity works so poorly that even Microsoft has given up on it.
That sort of contest doesn't indicate security in general,
Demonstrating how quickly a zero day exploit can be created and deployed has nothing to do with security in general.
unless you're so retarded you think that because an OS didn't get bothered with during the contest that it must therefore be secure.
Unless you're so retarded that you think an OS didn't get attacked.
The Mac laptop went down first on day two to a Safari exploit. Note that day two is before any additional plugins like Flash and Java are installed. The Vista laptop went on the night of the third day due to an Adobe Flash exploit. The Ubuntu laptop survived the entire ordeal. So realistically Vista/IE7 and Ubuntu/Firefox survived where OSX/Safari didn't because it was easier to find an exploit for Safari.
In reality Apple is not attacked because there is no money in it. There just aren't enough Mac machines around to make an effective botnet, nor are they as powerful as Linux servers, so they make poor spam hosts. Windows is the low hanging fruit and has the numbers on the desktop, Linux has the numbers in high powered computing, OSX is simply not big enough to bother with; this does not make OSX more secure.
-
Re:Justified praise
Microsoft's does appear to be much better, but hardly perfect...
The pwn2own article mentions the Win7/IE8 ASLR/DEP vulnerability that was patched before the final version of IE8 was released ( http://dvlabs.tippingpoint.com/blog/2009/03/27/pwn2own-ie8-exploit-foiled-is-the-browser-finally-secure ). Evidently the hack still works if launched from an intranet.
-
Re:local... remote... -- WRONG
It would be quite an accomplishment to introduce a remote exploit directly in the kernel.
Here you go: that's not that hard to achieve (well, it is, but it's not impossible): http://dvlabs.tippingpoint.com/advisory/TPTI-06-02 (a driver BO will run in kernel mode, obviously), so remote BOs on the kernel side are not unheard of.
-
pwn2own says mac easier to pwn than windows
> Every year I've read about it, the order from first to last compromised has been Windows, Mac, and Linux.
Which year? And which pwn2own contest are you talking about?
In 2006, there was no pwn to own cansecwest contest.
In 2007, it was Mac first, but only Macs were prizes ;).
In 2008, it was Mac first again (out of OSX, Ubuntu and Vista) on day 2 (nobody managed to pwn anything under the day one rules), and Vista only on day 3 (due to an Adobe Flash exploit).
Day 1 rules = remote exploit - no user interaction
Day 2 rules = default client apps
Day 3 rules = popular 3rd party apps.
In 2009, it was Safari on OSX first again, on day 1, followed by IE8 on Win7, followed by Safari on OSX again, followed by Firefox on Win7 (however multiple platforms were actually vulnerable to Nils' attack[1]). All in day 1.
http://dvlabs.tippingpoint.com/blog/2009/03/18/pwn2own-2009-day-1---safari-internet-explorer-and-firefox-taken-down-by-four-zero-day-exploits
http://blogs.zdnet.com/security/?p=2917
http://blogs.zdnet.com/security/?p=2934
[1] http://www.securityfocus.com/bid/34235
Rules:
Day 1: Default install, no additional plugins. User goes to link.
Day 2: flash, java, .net, quicktime. User goes to link.
Day 3: popular apps such as acrobat reader ... User goes to link
And Charlie Miller, one of the pwners, says OSX is easier:
http://blogs.zdnet.com/security/?p=2941
"It's really simple. Safari on the Mac is easier to exploit. The things that Windows do to make it harder (for an exploit to work), Macs don't do. Hacking into Macs is so much easier. You don't have to jump through hoops and deal with all the anti-exploit mitigations you'd find in Windows."
"For the amount of time he spent to do what he did on IE and Firefox, he could have found and exploited five or 10 Safari bugs. With the way they're paying $5,000 for every verifiable bug, he could have spent that same time and resources and make $25,000 or $30,000 easily just by going after Safari on Mac."
-
-
Re:The fundamental problem is sloppy code in Windo
Here's a problem with ESET's Nod32 discussed on March 9, 2009: NOD32 was deleting very critical and required Windows files.
10 minute fix time (and then automated repair) seems quite good. My experience with Norton was way worse - but I haven't used them in a half-decade.
Yes yes, flame Microsoft all you want. I disagree with them charging for a solution to their own problem, but you seem overzealously hateful towards them, and not Apple.
Let me ask you - what is the primary way an OSX box gets hacked? Answer: Safari. Sound familiar? See: Microsoft + IE
What's got me worried is that the same guy keeps winning pwn2own with Safari exploits, year after year. He probably has a pile of exploits up his sleeve, as do other people. It's only a matter of time before Mac users get hosed by their browser, just like Windows users once did. (and probably still do)
-
Re:Can we come up with coherent rebuttals?
No other browser employs this level of security. If a vulnerability in a plugin is exploited in Firefox on Linux that exploit can trash the user's profile. In IE8/Vista, at best it can read files but it can't do anything else.
Sorry to rain on your parade here, but we have already seen an IE8/Windows7 drive-by complete escalation exploit.
-
Re:Bad Analogy
As we see every year when they tie Linux as the most secure system in pwn2own, they've got nothing to be upset about on the technical side of things.
Uhm, last year Vista SP1 fell. Ubuntu got out of the contest unscathed.
You're talking about an OS which allows the machine to be compromised, not through idiot users or social engineering, but by reading an email or looking at a website in many cases, and where the normal, expected means of installing new applications is to download and run untrusted executables from wherever. They have plenty to worry about on the technical side of things.
After two decades of exploit after exploit after exploit, it's amazing to me that anyone seriously tries to defend Windows security anymore.
-
Windows != SPAM
Attempting (even facetiously) to blame SPAM on Windows is wrong. If every copy of Windows on the Internet somehow magically disappeared, the SPAM problem would not abate. Bot herders and spammers would simply shift their efforts to other platforms.
If you doubt this, consider what the winner of this year's PWN2OWN contest had to say about why it's easier to target Mac OS X.
BTW, this is not a troll, and I'm not a (Windows|Mac|Linux) evangelist of any kind. I just find kneejerk Windows bashing rather tiresome.
-
pwn to own prize was more than a laptop.
The pwn to own prize was $20000 plus the laptop on the first day, (it dropped as they allowed more attack vectors) so whatever machine you wanted the best machine to attack was gonna be the weakest. (You can always ebay or give your gran the unwanted one.) Look here
-
Re:And this is a surprise?
Actually the IE8 exploit used during Pwn2Own contest wouldn't work on the final release of IE8 published one day later on the 19th of March.
-
IE8 Final Not Vulnerable
-
Re:He was sitting on the winning weakness
I've been in a lengthy argument about this guy on the Ars Technica forums. I ended up emailing Bruce Schneier about this and asked his thoughts.
Here was my email to him:
Hi Bruce,
I've been following the Pwn2Own contest for the last couple of years.
Last year a researcher from ISE ( http://securityevaluators.com/ ) named Charlie Miller used an exploit in a Perl library included in WebKit, the base code for Apple's Safari browser, and won a cash prize for his effort. In the press it was claimed he "hacked Safari in mere seconds". In truth it took a lot more time than that to devise the exploit and only seconds to execute it.
This year he did it again with another preplanned exploit which he says he discovered while researching last year's bug. Again he won a cash prize of $10,000.
In an interview with ZDNet he said: "I never give up free bugs. I have a new campaign. It's called NO MORE FREE BUGS. Vulnerabilities have a market value so it makes no sense to work hard to find a bug, write an exploit and then give it away," Miller told ZDNet. "Apple pays people to do the same job so we know there's value to this work."
I have a major problem with his philosophy and feel this is a dangerous precedent to set and a bastardization of the goals of security in the first place. I feel he has an obligation to inform Apple and not dangle a dollar amount for the how-to.
Sure he should be paid for his time and effort, which is why he works at a security firm. This contest is basically bonus money and about bragging rights. Sitting on a bug puts the safety of other users at risk. But he is basically demanding bribe money for bugs. Who is to say he wouldn't give up his research to the highest bidder? I'm sure there are blackhat groups like those in Russia and China that would pay handsomely for some juicy exploits like this.
Yes there is a long history of security firms hiring hackers and there have been many questions of whether that is a good idea. But security firms should take notice of this philosophy and not employ those who engage in this kind of behavior. It's bad form for his employer and makes the security industry as a whole look bad by proxy. Would you hire a security company that employs hackers who blackmail for bugs to work on your systems? If we had hired his firm while I was working IT at a large New York bank I would have advised my boss to make sure he's not on our project (and perhaps hire an entirely different firm altogether).
I've been in a discussion with other users about this. There seems to be a split in viewpoint, one side saying he should let Apple and the WebKit developers know about this exploit for the betterment of everyone (for free). The other side feels this is purely about capitalism and he has no moral or ethical obligation to tell anyone.
Some have likened it to seeing a crack in a bridge that might fail. Are you obligated to inform someone of the problem? What if Dan Kaminsky demanded $1 million to divulge details on the DNS BIND problem?
What are your feelings on this?
Thanks
Here's the discussion I've been following:
http://dvlabs.tippingpoint.com/blog/2009/03/21/pwn2own-wrap-up
Bruce wrote me back today with his response:
There's a fine line between being paid for your efforts and extortion. This seems to cross it.
-
Re:All 5, eh?
It's not clear from the pwn2own website, but there is this:
After much appreciated feedback from the contestants, we'll be sure that such details as version numbers of the OS and exact hardware specs are made available well in advance.
HTH
-
Re:Hmm
unless he believes he's more l33t than anyone else
Maybe he does.
As others have pointed out, Apple pay for verified bugs
Maybe he wanted the notoriety that winning the contest would provide.
he thought there was a more profitable use for the bug. And I wonder what those would be?
He entered a contest. He won $5000 for the exploit (which is undoubtedly far less than he could have got for the exploit* if he had actually been a black-hat cracker as you claim). Apple now has the exploit, so they can fix the hole**. What's the big problem again?
Something a damned sight more productive than this cracker, which is probably why I don't have to fuck about to get paid.
You believe that your job is more productive than a guy who has provided several large companies with invaluable information about undiscovered flaws in their products which would potentially have a global effect if ever exploited by a malicious person or persons? Oh...
Oh do fuck off you anonymous twat.
Posting anonymously to avoid un-doing moderation. You cleverly avoid my point: what makes you think this guy should work for free? He provided a valuable service; he deserves to be compensated for his hard work.
--
* According to this guy, whom I have no reason to doubt.
** From the 2008 Pwn2Own rules:
All winning exploits will be handed over to the affected vendors at the conference through the ZDI, with the appropriate credit given to the contestant once the vendor patches the issue. Until then, the actual vulnerability will be kept quiet from the public. This is a required condition of entry into the contest; all entrants must agree to the responsible disclosure handling of their vulnerability/exploit through the ZDI.
-
CanSecWest security conference
Pwn2Own 2009 Day 1 - Safari, Internet Explorer, and Firefox Taken Down by Four Zero-Day Exploits
Charlie Miller got the luck of the draw, and had the first time slot for the browser competition. His target- Safari on Mac OS X. Before I could even pull my camera out, it was over within 2 minutes- and Charlie (coincidentally also last year's first winner of the day) is now the proud owner of yet another MacBook, and $5,000 from the Zero Day Initiative.
Next up, Nils. Just Nils- you know, like "Prince" or "Madonna". With a little tweaking, he ran a sleek exploit against IE8, defying Microsoft's latest built in protection technologies- DEP (Data Execution Prevention) as well as ASLR (Address Space Layout Randomization) to take home the Sony Vaio and $5,000 from ZDI.
-
Re:Python?
His python code is here. It implements a HTTP web server (as well as a command line and direct socket server mode) that directly invokes a DLL to control the unit. And so in the video he can control the thing using the web browser in his cellphone.
All the code is only 283 lines and easy to understand. I don't see anything awkward about it.
In what way exactly would Lua be better at doing that?
-
Re:This exploitation, so far seems extremely unlik
How about the brand new, fully patched up-to-date Macbook Air at this year's pwn-to-own contest a couple months ago? Oh noes! It was the first to be compromised. http://dvlabs.tippingpoint.com/blog/2008/03/27/day-two-of-cansecwest-pwn-to-own---we-have-our-first-official-winner-with-picture
-
Re:Look at how they are attacked.
If they were easy to crack, they would be cracked.
http://dvlabs.tippingpoint.com/blog/2008/03/27/day-two-of-cansecwest-pwn-to-own---we-have-our-first-official-winner-with-picture Day 2, like 2 minutes into the day. That seems to qualify as pretty easy to crack to me. Note the Vista notebook was still standing at the end of the day, though it did fall the next day via an Adobe exploit.

Now trust me, I am not a Windows fan (I'll stick with Ubuntu) and I can appreciate what you are saying in that Macs haven't been exploited as much, but I don't think blind fanboyism does anyone any good. A certain group of people need to turn down the reality distortion field for a second and start realizing the truth of things. Is Vista the end all of security? Definitely not, but it is a step in the right direction. For example, running IE as a limited user is a very good idea. Firefox and Safari should both follow suit.
Is the Mac this great bastion of security that everyone seems to think it is? Definitely not. If I were to pick the single greatest security asset that Apple does have, though, I would say it is their users. I would say the average Apple user is probably more tech savvy than the average PC user. When it's all said and done, it's the user that determines the security, and it always will be. There is no amount of annoying pop-up boxes or security measures that Microsoft or anyone else can implement that will keep people from clicking on and running anything that blinks, flashes, or pops up. -
Re:Great Firewall of China
> Of course there's always captured zombie machines outside the great firewall to do the trick, but certainly here in the UK many ISPs take note of which computers are sending out suspicious traffic, I've known a couple of people have their net access disabled by their ISP for throwing out known virus traffic at least. Most responsible ISPs worldwide could no doubt do exactly the same things.

Exactly. These guys are doing Command and Control from Internet cafes wherever they are, so there's very little traffic and it's surely wrapped in encryption anyway. Eventually the zombies get shut down, but that may be a matter of hours or days. Unfortunately, current detection and mitigation technologies don't keep up with the rate that new zombies are added to the horde.

> The real question is could ISPs do this without introducing "feature" creep? My guess is, no, they'd quickly use the tools for blocking bad traffic for blocking things like BitTorrent, well, those few that don't already of course ;)

Just about everyone with a network bigger than a bread box has some type of attack mitigation gear in place. Most of the good stuff uses deep packet inspection, and many of them run in-line (Tipping Point, for example). I know it was a shock to most people when Comcast decided to target BitTorrent, but the reality is that deep packet inspection has been in the network for a long time. -
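An added example, not code from the page, from any commenter, or from TippingPoint's products: a toy of the two ISP-side detections the comment above contrasts. One is a payload signature check of the kind an in-line DPI box applies per packet; the other is a payload-independent fan-out check (one subscriber reaching many hosts on one port in a short window) that still fires when the traffic is encrypted. The flow records, signature patterns and thresholds are all constructed for illustration. The encrypted single-peer bot in the sample log is flagged by neither check, which is the point made above about detection not keeping up with quiet C2.

```python
"""Toy ISP-side detection in two styles: payload signatures (what an in-line
DPI box keys on) and a behavioural fan-out check that still fires when the
payload is encrypted.  Flows, signatures and thresholds are constructed."""
from collections import defaultdict
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Flow:
    ts: float       # seconds since an arbitrary epoch
    src: str        # subscriber-side address
    dst: str
    dport: int
    payload: bytes  # first bytes of the connection, as a DPI engine would see them


# Hypothetical signatures, not real IPS filters.
SIGNATURES = {
    "worm-http-probe": re.compile(rb"GET /[a-z]{4,8}\.exe HTTP/1\.[01]"),
    "irc-bot-join": re.compile(rb"^JOIN #[a-z0-9]+ [a-z0-9]+\r\n", re.M),
}


def match_signatures(flow):
    """Names of every signature whose pattern occurs in the flow payload."""
    return [name for name, rx in SIGNATURES.items() if rx.search(flow.payload)]


def inline_action(flow):
    """Per-packet decision of an in-line box: drop on a signature hit, else forward."""
    return "drop" if match_signatures(flow) else "pass"


def inspect(flows, window=60.0, fanout_threshold=5, sig_threshold=2):
    """Offline pass over a flow log.  Returns {src: set(reasons)} for the
    sources an abuse desk would act on (the 'net access disabled' case)."""
    verdicts = defaultdict(set)
    sig_hits = defaultdict(int)
    by_src = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        by_src[f.src].append(f)
        for name in match_signatures(f):
            sig_hits[(f.src, name)] += 1
            if sig_hits[(f.src, name)] >= sig_threshold:
                verdicts[f.src].add("signature:" + name)
    # Behavioural check: one source reaching many distinct hosts on the same
    # port inside `window` seconds.  Payload-independent, so encryption does
    # not hide it; it only catches spreading, not a quiet single-peer C2 channel.
    for src, fl in by_src.items():
        for f in fl:
            peers = {g.dst for g in fl
                     if g.dport == f.dport and f.ts <= g.ts < f.ts + window}
            if len(peers) >= fanout_threshold:
                verdicts[src].add("fanout:%d" % f.dport)
    return dict(verdicts)


# Constructed sample log (addresses are documentation ranges).
SAMPLE_FLOWS = [
    # 10.0.0.5: plaintext worm probing three web servers for a dropper
    Flow(10.0, "10.0.0.5", "198.51.100.1", 80, b"GET /abcd.exe HTTP/1.1\r\nHost: a\r\n\r\n"),
    Flow(11.0, "10.0.0.5", "198.51.100.2", 80, b"GET /abcd.exe HTTP/1.1\r\nHost: b\r\n\r\n"),
    Flow(12.0, "10.0.0.5", "198.51.100.3", 80, b"GET /abcd.exe HTTP/1.1\r\nHost: c\r\n\r\n"),
    # 10.0.0.9: bot talking to one C2 host over an encrypted channel; nothing
    # for a payload signature to see and only one peer, so it is never flagged
    Flow(20.0, "10.0.0.9", "203.0.113.7", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
    Flow(80.0, "10.0.0.9", "203.0.113.7", 443, b"\x17\x03\x03\x00\x40\x9b\x1f\xe2\x5d"),
] + [
    # 10.0.0.7: opaque probes to six hosts on 445 within a minute
    Flow(100.0 + i, "10.0.0.7", "192.0.2.%d" % (i + 1), 445, b"\x00\x00\x00\x2f\xffSMB")
    for i in range(6)
]


def run_example():
    return inspect(SAMPLE_FLOWS)


if __name__ == "__main__":
    for src, reasons in sorted(run_example().items()):
        print(src, sorted(reasons))
```

Running it flags 10.0.0.5 on the signature (three hits, threshold two) and 10.0.0.7 on fan-out over port 445, and says nothing about 10.0.0.9. The `inline_action` path is what a box in the forwarding path does; `inspect` is the slower log-side view an ISP abuse desk would work from, and it is the latter that is easy to point at traffic the operator merely dislikes, which is the "feature creep" worry raised above.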
Re:Something is Fishy
...only finally fell when the contest organizers modified the rules...
People in both CanSecWest threads have been saying this a lot, but it's not true. The only time they "modified" the rules was before the contest began--largely to increase the cash prizes. The tiered rules and prizes were planned in advance--it's not like they said, "gosh, nobody 0wned any of these machines yet--we better make things easier." When the contest started, the plan was three days with different rules/prizes on each day. Details.
-JD -
Re:Something is Fishy
> If the person on the Vista laptop was running IE 7 with the default configuration (protected mode / UAC on), this should not have happened.
You are wrong, I fear. The rules were that each OS had its default configuration. Check http://dvlabs.tippingpoint.com/blog/2008/03/19/cansecwest-pwn-to-own-2008 for details. So, if the protected mode is turned on by default, it was turned on during the contest.
Besides, they were using the default browser, the browser which is held as the most secure and reliable one by the OS creators. On the third day of the contest you were able to install other browsers too.
And for all who say "Flash issues are cross platform so Linux isn't secure either" there is one simple question: why was the Linux laptop still standing at the end of the day? -
Vista laptop got rocked right at the end
hot off the press, looks like the Vista box just fell over
http://dvlabs.tippingpoint.com/blog/2008/03/28/pwn-to-own-final-day-and-wrap-up -
Re:Owning Beauty
> If you can still win those (which I think you can?) even though there's no longer a cash prize there's at least incentive for someone to hack them.
Actually the other teams could still win the cash prizes from the other machines:
"The first winner of each laptop gets to keep it (one laptop per vulnerability entry) as well as a cash prize sponsored by ZDI."
"Therefore there are a maximum of three cash prizes, one per laptop."
http://dvlabs.tippingpoint.com/blog/2008/03/19/cansecwest-pwn-to-own-2008
But both Vista and Ubuntu survived the second day intact. -
Re:I think this section is relevant
Probably the former: the rules state that the judges will only visit a malicious webpage. I'm pretty sure they used to explicitly say that they wouldn't even click on any links on that web page; I'm not sure if this has changed, or if there are more detailed rules elsewhere.
-
Re:I don't get it
And if there were known or open vulnerabilities, it should have fallen in what, 30 seconds?
Not really, you can't just reuse known vulnerabilities. The rules are a good read: http://dvlabs.tippingpoint.com/blog/2008/03/19/cansecwest-pwn-to-own-2008
"To claim a laptop as your own, you will need to read the contents of a designated file on each system through exploitation of a 0day code execution vulnerability (ie: no directory traversal style bugs)."
-
Re:Identical articles
The results for the other machines are in, at the end of day 2 the Vista and Ubuntu laptops have yet to be compromised:
http://dvlabs.tippingpoint.com/blog/2008/03/27/day-two-of-cansecwest-pwn-to-own---we-have-our-first-official-winner-with-picture -
Day 2 results
If you look at their blog it seems the Vista and Ubuntu laptops are still not hacked yet at the end of day 2:
http://dvlabs.tippingpoint.com/blog/2008/03/27/day-two-of-cansecwest-pwn-to-own---we-have-our-first-official-winner-with-picture -
Re:Moot issue?
You could report it through a 3rd party like The Zero Day Initiative, a division of 3com's Tipping Point intrusion prevention service.
That gives small time security experts a platform of anonymity to disclose vulnerabilities to anyone (not just 3com's customers) while retaining the possibility of a reward.