Pwn2Own 2012 Set To Reveal More Browser Vulnerabilities Than In the Past

← Back to Stories (view on slashdot.org)

Pwn2Own 2012 Set To Reveal More Browser Vulnerabilities Than In the Past

Posted by Soulskill on Monday January 23, 2012 @07:24PM from the quality-over-quantity-but-quantity-is-good-too dept.

darthcamaro writes "In any given year, Slashdot always has stories about how a researcher hacked a browser in only a few minutes at the Pwn2own hacking challenge. This year the rules are a bit different, and instead of hackers winning for just one vulnerability, the rules allow for multiple vulnerabilities to be presented. The winner isn't the first one to hack a browser, but is the one that can hack the browser the most. 'In the past, due to the way the competition was architected, we had lots of sensationalist headlines, things like "Mac hacked in three seconds,"' said Aaron Portnoy, Manager of the Security Research Team at HP TippingPoint. 'We don't think that type of sensationalism was representative of all the research that was going on.'"

57 comments

Min score:

Reason:

Sort:

Actually an extremely good point by Riceballsan · 2012-01-23 19:30 · Score: 4, Insightful

The time is pretty irelevant. I mean it isn't like the hackers hadn't seen the OS's or browsers before they set foot on the floor and were going blind. That is like giving someone a sudoku puzzle a month in advance, having him do it from memory and claiming that this guy is so smart he can solve the sudoku puzzle in 30 seconds.
1. Re:Actually an extremely good point by Anonymous Coward · 2012-01-23 19:43 · Score: 0
  
  Well, see, the point is that he's able to solve the sudoku at all.
2. Re:Actually an extremely good point by Riceballsan · 2012-01-23 19:47 · Score: 3, Insightful
  
  Right, but solving it in an hour or solving it in 30 seconds makes no difference. When the goal of the tournament is who can solve it fastest, it doesn't prove he is any better then the other competitors when the contest ends after the first person solves it
3. Re:Actually an extremely good point by mikael_j · 2012-01-23 20:22 · Score: 3, Insightful
  
  It gets even more ridiculous when the Apple or Microsoft brand sudoku puzzle is the first one scheduled to be solved and everyone screams about how this is proof that those puzzles are easier to solve than the Mozilla or Google brand puzzles.
  And yeah, this has happened in previous years, Safari scheduled to be attacked first so the media and anti-Apple people online scream about how Safari is the least secure browser because it was broken "first" (even though if you look at the event schedule this obviously happened because the demonstrations of the browsers were all scheduled at different times with it simply being the first target as opposed to all browsers being attacked simultaneously).
  
  --
  Greylisting is to SMTP as NAT is to IPv4
4. Re:Actually an extremely good point by mjwx · 2012-01-23 20:36 · Score: 4, Interesting
  
  And yeah, this has happened in previous years, Safari scheduled to be attacked first so the media and anti-Apple people online scream about how Safari is the least secure browser because it was broken "first"
  I dont suppose that you've considered that Safari gets broken first and fastest because there are a lot of undiscovered exploits, due largely to the fact that no-one targets safari as a browser due to low usage. Pwn2Own requires an entirely new exploit (otherwise I'm sure IE would be down in a number of nanoseconds)
  
  BTW, Safari was not simply broken first, it was broken fastest, this is important as you pointed out the demonstrations took place at different times.
  
  IE, Chrome and Firefox all have larger user bases, it stands to reason that they will have fewer undiscovered exploits then Safari because they are targeted more often.
  
