Slashdot Mirror


Next Pwn2Own Contest Targets IE8, Firefox, iPhone

Windows Secrets writes "After two straight years of taking dead aim at Macbooks and Windows-powered machines, hackers at this year's CanSecWest conference will have shiny new targets: Web browsers and mobile phones. According to CanSecWest organisers, there will be two separate Pwn2Own competitions this year — one pitting hackers against IE8, Firefox 3 and Safari and another targeting Google Android, Apple iPhone, Nokia Symbian and Windows Mobile."

64 comments

  1. Unbalanced? by AKAImBatman · · Score: 4, Interesting

    Am I the only one who wonders if the design of this contest doesn't create an unbalanced playing field? It's often struck me that if the computers are "Pwn2Own", then the participants are going to focus more heavily on "pwning" the system they want to take home with them. e.g. Given a choice between a Vaio running Windows and a MacBook Pro running OS X, I know I would rather have the MacBook Pro. Thus I'm not going to try as hard to crack the Windows system because the system I REALLY want is the Mac.

    Maybe it's just me. Maybe there are an equal number of equally talented individuals whose only disagreement is the preference of their machine. But somehow I don't think it's that easy.

    1. Re:Unbalanced? by quickOnTheUptake · · Score: 3, Funny

      yeah and who the hell wants to be given a copy of IE8 as first prize?

      --
      Mod points: Guaranteed to remove your sense of humor.
      Side effects may include gullibility and temporary retardation
    2. Re:Unbalanced? by Anonymous Coward · · Score: 0, Troll

      Does not take too long for Apple fanbois to come out crying, whining and defending to a ridiculous level.

    3. Re:Unbalanced? by XPeter · · Score: 3, Funny

      We all know that Windows Mobile and IE8 will come out on top as they are far superior to the competition.

      --
      "The difference between genius and stupidity is that genius has its limits" - Albert Einstein
    4. Re:Unbalanced? by drquoz · · Score: 3, Funny

      For the browser competition, you get the computer it's running on. Or at least that's what I gather; the article accidentally a whole verb. FTA: "CanSecWest organizers plan to Sony VAIO P running Windows 7 as the platform for the contest. The successful hacker gets to keep the machine."

    5. Re:Unbalanced? by jpmorgan · · Score: 2, Insightful

      But I thought OS X is inherently more secure, and the perceived security has nothing to do with it being a less tempting target than Windows.

      Or at least, that's what everybody tells me...

    6. Re:Unbalanced? by decipher_saint · · Score: 2, Interesting

      Actually I think this might be part of the plan. Right now one of the things that might make Windows less desirable is that it is a bit of a security risk and (apparently) not as hard to crack. So the big flashy prize is something that people want because it's supposedly more secure or otherwise better (or at least sells itself that way) and it's going to get a bit more attention. So maybe more people discover security issues for the desired prize during contests like this which vendors can ultimately fix (making it an even better product).

      In fact, seeing more concentrated efforts to crack the Mac might be an indication of what's to come. After all if the desired prize is relative to the desires of the upcoming consumer market for the next few years getting to know the soft spots will be valuable for at least some parties.

      Either all that or I've hit that state of delirium after the caffeine has worn off...

      --
      crazy dynamite monkey
    7. Re:Unbalanced? by nicolas.kassis · · Score: 3, Funny

      You probably have some security patches that need to be installed on your mac cause you obviously seem to not think that those are of any use.

    8. Re:Unbalanced? by nicolas.kassis · · Score: 1

      Where there's a will there is a way. In this case the will must be stronger.

    9. Re:Unbalanced? by rsmith-mac · · Score: 4, Insightful

      The current security situation of the platform is not an XOR matter. It is inherently more secure thanks in large part to tested Unix/BSD bits and very few backwards compatibility hacks that later end up used as vulnerabilities, but at the same time there are vulnerabilities that have not been found because not nearly as many people poke at it as they do Windows. If as many people poked at Mac OS X as they did Windows I'm sure we'd see more vulnerabilities in the wild, but I have no reason to believe there would be as many as we see with Windows.

      As for the contest at hand, I'd be shocked if they didn't break it. Browsers are a mess, and this goes for IE8, Firefox, and Safari. They'll most certainly get Safari to trigger a remote code execution situation, the bigger challenge will be finding a local privilege escalation flaw to combine that with to actually own the system.

