First Pwn2Own 2009 Contest Winners Emerge

← Back to Stories (view on slashdot.org)

First Pwn2Own 2009 Contest Winners Emerge

Posted by timothy on Thursday March 19, 2009 @09:23AM from the good-work-if-you-can-get-it dept.

mellowdonkey writes "Last year's CanSecWest hacking contest winner, Charlie Miller, does it again this year in the 2009 Pwn2Own contest. Charlie was the first to compromise Safari this year to win a brand spankin new Macbook. Nils, the other winner, was able to use three separate zero day exploits to whack IE8, Firefox, and Safari as well. Full detail and pictures are available from the sponsor, TippingPoint, who acquired all of the exploits through their Zero Day Initiative program."

98 comments

Let me be the first to say by Jurily · 2009-03-19 09:27 · Score: 3, Insightful

Nils, the other winner, was able to use three separate zero day exploits to whack IE8, Firefox, and Safari as well.
Wow.
1. Re:Let me be the first to say by von_rick · 2009-03-19 09:53 · Score: 2, Insightful
  
  I'm pretty sure he knows more methods to compromise the OS through these browsers. Most likly he'll use those methods at next years' pwn2own. Same could be said about Charlie Miller.
  
  --
  Face your daemons!
2. Re:Let me be the first to say by moderatorrater · 2009-03-19 10:25 · Score: 4, Informative
  
  Actually, if I'm remembering correctly, Charlie Miller DID say that he knew of more ways to crack into a mac. He also said that Mac was just as insecure as Windows and that Windows gets attacked mainly because of the number of people using it.
3. Re:Let me be the first to say by Laser_iCE · 2009-03-19 10:36 · Score: 2, Interesting
  
  He also said that Mac was just as insecure as Windows and that Windows gets attacked mainly because of the number of people using it.
  I tried to find some sort of source for this, but instead found this:
  
  Windows 7 PC Outlasts Mac In Security Test, at PWN2OWN.
4. Re:Let me be the first to say by Laser_iCE · 2009-03-19 10:38 · Score: 4, Informative
  
  Nevermind,
  
  Mac easiest to hack, says $10,000 winner
5. Re:Let me be the first to say by tonywong · 2009-03-19 10:55 · Score: 5, Informative
  
  Since no one has placed what 'owned' means, here's the rules from the canwest site:
  2009-03-18-01:00:00 PWN2OWN Final Rules
  Well after much discussion and deliberation here is the final cut at scenarios for the PWN2OWN competitions.
  Browsers and Associated Test PAltform
  Vaio - Windows 7
  * IE8
  * Firefox
  * Chrome
  Macintosh
  * Safari
  * Firefox
  Day 1: Default install no additional plugins. User goes to link.
  Day 2: flash, java, .net, quicktime. User goes to link.
  Day 3: popular apps such as acrobat reader ... User goes to link
  What is owned? - code execution within context of application
  =====
  I'm presuming that code execution is the first step towards owning the whole box, which may or may not be trivial once you got code execution happening within the app.
6. Re:Let me be the first to say by drsmithy · 2009-03-19 11:51 · Score: 4, Funny
  
  Actually, if I'm remembering correctly, Charlie Miller DID say that he knew of more ways to crack into a mac. He also said that Mac was just as insecure as Windows and that Windows gets attacked mainly because of the number of people using it.
  BURN HIM ! BURN THE HERETIC !
7. Re:Let me be the first to say by Anonymous Coward · 2009-03-19 14:19 · Score: 2, Insightful
  
  No not burn, just leave him and all the other to their windoze spyware nightmare :)
8. Re:Let me be the first to say by terwey · 2009-03-19 14:56 · Score: 1, Informative
  
  "The MacBook Air was running the current version of Mac OS X, 10.5.2, with all the latest security patches applied." uhm... osx been buggin me quite some time now for updates for 10.5.6!
9. Re:Let me be the first to say by oaklybonn · 2009-03-19 16:49 · Score: 1, Flamebait
  
  I wonder how much of "Mac easiest to hack" is due to the fact that WebKit is open source? Its got to be pretty easy to find exploits when you've got the source in front of you! And considering Darwin is open source, I'm surprised they weren't able to find a root exploit as well.
10. Re:Let me be the first to say by Hurricane78 · 2009-03-19 20:09 · Score: 1
  
  The nice thing about this, is that for Firefox, and probably also Safari, the bugs are already fixed.
  So all in all, this was a good thing for us all.
  The third exploit was a good thing for botnet owners only. ;)
  
  --
  Any sufficiently advanced intelligence is indistinguishable from stupidity.
11. Re:Let me be the first to say by Simetrical · 2009-03-20 07:32 · Score: 2, Informative
  
  Its got to be pretty easy to find exploits when you've got the source in front of you!
  A comparison of high-profile, seriously damaging Apache and IIS exploits would seem to indicate the opposite. Code Red and Nimda both caused a lot of damage, and targeted IIS. Any comparable stories for Apache, which has a larger market share than IIS by any figures I've seen?
  Or heck, look at Firefox vs. IE. IE has historically been much less secure, although Firefox has had its share of screwups too. (Of course, the closed-source software does have a larger market share in this case. But then, WebKit has a smaller market share than either, so by that logic it should be even more secure.)
  Even though it may be easier for malicious people to find vulnerabilities in open-source code, it's also easier for benevolent coders and third-party security auditors to find the exact same vulnerabilities and tell the vendor. This is Linus' law at work: given enough eyeballs, all bugs are shallow. There is no reason to assume a priori that open-source applications will be more vulnerable: only study will show that. And it seems like they're less vulnerable than most closed-source software, if anything.
  