  --
  Calling someone a "hater" only means you can not rationally rebut their argument.
5. Re:Actually an extremely good point by Anonymous Coward · 2012-01-23 20:55 · Score: 0, Informative
  
  The time is pretty irelevant. I mean it isn't like the hackers hadn't seen the OS's or browsers before they set foot on the floor and were going blind. That is like giving someone a sudoku puzzle a month in advance, having him do it from memory and claiming that this guy is so smart he can solve the sudoku puzzle in 30 seconds.
  Actually everything is scripted, so all they have to do is launch the executable.
  Still my bet is on Internet Explorer to lose again, badly.
6. Re:Actually an extremely good point by Anonymous Coward · 2012-01-23 21:02 · Score: 5, Interesting
  
  Safari scheduled to be attacked first so the media and anti-Apple people online scream about how Safari is the least secure browser because it was broken "first"
  The schedule is not relevant, the Mac was hacked in the shortest amount of time which is why we say it was hacked "first".
  And what pissed all you fanboys off wasn't how fast it got hacked, but the statement by the hacker that he chose the Mac because "it was the easiest to compromise quickly".
  If Apple would stop its misleading marketing campaign, and if Apple's users would stop with the constant "Derp derp my Mac is 100% immune to any and all malicious activity of any kind" then we wouldn't laugh at your ass all the time.
7. Re:Actually an extremely good point by Anonymous Coward · 2012-01-23 21:40 · Score: 0
  
  The time is pretty irelevant. I mean it isn't like the hackers hadn't seen the OS's or browsers before they set foot on the floor and were going blind. That is like giving someone a sudoku puzzle a month in advance, having him do it from memory and claiming that this guy is so smart he can solve the sudoku puzzle in 30 seconds.
  Actually everything is scripted, so all they have to do is launch the executable.
  Still my bet is on Internet Explorer to lose again, badly.
  What do you mean by again? Safari has been hacked the quickest (not because scheduled first, but quickest, the last few years and if the time to hack are not of interest -- still the winner saying that Safari on OSX was the easiest platform to compromise should be of interest).
8. Re:Actually an extremely good point by GordonBX · 2012-01-23 21:49 · Score: 1
  
  And yet the prize for winning the contest ... a shiny new MacBook Air. Go figure.
9. Re:Actually an extremely good point by Anonymous Coward · 2012-01-23 22:18 · Score: 1
  
  And yet the prize for winning the contest ... a shiny new MacBook Air. Go figure.
  I love this argument. There was a 15k$ cash price to the winner in addition to the laptop. So you are claiming that the MacBook Air is so shiny that they would risk the 15k$ casch price by not going after the easiest target just to get it. RDF indeed.
10. Re:Actually an extremely good point by mikael_j · 2012-01-23 23:18 · Score: 1
  
  And what pissed all you fanboys off wasn't how fast it got hacked, but the statement by the hacker that he chose the Mac because "it was the easiest to compromise quickly".
  Skip the ad hominems, will you?
  And most complaints were about the media blowing this out of proportion while leaving details out (I've seen lots of pwn2own reports in the media where it was basically stated "the first browser to get hacked was Apple's Safari raising concerns that blablabla..." with no mention of the fact that this was not a "everyone goes in blind and attacks the browser of their choice for the first time simultaneously" situation) and the anti-fanboys hollering about how this proved that everything Apple had ever done was inferior to everything else ever made.
  
  --
  Greylisting is to SMTP as NAT is to IPv4
11. Re:Actually an extremely good point by Anonymous Coward · 2012-01-23 23:44 · Score: 0
  
  If Apple would stop its misleading marketing campaign
  Citation?
12. Re:Actually an extremely good point by Anonymous Coward · 2012-01-23 23:44 · Score: 0
  
  Fanboys on both sides detract from the main point - there is no room for complacency in security. It doesn't matter if your browser and OS combination of choice are the most secure, security is still important. You should still take steps to ensure your security and the companies responsible should still be striving for added security. For that reason it's absolutely a good thing that traditionally what were seen as the most secure browsers got hacked and made the news. What good will it do with the new model where IE is flagged up as the worst browser? We all know that already, it will just encourage non-IE users to get complacent again.
13. Re:Actually an extremely good point by Anonymous Coward · 2012-01-24 00:00 · Score: 0
  