    10. Re:Unbalanced? by mjwx · · Score: 4, Insightful

      (Flamebait)It shouldn't matter though because OSX running on proprietary Apple hardware with its uber *nix underpinnings is supah secure.(/Flamebait)

      I know you're trying to be funny but, even the NT kernel is secure. Almost every single exploit will come in via applications, this is true for Mac, Linux/Unix and Windows.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    11. Re:Unbalanced? by Jurily · · Score: 4, Insightful

      Apple has a history of virtually 100% secure operating systems, especially OS X that is going on almost a decade without a single virus or worm.

      FTFA:

      In 2007, New York-based security researcher Dino Dai Zovi teamed up with Shane Macaulay to hijack a MacBook Pro via a flaw in Apple's QuickTime software. A year later, hacker Charlie Miller needed just two minutes to exploit a Safari bug to win that contest.

    12. Re:Unbalanced? by KibibyteBrain · · Score: 5, Interesting

      I still think from a game theory perspective, it is best to go after the platform you are best at pwning if you assume all the other participants are about as skilled as you are. This is because time is a factor, and so you are better off making sure you hack first and get something than trying to hack the best prize if there is a better chance one of the other hackers is more experienced at it than you. A good chance of getting something bad is usually better than a bad chance of getting something good.

    13. Re:Unbalanced? by moderatorrater · · Score: 1

      That should work, but (at least in past years) they have cash prizes that are worth far more than the machines they're going to get, so that should be mitigated. Also, they've got a small number of machines for a large number of people trying to penetrate them, so as soon as the more desirable machine is gone everyone should focus on the other machines as much as they focused on the most desirable one. Overall, it seems that the desirability of the machines shouldn't affect the outcome too much.

    14. Re:Unbalanced? by Anonymous Coward · · Score: 0

      ... Sony VAIO P running Windows 7 ...

      Actually, I'd target that myself. I just saw one of those machines the other day, I'd love to have one.

    15. Re:Unbalanced? by v1 · · Score: 4, Insightful

      fwiw, all the successful attacks I've seen were due to privilege escalation for a local user. The key difference most people are talking about is being secure over a network, from a remote attacker. Viruses don't really even count here, just worms. It's a lot more important to be secure from the 35 million people out on the internet than from the 2 that have an account on your computer.

      Windows has been shown to fail miserably, repeatedly, and in epic ways in this respect. OS X has yet to be owned remotely. Correct me if I'm wrong here, I'd like to hear about it.

      --
      I work for the Department of Redundancy Department.
    16. Re:Unbalanced? by aliquis · · Score: 1

      Because no virus means secure? Since when? But I guess I shouldn't bother answering.

    17. Re:Unbalanced? by Reece400 · · Score: 1

      On the other hand, I'd personally go for the PC as I know that there's probably 1/2 the competition, and much greater odds for me to win..

    18. Re:Unbalanced? by Anarchitect_in_oz · · Score: 1

      As of Leopard you don't need to replace the U with *.

      --
      "Call us when the New age is old enough to drink" Beck
    19. Re:Unbalanced? by Anonymous Coward · · Score: 2, Informative

      You're working on the premise that these guys value MacBook Pro more than a Sony. I'm pretty sure that they can easily afford a MacBook Pro. I'm sure that the motivation here is actually cracking the system rather than owning the laptop.

    20. Re:Unbalanced? by Kugrian · · Score: 1

      This is good no? Macs still don't get targeted enough in the wild for their weaknesses to be apparent. Windows gets raped. I'm on the 'windows is inherently less secure' side of the fence, but until the market share of OSes reaches a point where it's viable for black hats to attack both MS and Apple (and others ofc, but not relevant here), it's a hard point to prove.

    21. Re:Unbalanced? by Anonymous Coward · · Score: 1, Insightful

      how about both the examples in the parent post? One is where you load a malicious webpage when you have quicktime installed (almost everyone) and the other is loading a malicious webpage in safari without needing any extra stuff installed.

    22. Re:Unbalanced? by Anonymous Coward · · Score: 0

      Yeah, they are both local, not remote, exploits. Dangerous, but not as bad as being able to get hacked without even touching the computer.

    23. Re:Unbalanced? by Anonymous Coward · · Score: 0

      The result will depend on installed plugins: acrobat, java, real, flash, quicktime, silverlight, etc.

      Firefox without noscript would be at an unreasonable disadvantage...I'm guessing IE8 will do well considering probable circumstances.

      Safari still has no chance, though Chrome would be interesting in its place.

    24. Re:Unbalanced? by Anonymous Coward · · Score: 0

      They compete more for reputation/resume items than to get the actual item.

    25. Re:Unbalanced? by Serious+Callers+Only · · Score: 2, Interesting

      OS X has yet to be owned remotely. Correct me if I'm wrong here, I'd like to hear about it.

      You are wrong.