  --
  MediaWiki developer, Total War Center sysadmin
12. Re:Let me be the first to say by Simetrical · 2009-03-20 07:33 · Score: 1
  
  What is owned? - code execution within context of application
  Does this mean that you win if you execute code in a sandboxed application, even if that means you can't actually harm the user at all?
  
  --
  MediaWiki developer, Total War Center sysadmin
13. Re:Let me be the first to say by Quantumstate · 2009-03-20 09:26 · Score: 1
  
  The article is dated March 28, 2008 so perhaps this would explain?
14. Re:Let me be the first to say by mpeskett · 2009-03-21 14:49 · Score: 1
  
  Of course it only applies if the code in question actually gets looked over by a lot of people. True for high profile things like Apache, but smaller open source projects can't be automatically assumed to be more secure - they may well have no more, or less, people actively reviewing their code than an equivalent program from a normal developer.
15. Re:Let me be the first to say by Anonymous Coward · 2009-03-25 04:28 · Score: 0
  
  Yes, but then again, maybe all the (obvious) root exploits in Darwin were already found and patched? As I think WebKit sees more development activity, it's likely to have more undiscovered exploits per kLOC.
16. Re:Let me be the first to say by nametaken · 2009-03-25 18:31 · Score: 1
  
  Yeah, cause I'm sure THIS GUY has the same spyware problems my grandma has. :)
Let me be the second to say by Anonymous Coward · 2009-03-19 09:29 · Score: 3, Funny

Nils, the other winner, was able to use three separate zero day exploits to whack IE8, Firefox, and Safari as well.
Wow.
Wow.
1. Re:Let me be the second to say by Aranykai · 2009-03-19 13:28 · Score: 0, Redundant
  
  In this case, shouldn't the moderation be + Redundant?
  
  --
  If sharing a song makes you a pirate, what do I have to share to be a ninja?
2. Re:Let me be the second to say by Anonymous Coward · 2009-03-19 13:51 · Score: 0
  
  NO.
3. Re:Let me be the second to say by Anonymous Coward · 2009-03-25 13:27 · Score: 0
  
  WoW.
Macintosh by Anonymous Coward · 2009-03-19 09:33 · Score: 0, Insightful

'Security' through obscurity
Hmmm.... by Khyber · 2009-03-19 09:45 · Score: 2, Insightful

Well, I'm not surprised it didn't take but a few moments for the contest to be won.
Man can make it, man can break it. That's it.

--
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
1. Re:Hmmm.... by Anonymous Coward · 2009-03-19 09:52 · Score: 5, Funny
  
  But Safari was created by the Gods at Apple....
2. Re:Hmmm.... by doas777 · 2009-03-19 10:13 · Score: 1
  
  well, security research is something you prep for, not do on the fly. no doubt they have been polishing the exploits and throughly testing them "off stage", as it were.
3. Re:Hmmm.... by broken_chaos · 2009-03-19 10:26 · Score: 1
  
  No kidding. Basically it was a draw from the summary's hat for who won the computers, from what I can gather. At least, that's the impression I'm getting...
  It's also very unclear what constitutes "pwned". Even reading the rules, "code execution in the context of the application" or something... Does that mean these exploits are actually usable to do something malicious, or do they just, say, crash the browser?
4. Re:Hmmm.... by doas777 · 2009-03-19 10:36 · Score: 1
  
  good point. i was wondering what the runner-up did that put his exploits outside the criteria of the contest.
5. Re:Hmmm.... by ijakings · 2009-03-19 10:50 · Score: 5, Funny
  
  Firefox Three for the Elven-kings under the sky,
  IE Seven for the Dwarf-lords in their halls of stone,
  Netscape Nine for Mortal Men doomed to die,
  One Safari for the Dark Lord on his dark throne
  In the Land of Apple where the Shadows lie.
  One Browser to rule them all, One Browser to find them,
  One Browser to bring them all and in the darkness bind them
  In the Land of Apple where the Shadows lie.
6. Re:Hmmm.... by rts008 · 2009-03-19 10:51 · Score: 2, Insightful
  
  Does that mean these exploits are actually usable to do something malicious,...
  Yes.
  The code executed by the contestant may not be malicious, it is only meant to showcase the exploit being used. If I were a contestant, I would not run malicious code on the laptop I was hoping to take home with me! Maybe download a Kubuntu .iso and Wubi.exe, and execute Wubi.....
  Used in the wild, the exploit would almost certainly be used to execute malicious code, I'd think.
  
