Slashdot Mirror

← Back to Stories (view on slashdot.org)

First Pwn2Own 2009 Contest Winners Emerge

Posted by timothy on from the good-work-if-you-can-get-it dept.

mellowdonkey writes "Last year's CanSecWest hacking contest winner, Charlie Miller, does it again this year in the 2009 Pwn2Own contest. Charlie was the first to compromise Safari this year to win a brand spankin new Macbook. Nils, the other winner, was able to use three separate zero day exploits to whack IE8, Firefox, and Safari as well. Full detail and pictures are available from the sponsor, TippingPoint, who acquired all of the exploits through their Zero Day Initiative program."

7 of 98 comments (clear)

  1. Re:WTF ? by JB19000 · · Score: 3, Informative

    Nonsense, all exploits used at these have already been know to at least the competitor. Afterwords they are submitted to the developers. This competition is used to give recognition to security researchers and improve browsers not to prove anything about a certain program.

  2. Re:Let me be the first to say by moderatorrater · · Score: 4, Informative

    Actually, if I'm remembering correctly, Charlie Miller DID say that he knew of more ways to crack into a mac. He also said that Mac was just as insecure as Windows and that Windows gets attacked mainly because of the number of people using it.

  3. ScoreAfter Day 1 (for the TL;DR crowd) by Deathlizard · · Score: 4, Informative

    Browsers
    Chrome: 0
    IE8: 1
    Firefox: 1(1)*
    Safari: 2(1)*

    Mobile Browsers
    Blackberry: 0
    Android: 0
    iPhone: 0
    Nokia/Symbian: 0
    Windows Mobile: 0

    *Numbers in parenthesis indicate Successful exploits that fell outside the contest criteria and therefore could not be rewarded.

    --
    In Soviet Russia, Trojan exploits YOU!
  4. Re:Let me be the first to say by Laser_iCE · · Score: 4, Informative

    Nevermind,

    Mac easiest to hack, says $10,000 winner

  5. Re:Let me be the first to say by tonywong · · Score: 5, Informative

    Since no one has placed what 'owned' means, here's the rules from the canwest site:

    2009-03-18-01:00:00 PWN2OWN Final Rules

    Well after much discussion and deliberation here is the final cut at scenarios for the PWN2OWN competitions.

    Browsers and Associated Test PAltform

    Vaio - Windows 7

            * IE8
            * Firefox
            * Chrome

    Macintosh

            * Safari
            * Firefox

    Day 1: Default install no additional plugins. User goes to link.
    Day 2: flash, java, .net, quicktime. User goes to link.
    Day 3: popular apps such as acrobat reader ... User goes to link

    What is owned? - code execution within context of application

    =====

    I'm presuming that code execution is the first step towards owning the whole box, which may or may not be trivial once you got code execution happening within the app.

  6. Re:Or, ... by BZ · · Score: 3, Informative

    > The respective companies should offer a running bounty on exploits on their browsers.

    You mean like http://www.mozilla.org/security/bug-bounty.html ?

    The problem is that browser exploits sell for about $10,000 at the moment (that's how much various "security" companies will pay for them). The bug bounty above is $500...

  7. Re:Hmmm.... by makomk · · Score: 3, Informative

    No, it was via Safari's very outdated internal copy (probably even a fork, from what I recall) of the pcre regex library. I think the equivalent bug had been fixed in the upstream library ages before.