  Decided to RTFA, it says, for Safari on a Mac:
  
  Within five seconds of surfing to the rigged site, he successfully launched the calculator app and wrote a file on the disk without crashing the browser.
  For Windows:
  
  Using the target machine, he clicked on a link and immediately launched the calculator app (calc.exe).
  Maybe we're just fuzzing hairs, but five seconds and immediately could be seen as the same length of time (immediately sounds faster, but it's just the word of the guy doing the report).
14. Re:Actually an extremely good point by somersault · 2012-01-24 00:00 · Score: 4, Funny
  
  It does if he has a gun pointed to his head while getting a blow job.. man that was an awful film..
  
  --
  which is totally what she said
15. Re:Actually an extremely good point by Anonymous Coward · 2012-01-24 00:17 · Score: 1
  
  Just looking at the stories from last year, it does seem like the order played into it. One story about IE8's exploit last year says:
  
  The only other browser to fall Wednesday was Apple's Safari 5, which dropped to a team from French security company Vupen minutes before Fewer took his shot at IE8.
  And really, the "Apple Hacked First" headlines will always get more attention than "IE Hacked First", so it does make business sense to have that one scheduled first to ensure the most clickable story gets out.
16. Re:Actually an extremely good point by windcask · 2012-01-24 00:18 · Score: 1
  
  Maybe the best way to do this sort of thing would be to use a nightly build, then. This might close some vulns, open others, and leave others still alone. You wouldn't know until you started.
17. Re:Actually an extremely good point by RyuuzakiTetsuya · 2012-01-24 00:25 · Score: 1
  
  Well, not just that, but, past entries have done what, written a file to disk and executed something like the calculator?
  Big hairy deal. I'm not concerned until we see a mac drive by that also escalates to root.
  
  --
  Non impediti ratione cogitationus.
18. Re:Actually an extremely good point by drsmithy · 2012-01-24 00:42 · Score: 3, Insightful
  
  Shush, this is Slashdot. Marketshare and userbase are never factors.
19. Re:Actually an extremely good point by drsmithy · 2012-01-24 00:44 · Score: 2
  
  Big hairy deal. I'm not concerned until we see a mac drive by that also escalates to root.
  Nothing on my computer I care about, needs root privileges to access.
20. Re:Actually an extremely good point by Anonymous Coward · 2012-01-24 00:57 · Score: 0
  
  Seeing as how finding a vulnerability and a stable exploit which uses said vulnerability takes these teams upwards of two weeks, that'd be a fairly boring contest where nothing happens, no free advertising for CanSecWest plastered over the internet, etc. :)
21. Re:Actually an extremely good point by thue · 2012-01-24 01:19 · Score: 1
  
  If the exploit works by the user viewing a web page, an exploit which requires the user to view the web page for 3 seconds is significantly more powerful than an exploit which requires the user to view the web page for an hour.
  I know that the exploits are more proff of concept, and that the hour long exploit may (or may not) be capable of running faster. But time to exploit is still not totally irrellevant.
22. Re:Actually an extremely good point by FranktehReaver · 2012-01-24 01:22 · Score: 1
  
  That and the MacBook line up has a higher retail cost and looks better on paper saying they won a more expensive laptop.
23. Re:Actually an extremely good point by Dinghy · 2012-01-24 03:27 · Score: 1
  
  Pwn2Own requires an entirely new exploit (otherwise I'm sure IE would be down in a number of nanoseconds)
  Actually that's one of the changes, they no longer require a zero day:
  
  In a new twist, Pwn2Own 2012 will also be taking aim at known vulnerabilities. These are browser issues that were disclosed at some point in the past year, but do not yet have a public exploit. The researchers will need to actually exploit the given vulnerability in order to score additional points.
  So if an vulnerability exists but has not been shown to be exploitable, if you can show that it is, you get points.
24. Re:Actually an extremely good point by morgauxo · 2012-01-24 03:47 · Score: 1
  
  Hey I'll take one of those! Sounds like a good hardware platform to run Linux on to me!
25. Re:Actually an extremely good point by guruevi · 2012-01-24 03:48 · Score: 1
  
  Safari is still based on WebKit which also runs Chrome, Konqueror, Android and a host of other commercial and open source browsers.
  