  --
  Down With Slashdot BETA!!! I've been around the corner and seen the oliphant; you can only abuse me from your perspecti
7. Re:Hmmm.... by MadnessASAP · 2009-03-19 11:12 · Score: 2, Insightful
  
  It's also very unclear what constitutes "pwned". Even reading the rules, "code execution in the context of the application" or something... Does that mean these exploits are actually usable to do something malicious, or do they just, say, crash the browser?
  Seems pretty cut and dry to me, it means they were able to inject their own code into the processes memory and get it too execute. So no privilege escalation but you can now do whatever said application would theoretically been able to do.
  
  --
  I may agree with what you say, but I will defend to the death your right to face the consequences of saying it.
8. Re:Hmmm.... by rthille · 2009-03-19 12:00 · Score: 2, Interesting
  
  Yeah, but from what I read, the attack was via a PERL regex library used by the javascript engine. So it was in something Apple just used and not something they wrote from scratch. <sarcasm> I'm sure had Apple written the whole thing from scratch, there'd be no bugs...</sarcasm>
  
  --
  Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
9. Re:Hmmm.... by RiotingPacifist · 2009-03-19 12:23 · Score: 3, Insightful
  
  thats why its time for andriod style security on the desktop , firefox should ONLY be able to write to a downloads folder & its profile, OO should ONLY be able to read/write to disk, NO network access,.
  
  --
  IranAir Flight 655 never forget!
10. Re:Hmmm.... by drinkypoo · 2009-03-19 13:20 · Score: 1
  
  Yeah, but from what I read, the attack was via a PERL regex library used by the javascript engine. So it was in something Apple just used and not something they wrote from scratch. <sarcasm> I'm sure had Apple written the whole thing from scratch, there'd be no bugs...</sarcasm>
  
  While we're conjecturing wildly (well, you didn't cite) Apple has a history of failing to keep their Open Source components current, especially perl modules (there was a discussion here recently about manually-updated perl modules being whacked by an Apple 'update'.)
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
11. Re:Hmmm.... by UnRDJ · 2009-03-19 15:05 · Score: 1
  
  Now let's consider how many inexperienced users run everything as administrator/root. Those botnets don't make themselves!
12. Re:Hmmm.... by MadnessASAP · 2009-03-19 16:08 · Score: 1
  
  I think most slashdotters can understand the implications of what happens when an application running as root get compromised. Those that don't probably work at Microsoft :-).
  
  --
  I may agree with what you say, but I will defend to the death your right to face the consequences of saying it.
13. Re:Hmmm.... by Anonymous Coward · 2009-03-19 16:41 · Score: 0
  
  this makes you wonder if the widespread adopting of WebKit is actually a bad thing...
14. Re:Hmmm.... by erikina · 2009-03-19 20:18 · Score: 1
  
  Something like SELinux?
15. Re:Hmmm.... by makomk · 2009-03-19 23:27 · Score: 3, Informative
  
  No, it was via Safari's very outdated internal copy (probably even a fork, from what I recall) of the pcre regex library. I think the equivalent bug had been fixed in the upstream library ages before.
16. Re:Hmmm.... by Lars+T. · 2009-03-20 00:41 · Score: 1
  
  It's about time the iPhone got copy&paste, else one couldn't write masterpieces like that on it!
  
  --
  Lars T.
  To the guy who modded me down from perfect to terrible Karma - Apple haters still suck
17. Re:Hmmm.... by Dr.+Smoove · 2009-03-20 01:29 · Score: 1
  
  "Android style security"??? It's a sad day on /. when someone calls mandatory access control "android style security".
  
  --
  "If you plant ice, you're gonna harvest wind."
18. Re:Hmmm.... by Simetrical · 2009-03-20 07:41 · Score: 2, Interesting
  
  thats why its time for andriod style security on the desktop , firefox should ONLY be able to write to a downloads folder & its profile
  So what if the user uses "Save Page As..."? You'd have to have an infrastructure that allows spawning a file picker as a separate app with its own permissions. What if the user customizes the directory for storing the web cache? What if Firefox creates an executable in a prohibited location and then runs it? Etc. Firefox is an awfully big application; it would be hard to pin it down with hard-and-fast rules on what directories it can access.
  
  OO should ONLY be able to read/write to disk, NO network access,.
  That's a real impediment. Just write out your malicious script to the user's home directory somewhere, and append some lines to ~/.bashrc or whatever startup files you like.
  What's really needed isn't so much restricting what files the program can access, but how it can access them. Bitfrost has a very interesting approach. I haven't looked at Android, but I'd assume it's similar in some ways. You need a fair amount of infrastructure for this to work, though.
  
