Slashdot Mirror

← Back to Stories (view on slashdot.org)

Next Pwn2Own Contest Targets IE8, Firefox, iPhone

Posted by timothy on from the better-there-than-in-the-wild dept.

Windows Secrets writes "After two straight years of taking dead aim at Macbooks and Windows-powered machines, hackers at this year's CanSecWest conference will have shiny new targets: Web browsers and mobile phones. According to CanSecWest organisers, there will be two separate Pwn2Own competitions this year — one pitting hackers against IE8, Firefox 3 and Safari and another targeting Google Android, Apple iPhone, Nokia Symbian and Windows Mobile."

9 of 64 comments (clear)

  1. Unbalanced? by AKAImBatman · · Score: 4, Interesting

    Am I the only one who wonders if the design of this contest doesn't create an unbalanced playing field? It's often struck me that if the computers are "Pwn2Own", then the participants are going to focus more heavily on "pwning" the system they want to take home with them. e.g. Given a choice between a Vaio running Windows and a MacBook Pro running OS X, I know I would rather have the MacBook Pro. Thus I'm not going to try as hard to crack the Windows system because the system I REALLY want is the Mac.

    Maybe it's just me. Maybe there are an equal number of equally talented individuals who's only disagreement is the preference of their machine. But somehow I don't think it's that easy.

    --
    Javascript + Nintendo DSi = DSiCade
    1. Re:Unbalanced? by rsmith-mac · · Score: 4, Insightful

      The current security situation of the platform is not an XOR matter. It is inherently more secure thanks in large part to tested Unix/BSD bits and very few backwards compatibility hacks that later end up used as vulnerabilities, but at the same time there are vulnerabilities that have not been found because not nearly as many people poke at it as they do Windows. If as many people poked at Mac OS X as they did Windows I'm sure we'd see more vulnerabilities in the wild, but I have no reason to believe there would be as many as we see with Windows.

      As for the contest at hand, I'd be shocked if they didn't break it. Browsers are a mess, and this goes for IE8, Firefox, and Safari. They'll most certainly get Safari to trigger a remote code execution situation, the bigger challenge will be finding a local privilege escalation flaw to combine that with to actually own the system.

    2. Re:Unbalanced? by mjwx · · Score: 4, Insightful

      (Flamebait)It shouldn't matter though because OSX running on proprietary Apple hardware with its uber *nix under pinings is supah secure.(/Flamebait)

      I know you're trying to be funny but, even the NT kernel is secure. Almost every single exploit will come in via applications, this is true for Mac, Linux/Unix and Windows.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    3. Re:Unbalanced? by Jurily · · Score: 4, Insightful

      Apple has a history of virtually 100% secure operating systems, especially OS X that is going on almost a decade without a single virus or worm.

      FTFA:

      In 2007, New York-based security researcher Dino Dai Zovi teamed up with Shane Macaulay to hijack a MacBook Pro via a flaw in Apple's QuickTime software. A year later, hacker Charlie Miller needed just two minutes to exploit a Safari bug to win that contest.

    4. Re:Unbalanced? by KibibyteBrain · · Score: 5, Interesting

      I still think from a game theory perspective, it is best to go after the platform you are best at pwning if you assume all the other participants are about as skilled as you are. This is because time is a factor, and so you are better off making sure you hack first and get something than trying hack the best prize if there is a better chance one of the other hackers is more experienced at it than you. A good chance of getting something bad is usually better than a bad chance of getting something good.

    5. Re:Unbalanced? by v1 · · Score: 4, Insightful

      fwiw, all the successful attacks I've seen were due to privilege escalation for a local user. The key difference most people are talking about is being secure over a network, from a remote attacker. Viruses don't really even count here, just worms. It's a lot more important to be secure from the 35 million people out on the internet than from the 2 that have an account on your computer.

      Windows has been shown to fail miserably, repeatedly, and in epic ways in this respect. OS X has yet to be owned remotely. Correct me if I'm wrong here, I'd like to heat about it.

      --
      I work for the Department of Redundancy Department.
  2. 2Own by DanTheStone · · Score: 4, Funny

    You could win own your very own copies of IE8, Firefox 3, and Safari!

  3. Wonder if it requires the iPhone to be jailbroken by Vandil+X · · Score: 4, Interesting

    That would fall in line with their use of a 3rd party wireless card to hack the MacBook. (i.e. using the product in a way most people wouldn't be using it.)

    --
    Up, Up, Down, Down, Left, Right, Left, Right, B, A, START
  4. My experience.... by ebbomega · · Score: 4, Interesting

    Last year I DJ'd for the CanSecWest dinner party, and I was kinda amused to see that a lot of the people who were at the conference were ex-blackhats anyway. A good number of them had criminal records and were now raking in hella money working on the legit side (a shitload more than they made during their blackhat careers). I even met a couple of them at a 2600 meeting once.

    Hackers are hackers, regardless of which side of the legal coin they fall on. The exploits used are known to anybody with the resources to find them. In fact, last year nobody took home the Linux box not because they couldn't find any exploits, but because there was so much more effort and time involved in breaking the linux systems that everybody just went for the OSX or Windows machines. Versions of this contest probably exist in the blackhat world, but are a lot less publicized because they don't have industry heavyweights like Cisco or Microsoft sponsoring it.

    --
    Karma: Non-Heinous