  --
  Custom electronics and digital signage for your business: www.evcircuits.com
26. Re:Actually an extremely good point by morgauxo · 2012-01-24 03:50 · Score: 1
  
  That's still a pretty big deal. If you can get that far you can probably compromise an individual user's data. Even if not you could probably at least start a browser pointed to some shock site. That could be a pretty big deal on a workplace or school computer.
27. Re:Actually an extremely good point by tlhIngan · 2012-01-24 04:45 · Score: 3, Interesting
  
  I dont suppose that you've considered that Safari gets broken first and fastest because there are a lot of undiscovered exploits, due largely to the fact that no-one targets safari as a browser due to low usage. Pwn2Own requires an entirely new exploit (otherwise I'm sure IE would be down in a number of nanoseconds)
  
  Possible, but given it's Pwn2Own, the machine you "pwned" is the machine you win.
  And given in the past you had a choice of Macbook Pro (OS X), a Sony Vaio (Windows) and sometihng else (for Linux), and had the ability to choose what computer you wanted, what would you go for?
  Most would go for the Macbook purely because it's a nice decent machine that happens to look and function great (and runs Windows and Linux). If I had a series of exploits that worked on all three platforms, I'd go after the Mac first just to win that over a Sony. Then I'd go for the Sony next (if it wasn't for the crapware, at least they're nice looking machines).
  Once that was won, people concentrated on the next machine that was second on their list, etc. Smart contestants go after the computer no one is breaking in as they have a greater chance of winning a free computer.
  And despite the /. crowd chanting "FUNCTION FIRST, not form", most people seem to consistently go for the Macs.
  Given the machines are all around the same value, perhaps a fairer comparison would be if everyone of them was a Macbook Pro or so, running the OS of choice (after all, Windows and Linux run great on a Macbook Pro - I know Ubuntu has a EFI installer that boots natively).
28. Re:Actually an extremely good point by _0xd0ad · 2012-01-24 05:34 · Score: 1
  
  you had a choice of Macbook Pro (OS X), a Sony Vaio (Windows) and sometihng else (for Linux) ...
  And despite the /. crowd chanting "FUNCTION FIRST, not form", most people seem to consistently go for the Macs.
  And despite what most people seem to consistently do, last time I blew a tidy sum on a laptop, I bought a Sony Vaio.
  As you said... nice machine, after the crapware was cleaned up a bit.
29. Re:Actually an extremely good point by Anonymous Coward · 2012-01-24 08:01 · Score: 0
  
  time is very relevant
  it's the difference between a stranger sitting around you for an extended period of time versus someone simply walking past you
  and so what if they had seen the OS and browsers beforehand
  guess what? it's what most people actually use
30. Re:Actually an extremely good point by Anonymous Coward · 2012-01-24 08:08 · Score: 0
  
  Ofcource.. people want the macbook pro because its easiest to exploit.. err.. no..wait.. they want to exploit the macbook pro first because its hard to get.. err no wait.
  Oops.. did I say that these security consultants who earn hundreds of thousands of dollars from their consulting are desperate for a laptop? Wait.. ofcource they are ! Thats why they're in this competition. They're hard up for cash ! They want a macbook !
31. Re:Actually an extremely good point by Anonymous Coward · 2012-01-24 08:13 · Score: 0
  
  Why would they go to best buy? Everytime I enter an apple store there are countless people bringing in their broken apple products at the "genius" bar because they are just as shitty as the rest.
  OSX marketting has succeeded in telling people that the ability to run fewer games fewer apps and connecting to fewer devices should costs higher than the alternatives.
  Its quite interesting actually. Ofcource not all people are that stupid... but it aligns well with general statistics. 10% of the population could be just that stupid.
32. Re:Actually an extremely good point by EdIII · 2012-01-24 09:43 · Score: 1
  
