First Pwn2Own 2009 Contest Winners Emerge
mellowdonkey writes "Last year's CanSecWest hacking contest winner, Charlie Miller, does it again this year in the 2009 Pwn2Own contest. Charlie was the first to compromise Safari this year to win a brand spankin' new MacBook. Nils, the other winner, was able to use three separate zero-day exploits to whack IE8, Firefox, and Safari as well. Full details and pictures are available from the sponsor, TippingPoint, who acquired all of the exploits through their Zero Day Initiative program."
Nonsense, all exploits used at these have already been known to at least the competitor. Afterwards they are submitted to the developers. This competition is used to give recognition to security researchers and improve browsers, not to prove anything about a certain program.
Actually, if I'm remembering correctly, Charlie Miller DID say that he knew of more ways to crack into a mac. He also said that Mac was just as insecure as Windows and that Windows gets attacked mainly because of the number of people using it.
I think the problem is that if you completely isolate the browser, it becomes less useful, so no one wants to. Also, interprocess communication is a kernel-level thing, so whatever process is running inherently has the ability to work with other processes and threads. All you have to do is break the protections within the process and you have some real control.
they are getting better with this, but they still have a long way to go.
Browsers
Chrome: 0
IE8: 1
Firefox: 1(1)*
Safari: 2(1)*
Mobile Browsers
Blackberry: 0
Android: 0
iPhone: 0
Nokia/Symbian: 0
Windows Mobile: 0
*Numbers in parentheses indicate successful exploits that fell outside the contest criteria and therefore could not be rewarded.
In Soviet Russia, Trojan exploits YOU!
Nevermind,
Mac easiest to hack, says $10,000 winner
Since no one has posted what 'owned' means, here are the rules from the CanSecWest site:
2009-03-18-01:00:00 PWN2OWN Final Rules
Well after much discussion and deliberation here is the final cut at scenarios for the PWN2OWN competitions.
Browsers and Associated Test Platform
Vaio - Windows 7
* IE8
* Firefox
* Chrome
Macintosh
* Safari
* Firefox
Day 1: Default install no additional plugins. User goes to link. .net, quicktime. User goes to link. ... User goes to link
Day 2: flash, java,
Day 3: popular apps such as acrobat reader
What is owned? - code execution within context of application
=====
I'm presuming that code execution is the first step towards owning the whole box, which may or may not be trivial once you got code execution happening within the app.
"The MacBook Air was running the current version of Mac OS X, 10.5.2, with all the latest security patches applied." Uhm... OS X has been bugging me for quite some time now about updates to 10.5.6!
> The respective companies should offer a running bounty on exploits on their browsers.
You mean like http://www.mozilla.org/security/bug-bounty.html ?
The problem is that browser exploits sell for about $10,000 at the moment (that's how much various "security" companies will pay for them). The bug bounty above is $500...
No, it was via Safari's very outdated internal copy (probably even a fork, from what I recall) of the pcre regex library. I think the equivalent bug had been fixed in the upstream library ages before.
It's got to be pretty easy to find exploits when you've got the source in front of you!
A comparison of high-profile, seriously damaging Apache and IIS exploits would seem to indicate the opposite. Code Red and Nimda both caused a lot of damage, and targeted IIS. Any comparable stories for Apache, which has a larger market share than IIS by any figures I've seen?
Or heck, look at Firefox vs. IE. IE has historically been much less secure, although Firefox has had its share of screwups too. (Of course, the closed-source software does have a larger market share in this case. But then, WebKit has a smaller market share than either, so by that logic it should be even more secure.)
Even though it may be easier for malicious people to find vulnerabilities in open-source code, it's also easier for benevolent coders and third-party security auditors to find the exact same vulnerabilities and tell the vendor. This is Linus' law at work: given enough eyeballs, all bugs are shallow. There is no reason to assume a priori that open-source applications will be more vulnerable: only study will show that. And it seems like they're less vulnerable than most closed-source software, if anything.
MediaWiki developer, Total War Center sysadmin
That's exactly what happened this year:
I actually found this bug before last year's Pwn2Own but, at the time, it was harder to exploit. I came to CanSecWest last year with two bugs but only one exploit. Last year, you could only win once so I saved the second bug. Turns out, it was still there this year so I wrote another exploit and used it this year.
So in a way what this event did is help keep a known vulnerability open for a year longer than it should have been. Which means that there is a fair chance that in the meantime somebody else might have found and used it in the wild.
Brilliant.
Wrong. Read the rest of the link:
He wouldn't have given up the bug if not for the contest. He'd have sat on it anyway until he found someone else to pay him for it.
MediaWiki developer, Total War Center sysadmin
Straight from the horse's mouth:
"Why Safari? Why didn't you go after IE or Safari?
It's really simple. Safari on the Mac is easier to exploit. The things that Windows do to make it harder (for an exploit to work), Macs don't do. Hacking into Macs is so much easier. You don't have to jump through hoops and deal with all the anti-exploit mitigations you'd find in Windows.
It's more about the operating system than the (target) program. Firefox on Mac is pretty easy too. The underlying OS doesn't have anti-exploit stuff built into it."
That's right - Windows is harder to exploit because it's so damned convoluted. Macs are easy prey because they don't have that convolution built-in as a security measure.
Wrong. He gives more details than you quoted:
He's saying that Windows uses recognized security techniques like DEP and ASLR, and Mac doesn't. (Linux does use both of those, to varying extents depending on distro and configuration.)
MediaWiki developer, Total War Center sysadmin
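Added example, not from this thread or from any of the posters: a small Linux C check in the spirit of the DEP/ASLR point above. It parses text in /proc/&lt;pid&gt;/maps format and reports whether a process's stack mapping is executable, which is the practical way to confirm that NX/DEP is actually in effect for a running program. The sample maps lines are constructed, and the function and constant names are my own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Bits for the permission column ("rwxp") of a /proc/<pid>/maps line. */
enum { PERM_READ = 1, PERM_WRITE = 2, PERM_EXEC = 4, PERM_NOT_FOUND = -1 };
/* Constructed sample in /proc/<pid>/maps format (not a real capture). */
static const char SAMPLE_MAPS[] =
    "55d4a000-55d4b000 r-xp 00000000 08:01 1234 /usr/bin/demo\n"
    "7f3c2000-7f3c3000 r--p 00000000 08:01 5678 /usr/lib/libc.so.6\n"
    "7ffd1000-7ffd2000 rw-p 00000000 00:00 0 [stack]\n";
/* Find the mapping whose pathname column equals `name` (e.g. "[stack]") and
 * return its permission bits, or PERM_NOT_FOUND if no such line exists. */
int mapping_perms(const char *maps, const char *name)
{
    for (const char *line = maps; *line; ) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        char buf[512], perms[8] = {0}, path[256] = {0};
        if (len < sizeof buf) {
            memcpy(buf, line, len); buf[len] = '\0';
            /* Columns: address perms offset dev inode [pathname] */
            if (sscanf(buf, "%*s %7s %*s %*s %*s %255s", perms, path) == 2
                && strcmp(path, name) == 0) {
                int bits = 0;
                if (perms[0] == 'r') bits |= PERM_READ;
                if (perms[1] == 'w') bits |= PERM_WRITE;
                if (perms[2] == 'x') bits |= PERM_EXEC;
                return bits;
            }
        }
        if (!eol) break;
        line = eol + 1;
    }
    return PERM_NOT_FOUND;
}
/* Apply the check to the calling process (Linux only):
 * 1 = stack is executable (no NX/DEP), 0 = non-executable, -1 = could not tell. */
int own_stack_is_executable(void)
{
    static char text[1 << 16];
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return -1;
    size_t n = fread(text, 1, sizeof text - 1, f);
    fclose(f);
    text[n] = '\0';
    int bits = mapping_perms(text, "[stack]");
    return bits == PERM_NOT_FOUND ? -1 : (bits & PERM_EXEC) != 0;
}
int main(void) { printf("own stack executable: %d\n", own_stack_is_executable()); return 0; }
```

On a current Linux build the stack mapping shows "rw-p", so the check returns 0; a binary linked with an executable stack (or a platform without NX enforcement, as the 2009 Mac in the quote) would show "rwxp" and return 1.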