  --
  MediaWiki developer, Total War Center sysadmin
19. Re:Hmmm.... by rthille · 2009-03-20 07:57 · Score: 2, Funny
  
  heh, my memory had conflated pcre and perl. That'll teach me to look shit up.
  
  --
  Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
20. Re:Hmmm.... by Anonymous Coward · 2009-03-25 09:38 · Score: 0
  
  Only if you count ripping off Konqueror's rendering engine "creating".
WTF ? by Anonymous Coward · 2009-03-19 09:52 · Score: 0, Insightful

Either these guys are very good.
or something is very wrong with the security features of these Apps
1. Re:WTF ? by CannonballHead · 2009-03-19 09:59 · Score: 3, Insightful
  
  Or both.
2. Re:WTF ? by JB19000 · 2009-03-19 10:11 · Score: 3, Informative
  
  Nonsense, all exploits used at these have already been know to at least the competitor. Afterwords they are submitted to the developers. This competition is used to give recognition to security researchers and improve browsers not to prove anything about a certain program.
3. Re:WTF ? by Anonymous Coward · 2009-03-19 10:12 · Score: 0, Funny
  
  I'll tell you what's very wrong with the security features of these apps: they're all written in C++.
4. Re:WTF ? by JumpDrive · 2009-03-19 10:19 · Score: 3, Insightful
  
  I think that something is very wrong with the security features of these apps or the OS on which they were run.
  I'd like to see a browser stabilized so that more work can be done on the security. I always wonder, how can they may a secure browser if they are constantly adding features to it?
  What else do we need for a browser to do?
  I'm serious, what else do we really need a browser to do? Can we stop for awhile and work on making one more secure?
5. Re:WTF ? by doas777 · 2009-03-19 10:22 · Score: 3, Insightful
  
  it's seems to me to be an indication that we are pushing new functionality before the basis upon which it functions is mature enough to be safely reviewed. the complexity of a given computing environment is increasing at an approximately exponential rate, so there is more and more that need be tested and vetted everyday.
  there are just some things that we need to accept aren't safe yet. As much as I like active web pages like this one, the problems with CGI and javascript persist even today, despite a decade+ of review and testing. I find online banking and drivers license registeration very convient, but at the same time, I firmly believe that there is no way to be safe when performing fiscal transactions online. don't get me wrong, I use these services, but I wish the chaotic computing environment would slow down a bit so we can catch up with the securiy problems of last year, before facing next years.
6. Re:WTF ? by fat_mike · 2009-03-19 16:31 · Score: 0, Flamebait
  
  Do you really believe that these things involve anything more than "I'm uber-geek, all shall bow before me" contests?
  If these "Pwn20wn" things were serious then they wouldn't be advertised on here.
  Also you suck and so does your grammar, gramer, grammer, gemmar. Fuck, somebody write me a Linux grammar checker.
7. Re:WTF ? by Anonymous Coward · 2009-03-19 23:25 · Score: 0
  
  I`m writing my applications in C you insensitive clod
8. Re:WTF ? by rastos1 · 2009-03-20 01:45 · Score: 1
  
  We run a marathon. If I stop now to reconsider my strategy, the other guys will keep going and leave me behind. If I come up with better strategy while thinking, I will make up the loss sooner or later. However the rules are different here: If the gap between the main group and me grows too much, I get disqualified. Now the question is whether I can come up with better strategy at all and whether I can do it before the gap grows too much.
9. Re:WTF ? by Anonymous Coward · 2009-03-20 04:19 · Score: 0
  
  Real men write in objective-C
Sandboxing to rescue by Anonymous Coward · 2009-03-19 10:08 · Score: 0

If browsers would be truely sandboxed, no big worries. Sandbox could be even recreated at every start from safe binary cache on harddisk so compromise would only affect the current session inside sandbox. Sandbox could be even completely separate slimmed down virtual session.
It is not impossibe to teach people to restart it after surfing porn. It is impossible to prevent them visiting malicious sites.
1. Re:Sandboxing to rescue by doas777 · 2009-03-19 10:26 · Score: 2, Informative
  
  i think the problem is, that if you completely isolate the browser, it becomse less useful, so no one wants to. also interprocess communication is a kernel level thing, so whatever process is running inherently has the ability to work with other processes and threads. all you have to do is break the protections within the process and you have some real control.
  they are getting better with this, but they still have a long way to go.
2. Re:Sandboxing to rescue by Anonymous Coward · 2009-03-19 10:30 · Score: 0
  
  So it would be cool if all it could get was your bank account data from the site you just logged into a moment ago? Or did you mean that each web page you visit gets its own independent sandbox?
3. Re:Sandboxing to rescue by Beardo+the+Bearded · 2009-03-19 10:31 · Score: 1
  
  Don't you read slashdot? There's a known hack to take control of the CPU and circumvent the entire OS.
  Your computer is only yours by the whims of others.
  