      The original jailbreaking of the iPhone was based on a tiff handling vulnerability in the Safari browser - this could be exploited remotely until the hole was fixed, simply by visiting a website.

      http://www.iphone-hacks.com/2007/10/10/iphone-111-jailbroken-again-using-tiff-exploit/

      I would be surprised if there are not more holes in the Safari browser which ships with the iPhone (and its desktop equivalent), indeed I've read about a few more since (can't be bothered to look them all up just now) and expect to see the iPhone compromised.

      Here's another more recent which could be costly by calling unknown numbers :

      http://www.pcadvisor.co.uk/news/index.cfm?newsid=10113

      Or another, allowing access to data :

      http://www.techradar.com/news/phone-and-communications/mobile-phones/iphone-macs-vulnerable-to-safari-hack-attack-154585

      Now OS X has been less vulnerable to worms spreading automatically compared to Windows historically (not so much compared to Vista), has some good security policies in place like the lack of services on by default, firewall and a sane use of password dialogs, but that doesn't make it immune. Apple has not been as vigilant or communicative in this area as they should be.

    26. Re:Unbalanced? by Anonymous Coward · · Score: 0

      funny? moderators are strange sometimes.

    27. Re:Unbalanced? by MadMidnightBomber · · Score: 2, Funny

      second prize: two copies of IE8.

      --
      "It doesn't cost enough, and it makes too much sense."
    28. Re:Unbalanced? by Anonymous Coward · · Score: 0

      Yeah, they are both local, not remote, exploits. Dangerous, but not as bad as being able to get hacked without even touching the computer.

      Those things are REMOTE exploits, the hacker does not have to have LOCAL access to the machine in order to crack it. He just sets up an evil website and waits until a user visits it...

      4. profit!!

    29. Re:Unbalanced? by ohcrapitssteve · · Score: 1

      Okay, both of those flaws you cite require user interaction. That doesn't constitute a "virus" or a "worm." That's a vulnerability. A vulnerability, I might add, never amounted to anything in the wild, and was patched quickly by Apple. Not an apologist, flaws are flaws are flaws. But they aren't viruses. The distinction is important.

    30. Re:Unbalanced? by v1 · · Score: 2, Insightful

      Now OS X has been less vulnerable to worms spreading automatically compared to Window

      Please provide one example of a worm that spreads automatically on OS X.

      Saying "less vulnerable" makes it sound like windows and os x even have some remote similarity. "hundreds of examples" vs "no examples" hardly qualifies you to say "less vulnerable".

      Hearing someone say my right shoe is merely "less likely to spontaneously explode" than an unexploded munition from WW2. leads an uninformed observer to question the safety of my shoe. It's deceptive.

      --
      I work for the Department of Redundancy Department.
    31. Re:Unbalanced? by mdwh2 · · Score: 1

      Apple has a history of virtually 100% secure operating systems, especially OS X

      Especially OS X? Leaving aside the debate of whether that's true, what other "virtually 100% secure" operating systems has Apple released? Your memory of their history seems to leave out "classic" MacOS, which had viruses, and didn't even support memory protection.

    32. Re:Unbalanced? by Miseph · · Score: 1

      Unless that something bad is gonorrhea.

      --
      Try not to take me more seriously than I take myself.
    33. Re:Unbalanced? by SuperNothing307 · · Score: 1

      > Hearing someone say my right shoe is merely "less likely to spontaneously explode" than an unexploded munition from WW2. leads an uninformed observer to question the safety of my shoe. It's deceptive.

      Yeah, because it's not deceptive to claim that an operating system has no exploitable flaws without source code, let alone a formal proof, that that is so...I think "less vulnerable" is an entirely accurate assessment. And I wouldn't take those shoes on a plane with you...last guy who did that got thrown in jail for the rest of eternity.

    34. Re:Unbalanced? by Anonymous Coward · · Score: 0

      For the less-observant: He intentionally left out an important word, just like he was saying the article did. Hence, funny. I'm surprised the mods noticed.

    35. Re:Unbalanced? by Serious+Callers+Only · · Score: 1

      Please provide one example of a worm that spreads automatically on OS X.

      OK. Because of people like you, anti-virus vendors have created a worm for OS X (I believe there are other examples):

      http://www.symantec.com/security_response/writeup.jsp?docid=2006-021715-3051-99

      It's not a commercial worm, but this sort of worm is possible on OS X, just more difficult. You talk as if this sort of exploit is impossible somehow on OS X, it is not.

