Slashdot Mirror


First Pwn2Own 2009 Contest Winners Emerge

mellowdonkey writes "Last year's CanSecWest hacking contest winner, Charlie Miller, does it again this year in the 2009 Pwn2Own contest. Charlie was the first to compromise Safari this year to win a brand spankin new Macbook. Nils, the other winner, was able to use three separate zero day exploits to whack IE8, Firefox, and Safari as well. Full detail and pictures are available from the sponsor, TippingPoint, who acquired all of the exploits through their Zero Day Initiative program."

25 of 98 comments

  1. Let me be the first to say by Jurily · · Score: 3, Insightful

    Nils, the other winner, was able to use three separate zero day exploits to whack IE8, Firefox, and Safari as well.

    Wow.

    1. Re:Let me be the first to say by moderatorrater · · Score: 4, Informative

      Actually, if I'm remembering correctly, Charlie Miller DID say that he knew of more ways to crack into a mac. He also said that Mac was just as insecure as Windows and that Windows gets attacked mainly because of the number of people using it.

    2. Re:Let me be the first to say by Laser_iCE · · Score: 4, Informative
    3. Re:Let me be the first to say by tonywong · · Score: 5, Informative

      Since no one has posted what 'owned' means, here are the rules from the CanSecWest site:

      2009-03-18-01:00:00 PWN2OWN Final Rules

      Well after much discussion and deliberation here is the final cut at scenarios for the PWN2OWN competitions.

      Browsers and Associated Test Platform

      Vaio - Windows 7

              * IE8
              * Firefox
              * Chrome

      Macintosh

              * Safari
              * Firefox

      Day 1: Default install no additional plugins. User goes to link.
      Day 2: flash, java, .net, quicktime. User goes to link.
      Day 3: popular apps such as acrobat reader ... User goes to link

      What is owned? - code execution within context of application

      =====

      I'm presuming that code execution is the first step towards owning the whole box, which may or may not be trivial once you've got code execution happening within the app.

    4. Re:Let me be the first to say by drsmithy · · Score: 4, Funny

      Actually, if I'm remembering correctly, Charlie Miller DID say that he knew of more ways to crack into a mac. He also said that Mac was just as insecure as Windows and that Windows gets attacked mainly because of the number of people using it.

      BURN HIM ! BURN THE HERETIC !

  2. Let me be the second to say by Anonymous Coward · · Score: 3, Funny

    Nils, the other winner, was able to use three separate zero day exploits to whack IE8, Firefox, and Safari as well.

    Wow.

    Wow.

  3. Re:Hmmm.... by Anonymous Coward · · Score: 5, Funny

    But Safari was created by the Gods at Apple....

  4. Re:WTF ? by CannonballHead · · Score: 3, Insightful

    Or both.

  5. Re:WTF ? by JB19000 · · Score: 3, Informative

    Nonsense, all exploits used at these have already been known to at least the competitor. Afterwards they are submitted to the developers. This competition is used to give recognition to security researchers and improve browsers, not to prove anything about a certain program.

  6. Re:WTF ? by JumpDrive · · Score: 3, Insightful

    I think that something is very wrong with the security features of these apps or the OS on which they were run.
    I'd like to see a browser stabilized so that more work can be done on the security. I always wonder, how can they make a secure browser if they are constantly adding features to it?
    What else do we need for a browser to do?
    I'm serious, what else do we really need a browser to do? Can we stop for a while and work on making one more secure?

  7. Re:WTF ? by doas777 · · Score: 3, Insightful

    It seems to me to be an indication that we are pushing new functionality before the basis upon which it functions is mature enough to be safely reviewed. The complexity of a given computing environment is increasing at an approximately exponential rate, so there is more and more that needs to be tested and vetted every day.
    There are just some things that we need to accept aren't safe yet. As much as I like active web pages like this one, the problems with CGI and JavaScript persist even today, despite a decade+ of review and testing. I find online banking and driver's license registration very convenient, but at the same time, I firmly believe that there is no way to be safe when performing fiscal transactions online. Don't get me wrong, I use these services, but I wish the chaotic computing environment would slow down a bit so we can catch up with the security problems of last year before facing next year's.

  8. Or, ... by reiisi · · Score: 3, Insightful

    Once or twice meant something, but now it's an institution.

    Meaning that somebody is going to try to make a career of breaking the easiest part of the system at this contest.

    Meaning that these guys are going to sit on their exploits.

    Meaning that this contest, running at a set time once a year, is now meaningless.

    Except for advertising potential. You know, keeping your product name in the headlines.

    The respective companies should offer a running bounty on exploits on their browsers. Yeah, that would spoil all the pageantry of Pwn2Own, but do we really need another pageant?

    --
    Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
    1. Re:Or, ... by Nazlfrag · · Score: 3, Insightful

      They change the rules and targets each year. Nobody will sit on an exploit all year because there's no way to know what to hang on to, or whether the hole will still be there in a month, let alone a year. It's used to promote the Zero Day Initiative which pays you directly for exploits, no fancy contest needed. The contest serves its purpose perfectly. It's never been a meaningful way to stop exploits anyway, just a promotional vehicle for the conference and the respective companies. Nobody's going to make a career out of this competition. If they were good enough to do that, they could make a comfortable living from the ZDI.

    2. Re:Or, ... by BZ · · Score: 3, Informative

      > The respective companies should offer a running bounty on exploits on their browsers.

      You mean like http://www.mozilla.org/security/bug-bounty.html ?

      The problem is that browser exploits sell for about $10,000 at the moment (that's how much various "security" companies will pay for them). The bug bounty above is $500...

    3. Re:Or, ... by pyrrhonist · · Score: 3, Insightful

      Nobody will sit on an exploit all year because there's no way to know what to hang on to, or whether the hole will still be there in a month, let alone a year.

      That's exactly what happened this year:

      I actually found this bug before last year's Pwn2Own but, at the time, it was harder to exploit. I came to CanSecWest last year with two bugs but only one exploit. Last year, you could only win once so I saved the second bug. Turns out, it was still there this year so I wrote another exploit and used it this year.

      --
      Show me on the doll where his noodly appendage touched you.
    4. Re:Or, ... by Fred_A · · Score: 4, Insightful

      That's exactly what happened this year:

      I actually found this bug before last year's Pwn2Own but, at the time, it was harder to exploit. I came to CanSecWest last year with two bugs but only one exploit. Last year, you could only win once so I saved the second bug. Turns out, it was still there this year so I wrote another exploit and used it this year.

      So in a way what this event did is help keep a known vulnerability open for a year longer than it should have been. Which means that there is a fair chance that in the meantime somebody else might have found and used it in the wild.

      Brilliant.

      --

      May contain traces of nut.
      Made from the freshest electrons.
  9. ScoreAfter Day 1 (for the TL;DR crowd) by Deathlizard · · Score: 4, Informative

    Browsers
    Chrome: 0
    IE8: 1
    Firefox: 1(1)*
    Safari: 2(1)*

    Mobile Browsers
    Blackberry: 0
    Android: 0
    iPhone: 0
    Nokia/Symbian: 0
    Windows Mobile: 0

    *Numbers in parenthesis indicate Successful exploits that fell outside the contest criteria and therefore could not be rewarded.

    1. Re:ScoreAfter Day 1 (for the TL;DR crowd) by Slashdot+Suxxors · · Score: 3, Interesting

      Has nobody tried "hacking" the mobile devices? You'd think with all the BBs/iPhones/WM and Symbian devices out there, there would be a market for exploiting them.

  10. Re:Hmmm.... by ijakings · · Score: 5, Funny

    Firefox Three for the Elven-kings under the sky,
    IE Seven for the Dwarf-lords in their halls of stone,
    Netscape Nine for Mortal Men doomed to die,
    One Safari for the Dark Lord on his dark throne
    In the Land of Apple where the Shadows lie.
    One Browser to rule them all, One Browser to find them,
    One Browser to bring them all and in the darkness bind them
    In the Land of Apple where the Shadows lie.

  11. Re:No details? by ld+a,b · · Score: 5, Interesting

    >"we had the user click a link and all hell broke loose"

    That is exactly what happened with Safari on MacOS, in seconds. I guess the others fell just as easily, but with a bit cruder exploits.

    We don't get to know the details because vendors get to fix the hole before anything is published, which is long after all of us have forgotten about the contest.

    What really is misleading is that Windows 7 and MacOS are implied pwned when it appears that only the browsers were taken.

    With IE8 purportedly running in a "sandbox", breaking out of that was interesting by itself and hopefully a bit more difficult than just escalating privileges in MacOS.

    I miss Linux too. A hole in firefox means being just one local exploit away from pwning your box.

    --
    10 little-endian boys went out to dine, a big-endian carp ate one, and then there were -246.
  12. Re:Hmmm.... by RiotingPacifist · · Score: 3, Insightful

    That's why it's time for Android-style security on the desktop: Firefox should ONLY be able to write to a downloads folder and its profile, OO should ONLY be able to read/write to disk, NO network access.

    --
    IranAir Flight 655 never forget!
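
The per-application confinement the comment above asks for can be expressed today with a mandatory access control profile. The following AppArmor profile is an added illustration, not part of the post and not a profile shipped by Mozilla or any distribution: it lets Firefox write only to its profile directory and a downloads folder, and everything it does not list falls under AppArmor's default deny. The binary path, the profile directory and the abstraction names are assumptions for a typical Linux install.

```apparmor
#include <tunables/global>

# Added example, not a shipped profile. The binary path is assumed; adjust for the distro.
/usr/lib/firefox/firefox {
  #include <abstractions/base>
  #include <abstractions/fonts>
  #include <abstractions/X>

  # The browser's own install tree is read-only; the main binary runs under this profile.
  /usr/lib/firefox/** r,
  /usr/lib/firefox/firefox ix,

  # A browser needs the network: stream sockets for HTTP, datagram sockets for DNS.
  network inet stream,
  network inet6 stream,
  network inet dgram,
  network inet6 dgram,

  # The only writable locations: the profile (assumed directory) and Downloads,
  # and only files owned by the user running the browser.
  owner @{HOME}/.mozilla/firefox/** rwk,
  owner @{HOME}/Downloads/** rw,

  # Nothing else under $HOME is listed, so the default deny covers it: a
  # compromised renderer cannot read ~/.ssh or drop a file anywhere else.
}
```

Load it with `apparmor_parser -r` on the profile file and run it in complain mode first (`aa-complain`) so the denials show up in the audit log before enforcing; real installs will need a few more read rules (locale data, certificate stores) that the log will reveal. The comment's rule for the office suite, read/write to disk but no network, is the same shape of profile with the `network` lines left out. Note that this confines the browser process, not the rest of the box, which is the distinction ld+a,b draws below between owning the browser and owning the OS.
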
  13. Re:No linux? by RiotingPacifist · · Score: 3, Insightful

    firefox is firefox, it runs on linux, it can be exploited on linux. NOSCRIPT FTW

    --
    IranAir Flight 655 never forget!
  14. Re:Sensored? by 93+Escort+Wagon · · Score: 4, Funny

    Is it just me, or does it look like they censored Nils' zipper when he was showing off his winnings?

    I have no idea - but why were you looking down there in the first place?

    --
    #DeleteChrome
  15. What details...? by argent · · Score: 3, Interesting

    Full detail and pictures are available from the sponsor, TippingPoint, who acquired all of the exploits through their Zero Day Initiative program.

    I see no details here.

  16. Re:Hmmm.... by makomk · · Score: 3, Informative

    No, it was via Safari's very outdated internal copy (probably even a fork, from what I recall) of the pcre regex library. I think the equivalent bug had been fixed in the upstream library ages before.