  --
  
  ---
  ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
4. Re:Sandboxing to rescue by Goaway · 2009-03-19 13:39 · Score: 1
  
  That only works in ring 0, that is, if you are already root. Thus, it can only make a bad exploit even worse, it won't help you get out of a sandbox.
Or, ... by reiisi · 2009-03-19 10:32 · Score: 3, Insightful

Once or twice meant something, but now it's an institution.
Meaning that somebody is going to try to make a career of breaking the easiest part of the system at this contest.
Meaning that these guys are going to sit on their exploits.
Meaning that this contest, running at a set time once a year, is now meaningless.
Except for advertising potential. You know, keeping your product name in the headlines.
The respective companies should offer a running bounty on exploits on their browsers. Yeah, that would spoil all the pageantry of Pwn20wn, but do we really need another pageant?

--
Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
1. Re:Or, ... by Nazlfrag · 2009-03-19 17:00 · Score: 3, Insightful
  
  They change the rules and targets each year. Nobody will sit on an exploit all year because there's no way to know what to hang on to, or whether the hole will still be there in a month, let alone a year. It's used to promote the Zero Day Initiative which pays you directly for exploits, no fancy contest needed. The contest serves its purpose perfectly. It's never been a meaningful way to stop exploits anyway, just a promotional vehicle for the conference and the respective companies. Nobody's going to make a career out of this competition. If they were good enough to do that, they could make a comfortable living from the ZDI.
2. Re:Or, ... by BZ · 2009-03-19 17:36 · Score: 3, Informative
  
  > The respective companies should offer a running bounty on exploits on their browsers.
  You mean like http://www.mozilla.org/security/bug-bounty.html ?
  The problem is that browser exploits sell for about $10,000 at the moment (that's how much various "security" companies will pay for them). The bug bounty above is $500...
3. Re:Or, ... by pyrrhonist · 2009-03-19 19:38 · Score: 3, Insightful
  
  Nobody will sit on an exploit all year because there's no way to know what to hang on to, or whether the hole will still be there in a month, let alone a year.
  That's exactly what happened this year:
  
  I actually found this bug before last year's Pwn2Own but, at the time, it was harder to exploit. I came to CanSecWest last year with two bugs but only one exploit. Last year, you could only win once so I saved the second bug. Turns out, it was still there this year so I wrote another exploit and used it this year.
  
  --
  Show me on the doll where his noodly appendage touched you.
4. Re:Or, ... by Fred_A · 2009-03-19 20:27 · Score: 4, Insightful
  
  That's exactly what happened this year:
  
  I actually found this bug before last year's Pwn2Own but, at the time, it was harder to exploit. I came to CanSecWest last year with two bugs but only one exploit. Last year, you could only win once so I saved the second bug. Turns out, it was still there this year so I wrote another exploit and used it this year.
  So in a way what this event did is help keep a known vulnerability open for a year more than it should have been. Which means that there is a fair chance that in the mean time some body else might have found and used it in the wild.
  Brilliant.
  
  --
  
  May contain traces of nut.
  Made from the freshest electrons.
5. Re:Or, ... by Plunky · 2009-03-19 21:23 · Score: 1
  
  Alas, the bad guys will always want to pay more for the exploit as its more valuable to them. Get this: $10,000 is nothing, they can make millions in profit!
6. Re:Or, ... by Simetrical · 2009-03-20 07:45 · Score: 2, Informative
  
  That's exactly what happened this year:
  
  I actually found this bug before last year's Pwn2Own but, at the time, it was harder to exploit. I came to CanSecWest last year with two bugs but only one exploit. Last year, you could only win once so I saved the second bug. Turns out, it was still there this year so I wrote another exploit and used it this year.
  So in a way what this event did is help keep a known vulnerability open for a year more than it should have been. Which means that there is a fair chance that in the mean time some body else might have found and used it in the wild.
  Brilliant.
  Wrong. Read the rest of the link:
  
  Did you consider reporting the vulnerability to Apple?
  I never give up free bugs. I have a new campaign. It's called NO MORE FREE BUGS. Vulnerabilities have a market value so it makes no sense to work hard to find a bug, write an exploit and then give it away. Apple pays people to do the same job so we know there's value to this work. No more free bugs.
  
  He wouldn't have given up the bug if not for the contest. He'd have sat on it anyway until he found someone else to pay him for it.
  
  --
  MediaWiki developer, Total War Center sysadmin
7. Re:Or, ... by reiisi · 2009-03-20 20:08 · Score: 1
  
  Well, yeah, but I'm not sure I'd call it profit.
  Ill-gotten gains have the baggage of having been gotten by ill means. When you start taking from other people, you start forgetting how to make your own.
  I know the economy is bad. It's always bad. That's part of the puzzle we are trying to solve, how to provide for ourselves and our own in an adversarial economy. When we solve that puzzle well, we add value to the economy and to our own state of being. When we steal, we take away from both.
  Of course, the bad guys don't understand this, and maybe it isn't worth quibbling over words, but I think I would have said "rake in" instead of "make", and not said profit. What to say instead of profit, I'm not sure. Any ideas?
  