      Quite apart from that, you were wrong to say it has not been owned remotely - it has on multiple occasions had remote exploits via the browser. These require the user to visit a page with malicious javascript, that is all. Then a remote exploit commences. They do not require local access to the computer. Some have been patched, some are still open. Other browsers have similar exploits.

      To quote your initial incorrect statement :

      It's a lot more important to be secure from the 35 million people out on the internet than from the 2 that have an account on your computer.

      The exploits I listed are not ones which require a local log in by the hacker, and this competition will specifically be testing browsers too.

      Now you can play semantics, and try to twist remote to mean 'remote with no user action' but that's not what you said initially, it would not be a real world test, and that's not what the later stages of this contest test - last year I think they progressed from default locked down config, to services on, to visiting a web page. Last year the macbook was hacked via visiting a web page. A fair test given that most users don't leave their machine with no services on and never visiting web pages.

      Vulnerabilities in web browsers certainly should not be dismissed as 'local' exploits - they only require minimal user intervention (clicking a link), and if that can lead to the system being compromised, it should be considered insecure. Indeed, after one initial infection, a worm could easily spread this way by emailing/iming contacts with a URL.

      PS I run OS X, and don't run a virus scanner due to the lack of worms/viruses, but I don't view it as invulnerable, and neither should you. Your munition/shoe analogy doesn't make any sense, and implies that you really think that using OS X makes you somehow invulnerable to any exploits - it really doesn't.

    36. Re:Unbalanced? by MadMidnightBomber · · Score: 1

      I can't believe that got modded Funny - that joke is probably older than the transistor.

      --
      "It doesn't cost enough, and it makes too much sense."
    37. Re:Unbalanced? by Anonymous Coward · · Score: 0

      Windows Mobile will win because it can't run anything.

    38. Re:Unbalanced? by v1 · · Score: 1

      Thank you for the link - I had a suspicion there were one or two proof of concept viruses for the mac, and now I can see one.

      But I do have to argue your point about browser exploits. Here you are requiring the user's active assistance, and are only spreading "one step" per user assist.

      For practical purposes, they behave almost identically to trojan horse applications, or possibly email-payload viruses. I suppose browser exploits sit in the middle ground between trojans and viruses. Not as automatic, but certainly requiring very little assistance from the user. This by virtue of not requiring the user to double click as if to open something. But then a trojan app that looks like a word document or jpeg could fit that description too.

      The difference being a great one, where worms can (as we have seen with code red) spread across the planet in a matter of minutes, actively infecting user computers. I don't even see how a browser exploit can spread more than one step... from the infected/rigged web server to the user's computer... where does it go from there, unless the user is running a web server?

      That link is to what appears to be a bluetooth worm. I've never even really considered that, it's an interesting angle. Do you know of any internet worms for the mac, proof-of-concept or otherwise?

      --
      I work for the Department of Redundancy Department.
  2. 2Own by DanTheStone · · Score: 4, Funny

    You could win own your very own copies of IE8, Firefox 3, and Safari!

    1. Re:2Own by Wamoc · · Score: 0

      That would be such a great prize! Even better than the iPhone or the android phone.

    2. Re:2Own by Anonymous Coward · · Score: 1, Funny

      Yeah, I think I'll wait for this year's Pwning4Ponies instead.

  3. Wonder if it requires the iPhone to be jailbroken by Vandil+X · · Score: 4, Interesting

    That would fall in line with their use of a 3rd party wireless card to hack the MacBook. (i.e. using the product in a way most people wouldn't be using it.)

    --
    Up, Up, Down, Down, Left, Right, Left, Right, B, A, START
  4. How much attention does this get? by jpmorgan · · Score: 2, Insightful

    How much attention does this contest actually get? While there are lots of upstanding people who will participate, I would be surprised if there weren't quite a few talented individuals who will not be participating.

    I mean, if you're a blackhat, an exploit for any of these targets is worth a lot more than a laptop or a mobile phone.

    1. Re:How much attention does this get? by Chabo · · Score: 3, Insightful

      The blackhats try to exploit the whole contest so that nobody can win. :)

      Then they continue to use the holes only they know about.

      --
      Convert FLACs to a portable format with FlacSquisher
  5. Re:Wonder if it requires the iPhone to be jailbrok by Anonymous Coward · · Score: 1, Funny

    Last year they didn't accept my precondition that the root password be set to blank before attempting to hack it.

  6. Isn't the OS still important? by pembo13 · · Score: 1

    Doesn't the underline operating system still assist with the overall security of a browser? ie. can't a more secure OS make escalation of a browser hack more difficult?

    --
    "Thanks for all the money you paid to us. We've used it to buy off ISO among other things" -Microsoft
    1. Re:Isn't the OS still important? by ld+a,b · · Score: 2, Interesting

      Of course.

