Slashdot Mirror


IE8, Safari, iPhone All Fall At Pwn2Own Contest

SpuriousLogic writes "The annual Pwn2Own contest at CanSecWest is underway, and on the first day Web browsers fell to attack. Internet Explorer 8 and Firefox 3.6.2 on 64-bit Windows 7 and Safari on OS X all were forced to run exploit code. To add insult to injury, an iPhone was cracked and the SMS database lifted from it." Updated 22:40 GMT by timothy: CWmike adds this interesting bit: "The only researcher to three-peat at the Pwn2Own hacking contest said on Thursday that security is such a 'broken record' that he won't hand over 20 vulnerabilities he's found in Apple's, Adobe's and Microsoft's software. Instead Charlie Miller will show the vendors how to find the bugs themselves."

11 of 223 comments

  1. Title misleading? by Anonymous Coward · · Score: 5, Insightful

    Title misleading maybe... just a bit? Firefox got owned as well.

    1. Re:Title misleading? by Anonymous Coward · · Score: 4, Insightful

      Mod parent up. We all love Firefox and all, but seriously, it deserves as much shame as all the other failed browsers. Submitter biased much?

    2. Re:Title misleading? by poetmatt · · Score: 4, Insightful

      What are you doing exactly that Firefox crashes? Other than JInitiator problems, there's almost nothing that can do so.

      Your lack of information makes me skeptical of vying for Firefox instability. In fact, it sounds downright misleading. This is like saying "My car stalls sometimes". The answer is, sure, it does, but what are you doing to cause it? Firefox doesn't just "Crash on its own" and neither does any browser.

      Likewise, the same basically applies to Safari, IE8, etc. As much as all browsers have security risks, their instabilities mostly don't exist.

  2. Well ... by WrongSizeGlass · · Score: 5, Insightful

    ... these guys (and gals?) all know what they are going to try before they ever get to this contest. It's not like they discover all these vulnerabilities during some epiphany once they arrive.

    On the other hand, these security holes are real and need to be addressed by anyone and everyone that was shamed (this means MS, Apple, Mozilla, everyone) pronto!

  3. So 64-bit ASLR on Windows is flawed as well... by dingen · · Score: 4, Insightful

    It was already known and acknowledged by Microsoft that their ASLR implementation on 32-bit Windows was rather weak, but apparently the 64-bit version of it can be bypassed as well, as all of the hacks of pwn2own on Windows 7 made use of return-to-libc attacks, which should be impossible on systems with address space layout randomization.

    --
    Pretty good is actually pretty bad.
  4. Misleading; no credibility by carlhaagen · · Score: 5, Insightful

    The exploits were of course not found in the 5, 10 or 15 minutes advertised. They were all worked on for weeks, and even months, and were well-tested and prepared before being executed at the contest like a rehearsed stage play. Also worth noting is that the reason behind "Chrome only browser that withstood security breach" was that NO ONE TESTED CHROME AT ALL. I give this particular "Pwn2Own" show no credibility whatsoever because of these details.

  5. On the other hand... by Tetsujin · · Score: 4, Insightful

    the very fact that these people know what to do beforehand is proof that app security is generally terrible.

    Well, I think you have a very good point there - but on the other hand, the developers do have to prioritize the work they do. Finding and fixing a serious, but hard-to-discover security flaw before this flaw has become widely disseminated may not be worth the effort. In principle "security through obscurity" isn't a good policy but in practice it's often good enough. If the software has a serious flaw but nobody knows about it, that's good enough, at least temporarily.

    --
    Bow-ties are cool.
    1. Re:On the other hand... by Tetsujin · · Score: 4, Insightful

      Nice, you've just contradicted every security researcher over the last however many years. Congratulations on coming across as a fool.

      Dude, we disagree. It happens. You don't need to be a douche about it.

      Software Engineering is an engineering discipline. That means the principles according to which the product should work are always tempered by the reality of how the work must be conducted. What good is it, for instance, if you have the most secure browser of them all, if nobody uses it? That's an extreme case, of course, in which security concerns are so heavily emphasized that they would compromise some other essential concern (for instance, it could fuck up the release schedule, interfere with work being done to make the software run quickly, or take development resources away from the challenge of trying to make the browser more appealing to its audience...) Obviously there are other intermediate outcomes possible. But generally speaking one can't aim for perfection. If you set out to make something perfect, it never gets done, because it's never perfect. Obviously the bugs should be fixed... But finding and fixing a security flaw before an exploit has made its way into the wild is not necessarily the best use of development resources. It depends on the situation, really.

      --
      Bow-ties are cool.
  6. Re:Misleading; no credibility by Elwood+P+Dowd · · Score: 4, Insightful

    Isn't your point about Chrome invalidated by your point about the time taken?

    Did no one attack Chrome because none of these researchers had an exploit that would work against it?

    --

    There are no trails. There are no trees out here.
  7. Re:Misleading; no credibility by Bill_the_Engineer · · Score: 4, Insightful

    I give this particular "Pwn2Own" show no credibility whatsoever because of these details.

    I believe what you really meant to say was that we shouldn't fall into the trap of believing that Chrome is actually safer due to the fact that no one really targeted it in this contest.

    I've done my share of "Digital Combat Exercises" and you are correct that we should only view the contest as a verification that flaws exist, and not as a certification that a particular platform is safe.

    For my first competition, my team concentrated on all the Windows machines on the network because we had a list of known exploits and figured that we could exploit them the quickest and therefore accumulate the highest score possible within the time limits. All teams used the same strategy, and the Linux machines weren't even targeted. This wasn't because Linux was safer, it was because we all knew Windows was a softer target. This made for some very close final scores.

    For the following year's contest (which I couldn't participate in due to a schedule conflict), my old team paid attention to the known exploits for Linux and started targeting them to guarantee a larger lead going into the final minutes of the contest.

    I think you'll see this pattern in all "hacker" contests. Each year more platforms will fall as each team strategizes on what will give them the edge during the time allotted. You'll probably see Chrome fall next year. Look at Safari in Pwn2Own, it wasn't until 2 years ago before people started to seriously attack it for the points.

    --
    These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
  8. Re:They had no choice, Slashdot headlines are shor by quadelirus · · Score: 4, Insightful

    How about:

    IE8, Safari, FF, iPhone All Fall At Pwn2Own

    It has fewer characters.

    Or, focus on one area: IE8, Safari, Firefox all Fall At Pwn2Own

    And they didn't bother to mention Firefox in the description either, which clearly had enough space to include the word "Firefox."