  --
  Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
8. Re:Or, ... by its_schwim · 2009-03-28 15:09 · Score: 1
  
  Oh, you thought they do this for the betterment of the world? Well, that's not naive.
ScoreAfter Day 1 (for the TL;DR crowd) by Deathlizard · 2009-03-19 10:33 · Score: 4, Informative

Browsers
Chrome: 0
IE8: 1
Firefox: 1(1)*
Safari: 2(1)*
Mobile Browsers
Blackberry: 0
Android: 0
iPhone: 0
Nokia/Symbian: 0
Windows Mobile: 0
*Numbers in parenthesis indicate Successful exploits that fell outside the contest criteria and therefore could not be rewarded.

--
In Soviet Russia, Trojan exploits YOU!
1. Re:ScoreAfter Day 1 (for the TL;DR crowd) by Slashdot+Suxxors · 2009-03-19 10:52 · Score: 3, Interesting
  
  Has nobody tried "hacking" the mobile devices? You'd think with all the BBs/iPhones/WM and Symbian devices out there, there would be a market for exploiting them.
2. Re:ScoreAfter Day 1 (for the TL;DR crowd) by Anonymous Coward · 2009-03-19 18:55 · Score: 0
  
  Higher is worse, right?
3. Re:ScoreAfter Day 1 (for the TL;DR crowd) by Insanity+Defense · 2009-03-23 05:37 · Score: 1
  
  Firefox on Mac was done but how about Firefox on Windows? (Nils did it on the Mac)
No linux? by Anonymous Coward · 2009-03-19 11:14 · Score: 0

Not clear in the article, but the exploits were only under windows and osx?
1. Re:No linux? by RiotingPacifist · 2009-03-19 12:25 · Score: 3, Insightful
  
  firefox is firefox, it runs on linux, it can be exploited on linux. NOSCRIPT FTW
  
  --
  IranAir Flight 655 never forget!
2. Re:No linux? by ld+a,b · 2009-03-19 12:51 · Score: 2, Insightful
  
  The same hole can have different levels of exploitability in different OSes. FF for Windows cannot take advantage of ASLR because Windows XP didn't support it. In Linux it should be enabled by default by now. MacOS X has nothing at all yet.
  
  If all OSes would implement all of OpenBSD security features, even if not perfectly, the amount of exploitable bugs would decrease considerably. The bug is still there, but the black hat is met with a harsh environment totally unlike the green garden that are major OSes.
  
  --
  10 little-endian boys went out to dine, a big-endian carp ate one, and then there were -246.
3. Re:No linux? by vistapwns · 2009-03-19 14:22 · Score: 1
  
  FF on Vista does use ASLR and DEP, but not protected mode like IE. This can be verified with Process Explorer run on Vista with FF open, just add "ASLR" and "DEP" columns.
  
  --
  "...I think the Microsoft hatred is a disease." - Linus Torvalds
No details? by rbanzai · 2009-03-19 11:31 · Score: 2, Insightful

I checked the article and there don't appear to be any details. A few of these hacking contests have been a bit overblown so I'd like to know what manner of exploit they used.
If it's another "well you need physical access to the machine and know the admin username and password" then it's no big deal. If it's "we had the user click a link and all hell broke loose" that would be much more interesting.
1. Re:No details? by ld+a,b · 2009-03-19 12:16 · Score: 5, Interesting
  
  >"we had the user click a link and all hell broke loose"
  
  That is exactly what happened with Safari on MacOS, in seconds. I guess the others fell just as easily, but with a bit more crude exploits.
  
  We don't get to know the details because vendors get to fix the hole before anything is published, which is long after all of us have forgotten about the contest.
  
  What really is misleading is that Windows 7 and MacOS are implied pwned when it appears that only the browsers were taken.
  
  With IE8 purportedly running in a "sandbox", breaking out of that was interesting by itself and hopefully a bit more difficult than just escalating privileges in MacOS.
  
  I miss Linux too. A hole in firefox means being just one local exploit away from pwning your box.
  
  --
  10 little-endian boys went out to dine, a big-endian carp ate one, and then there were -246.
2. Re:No details? by Anonymous Coward · 2009-03-20 01:03 · Score: 0
  
  I guess the others fell just as easily, but with a bit more crude exploits.
  That's not what this interview with the Safari winner seems to indicate. He says that IE8 and Windows in general is tougher to crack than safari and OSX.
  A little off topic, but I was checking out this reddit "viewer" that shows activity in real time and the interview article was getting _slammed_ with downvotes.
Sensored? by Anonymous Coward · 2009-03-19 11:41 · Score: 1, Funny

Is it just me, or does it look like they censored Nils' zipper when he was showing off his winnings?
1. Re:Sensored? by Anonymous Coward · 2009-03-19 12:34 · Score: 0
  
  Incorrect. It is his ID badge. You can see it in the other shots.
2. Re:Sensored? by 93+Escort+Wagon · 2009-03-19 12:36 · Score: 4, Funny
  
  Is it just me, or does it look like they censored Nils' zipper when he was showing off his winnings?
  I have no idea - but why were you were looking down there in the first place?
  