      In this case I believe IE8 has a lead in this contest as they all will be running on Windows, but IE8 will probably get to run in sandbox mode.

      My bets are:

      1- Safari
      2- IE8
      3- Firefox

      or:

      1- Safari
      2- Firefox
      3- IE8

      --
      10 little-endian boys went out to dine, a big-endian carp ate one, and then there were -246.
    2. Re:Isn't the OS still important? by Ironica · · Score: 2, Funny

      Doesn't the underline operating system still assist with the overall security of a browser?

      Only if it hasn't been upgraded to the italic operating system.

      --
      Don't you wish your girlfriend was a geek like me?
  7. Obligatory XKCD by Chabo · · Score: 3, Funny
    --
    Convert FLACs to a portable format with FlacSquisher
    1. Re:Obligatory XKCD by perryizgr8 · · Score: 1

      man i love these obligatory references

      --
      Wealth is the gift that keeps on giving.
    2. Re:Obligatory XKCD by vosester · · Score: 1
  8. My experience.... by ebbomega · · Score: 4, Interesting

    Last year I DJ'd for the CanSecWest dinner party, and I was kinda amused to see that a lot of the people who were at the conference were ex-blackhats anyway. A good number of them had criminal records and were now raking in hella money working on the legit side (a shitload more than they made during their blackhat careers). I even met a couple of them at a 2600 meeting once.

    Hackers are hackers, regardless of which side of the legal coin they fall on. The exploits used are known to anybody with the resources to find them. In fact, last year nobody took home the Linux box not because they couldn't find any exploits, but because there was so much more effort and time involved in breaking the linux systems that everybody just went for the OSX or Windows machines. Versions of this contest probably exist in the blackhat world, but are a lot less publicized because they don't have industry heavyweights like Cisco or Microsoft sponsoring it.

    --
    Karma: Non-Heinous
    1. Re:My experience.... by spacerog · · Score: 0


      Real hackers aren't in it for the money.
      - SR

  9. Maybe it's just you, NOT! by Anonymous Coward · · Score: 0

    >>Maybe it's just me.

    No. It's not just you. Every other apple fanbois think the same - that just because Apple makes unbreakable awesome super cool machines which are completely safe and secure that people break into it illegally and only because they love it so much.

  10. This is a setup. Right? by Mac_8100_g3 · · Score: 0

    I mean you've got all these hakrz in one room. Then someone is gonna seal the place off and call the fedz. Right? Put 'em all in the pen where they belong. That would be cool!

    --
    My peace of mind does not depend on /. karma
  11. Opera?... by sznupi · · Score: 1

    According to Secunia it had the smallest number of vulnerabilities, plus Opera Software somehow likes to boast about security...would be a good contender and verification of their claims (and don't say that Opera has negligible share, IN YOUR MARKET, there are many where it's quite big (which accidentally are often the healthy ones not dominated by IE/with IE below 50% for some time))

    --
    One that hath name thou can not otter
  12. Steps... by Anonymous Coward · · Score: 0

    This is how browser exploits usually work.

    1. Get enough money together to run advert on mainstream site.
    2. Buy banner ad at such site. (98% don't seem to give a shit about the content or intent of the ad as long as they get the money.)
    3. Convince either a clueless youngster or oldster to "Punch the monkey!" with clever and cheesy animated flash banner.
    4. ????
    5. Profit!

    Alternately you could skip steps 1-3 by using link farms or by taking popular domains that have expired for placement of your attack vector scripts. Then that way search engines and normal internet traffic will bring in your victims.

    Also bonus points if you can harvest data from a browser without having anyone click on your banner ad via the scripts running inside it. Show that you get juicy info like passwords and saved account or credit card data stored in cookies or whatever.

  13. Spose so, but... by ebbomega · · Score: 2, Interesting

    If a conglomerate offers you a six+ figure salary to do what you essentially do for fun, are you really going to say no?

    --
    Karma: Non-Heinous
  14. Get a life fucking Apple fanboy (aka troll) by Anonymous Coward · · Score: 0

    http://secunia.com/advisories/product/96/?task=advisories

    OSX - 861 Vulnerabilities

    http://secunia.com/advisories/product/22/?task=advisories

    XP - 221 Vulnerabilities

    http://secunia.com/advisories/product/13223/?task=advisories

    Vista - 82.

    ----
    Vista is by far the most secure OS. But you can continue to spread FUD. It's OK.

    Just out of curiosity, do you suck jobs cock or take it up the bum hole? Its OK to be a whore.. but don't be a stupid whore.