  --
  #DeleteChrome
3. Re:Sensored? by Anonymous Coward · 2009-03-19 19:22 · Score: 0
  
  On the image right above that one you will realize that it's actually some card attached to his pants, which has probably his name or favorite food on it.
4. Re:Sensored? by AioKits · 2009-03-20 00:52 · Score: 1
  
  Maybe a different idea was held when hearing about the first to 'pwn the box' was said?
  
  --
  "Quote me as saying I was mis-quoted." -Groucho Marx
5. Re:Sensored? by Anonymous Coward · 2009-03-20 04:08 · Score: 0
  
  all the cool kids wear their name badges at the bottom of their shirt and backwards
I have your answer. by Khyber · 2009-03-19 17:41 · Score: 1

Straight from the horse's mouth:
"Why Safari? Why didnâ(TM)t you go after IE or Safari?
Itâ(TM)s really simple. Safari on the Mac is easier to exploit. The things that Windows do to make it harder (for an exploit to work), Macs donâ(TM)t do. Hacking into Macs is so much easier. You donâ(TM)t have to jump through hoops and deal with all the anti-exploit mitigations youâ(TM)d find in Windows.
Itâ(TM)s more about the operating system than the (target) program. Firefox on Mac is pretty easy too. The underlying OS doesnâ(TM)t have anti-exploit stuff built into it."
That's right - Windows is harder to exploit because it's so damned convoluted. Macs are easy prey because they don't have that convolution built-in as a security measure.

--
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
1. Re:I have your answer. by Simetrical · 2009-03-20 07:48 · Score: 2, Informative
  
  Straight from the horse's mouth:
  "Why Safari? Why didn't you go after IE or Safari?
  It's really simple. Safari on the Mac is easier to exploit. The things that Windows do to make it harder (for an exploit to work), Macs don't do. Hacking into Macs is so much easier. You don't have to jump through hoops and deal with all the anti-exploit mitigations you'd find in Windows.
  It's more about the operating system than the (target) program. Firefox on Mac is pretty easy too. The underlying OS doesnâ(TM)t have anti-exploit stuff built into it."
  That's right - Windows is harder to exploit because it's so damned convoluted. Macs are easy prey because they don't have that convolution built-in as a security measure.
  Wrong. He gives more details than you quoted:
  
  With my Safari exploit, I put the code into a process and I know exactly where it's going to be. There's no randomization. I know when I jump there, the code is there and I can execute it there. On Windows, the code might show up but I don't know where it is. Even if I get to the code, it's not executable. Those are two hurdles that Macs don't have.
  He's saying that Windows uses recognized security techniques like DEP and ASLR, and Mac doesn't. (Linux does use both of those, to varying extents depending on distro and configuration.)
  
  --
  MediaWiki developer, Total War Center sysadmin
2. Re:I have your answer. by Khyber · 2009-03-21 06:52 · Score: 1
  
  ASLR is simply making sure core files aren't always loaded into the same address space - making it more convoluted. There are more twists, more hoops, more folds to go through, before you can get to what you want.
  Convoluted - adj: Complex, intricate or complicated; Having numerous overlapping coils or folds
  
  --
  Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
3. Re:I have your answer. by Simetrical · 2009-03-21 12:33 · Score: 1
  
  ASLR is simply making sure core files aren't always loaded into the same address space - making it more convoluted. There are more twists, more hoops, more folds to go through, before you can get to what you want.
  Convoluted - adj: Complex, intricate or complicated; Having numerous overlapping coils or folds
  So are you saying ASLR is a bad thing? If so, why? If not, why did you use the clearly derogatory terminology "so damned convoluted"?
  Anyway, a non-executable stack has nothing to do with being convoluted, and that's also an obstacle that he mentioned.
  
  --
  MediaWiki developer, Total War Center sysadmin
4. Re:I have your answer. by Khyber · 2009-03-21 14:09 · Score: 1
  
  Windows is so damned convoluted, that is what I said. ASLR is a good thing. I find it funny that the one thing that people tend to complain about - all the twists and turns in Windows and how sloppy and make-shift it is, ends up making it somewhat more secure in one form.
  
  --
  Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
Not clear if sandbox was breached by benjymouse · 2009-03-19 19:52 · Score: 0

Per the contest rules it wasn't necessary to break out of the sandbox, so at this point it is not clear that that happened. Simply executing code in context of the application (browser) would be enough. You can still do a lot of damage inside the browser, i.e. install password/certificate snooping, monitor and inject traffic etc. But it all ends with the browser session. You cannot read/write users' files much less compromise the machine.
Unlike Firefox, Opera and Safari, Chrome and IE actually has such a sandbox. Chrome actually has a 2-level sandbox and a process-per-tab while IE only has a single sandboxed process common to all tabs.
In addition to that IE has a really big supply of extra defenses such as heap encryption, various stack overflow protections, mechanisms designed to foil exception handler exploitation etc. At least some of these must have been broken in the attack against IE8. Recently a couple of security researchers demonstrated how most (if not all) of these mitigation mechanisms (except for sandbox) could be broken by leveraging perfectly valid code to reduce entropy (most of these mitigation mechanisms work by introducing entropy or encryption thus lowering the chance of a successful attack)
Firefox, Opera and Safari has no sandbox and practically no extra mitigation mechanisms to speak of, except for those offered by the operating system. Again, OSX is a the bottom of the heap here, with practically NO extra mitigation techniques. Vista offers the most, especially on 64bit.
For the last couple of years, Firefox (not IE) has been the browser with the most vulns. Combine that with the fact that it has no sandbox, no extra mitigation techniques and that it relies heavily on extensions and plugins the quality of which cannot be controlled by Mozilla. That's a recipe for a security disaster. On Windows and on any other OS.
You can argue that SELinux may be able to achieve something akin to a sandbox. While it can certainly lock down an app pretty tight, it does have 2 issues: 1) It's highly impractical. Mainstream users will not be able to set up a profile and no mainstream distro has been able to supply a built-in profile which suit the needs of the general user. 2) While a profile may prohibit/allow certain calls, it cannot do so based on what the user wants to do. If FF needs to read or write from/to a directory, it will be allowed to do so always. The IE/Chrome sandbox design always denies local file system access. To be able to upload/download files the browser process must interact with a higher privileged process to do the actual marshalling of files. Obviously such a design is inherently stronger.

--
Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
1. Re:Not clear if sandbox was breached by drerwk · 2009-03-20 01:08 · Score: 1
  
  But it all ends with the browser session. You cannot read/write users' files much less compromise the machine.
  If you can execute in the applications context, I think you can write to the preferences files - even if the app is in a sandbox. At that point you might be able to save your hack and have it reloaded at start up. You might save your hack as file: //homepage.html and load that.
2. Re:Not clear if sandbox was breached by benjymouse · 2009-03-20 08:22 · Score: 1
  
  If you can execute in the applications context, I think you can write to the preferences files - even if the app is in a sandbox.
  No, not in a sandbox. That\s the difference between something like SELinux and a real sandbox. With SELinux you will be allowed to do what you legitimately need to be able to do. In a sandbox you will have to ask the broker process to perform the privileged operations. Neither Chrome nor IE let the rendering process access the local file system. Instead they supply a broker/helper process. Typically this process will interact with the user, i.e. if downloading a file it will display a dialog or visual element to let the user choose if/where to download the file to.
  You are right that if you protect Firefox with SELinux, it still needs to be able to access the preferences store. Thus a contaminated instance will be allowed to do the same, i.e. it will be able to change settings without user interaction or consent.
  Chrome actually takes it one step further, isolating each tab in its own process. This (in theory) prevents cross-contamination between tabs. If an attacker successfully compromises one tab he can still not intercept communications from/to the other tabs. While IE has a sandbox it doesn't protect individual tabs, merely the browser itself and the file system.
  
  --
  Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
Didn't write the exploits in seconds did they?! by BestNicksRTaken · 2009-03-19 21:36 · Score: 2, Interesting

The speed factor seems pointless in this exercise - if they didn't write the exploits there and then at the conference, it effectively boils down to who can stick his thumbdrive in the slot and double-click the fastest!
Why did it take longer to kill IE8/Firefox if the exploits were already written and just needed to be run by clicking a URL?
Make the fsckers write their own exploits, and make them do it at the show. THAT would be worth 10k.

--
#include <sig.h>
1. Re:Didn't write the exploits in seconds did they?! by Anonymous Coward · 2009-03-20 04:00 · Score: 0
  
  boring too. What you don't seem to understand here is that these exploits are worth 10k to the companies. the real question is how much these exploits are worth on the black market..
2. Re:Didn't write the exploits in seconds did they?! by Anonymous Coward · 2009-03-25 04:37 · Score: 0
  
  Because IE and Firefox are slower than Safari?
What details...? by argent · 2009-03-19 23:08 · Score: 3, Interesting

Full detail and pictures are available from the sponsor, TippingPoint, who acquired all of the exploits through their Zero Day Initiative program.
I see no details here.
Like they don't care? by SirSlud · 2009-03-25 14:10 · Score: 2, Interesting

Who the hell cares about Windows, Macs, Linux?
Put these folks on voting machines - it's way more important to protect the sanctity of democracy than to point out exploitable browsers.
I get the economics of it, but this is what insurance is for. Software companies care about security, but at some point this becomes more about mental masturbation - cracking will always occur. Why not create some incentive to put the desire to crack on important systems rather than worry about jo-shmoes machine getting compromised.

--
"Old man yells at systemd"