  It may have been an awful film from a technical perspective... but that was one hell of an interview process.
33. Re:Actually an extremely good point by Anonymous Coward · 2012-01-24 11:27 · Score: 0
  
  ... it's called iTunes.
34. Re:Actually an extremely good point by RyuuzakiTetsuya · 2012-01-25 03:02 · Score: 1
  
  I'd go after the Mac first just to win that over a Sony.
  
  Living the dream. Owning apple and sony products with out giving them a single dime!
  
  --
  Non impediti ratione cogitationus.
Also helps with vulnerability hoarding by slimjim8094 · 2012-01-23 19:36 · Score: 5, Informative

I heard that it's been the case before that discovered vulnerabilities would be kept secret so that they could be used across multiple years. This changes the incentive to reward whoever's found the most, which is what the point was all along - exposing as many vulnerabilities as possible.

--
I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
1. Re:Also helps with vulnerability hoarding by robbak · 2012-01-23 20:11 · Score: 3, Interesting
  
  As well, all contestants should reveal all techniques they intend to use a part of their application. All these reports would be provided to the vendors after the competition.
  
  --
  Prediction for end of Universe #42: Fencepost error in Quantum_bogosort.cpp
2. Re:Also helps with vulnerability hoarding by Anonymous Coward · 2012-01-23 23:10 · Score: 0
  
  I don't think you've thought that through.
  You want to build a list of competition winning techniques well in advance of the event that concerns quite a large group of very skilled hackers.
3. Re:Also helps with vulnerability hoarding by Krneki · 2012-01-24 02:49 · Score: 1
  
  As well, all contestants should reveal all techniques they intend to use a part of their application. All these reports would be provided to the vendors after the competition.
  No-go, this exploits are worth a shit load of money on the black market. Unless you are willing to pay for the discovery all you will achieve is to push this people back in the underground and while you don't know how they work, at least you know they are out there.
  
  --
  Love many, trust a few, do harm to none.
My plan by Anonymous Coward · 2012-01-23 19:42 · Score: 2, Funny

1. Hack the browser once using a single vulnerability.
2. Install lots of new vulnerabilities on the compromised machine.
3. Win the contest by exploiting each of those vulnerabilities.
4. PROFIT!!!
1. Re:My plan by The+MAZZTer · 2012-01-24 01:01 · Score: 1
  
  That type of vulnerability is called "It rather involved being on the other side of this airtight hatchway".
Keep the faith! by Anonymous Coward · 2012-01-23 21:47 · Score: 0

Man, remember Aaron Portnoy? That guy complained a lot!
Linux refused for browser testing? by microphage · 2012-01-24 00:34 · Score: 1

"Its sad that they nowadays refuse Linux as a platform for browser testing. I can agree its pretty boring to have one platform that wont be broken so easily, but its a good benchmark against Windows and its abundance of security issues".

Where does it say you can't use Linux for browser testing?
The only targets are OS X Lion or Windows 7 by Sits · 2012-01-24 01:50 · Score: 3, Interesting

Where does it say you can't use Linux for browser testing?
From the rules page:

The targets will be running on the latest, fully patched version of either Windows 7 or Lion.
Back in 2008, Linux was a available as a target in Pwn2Own but in an interview Aaron Portnoy of TippingPoint explained that Linux is now not included in Pwn2Own to avoid controversy.
Re:The security of all browsers needs to be looked by g0bshiTe · 2012-01-24 02:02 · Score: 1

All browsers are insecure. IE beats out Firefox in some aspects as does Firefox beat IE, same with Opera and Safari. I love my Firefox. I think it just comes down to preference. I also used to be one of those that claimed Firefox was the most secure browser, until I found out it wasn't.

--
I am Bennett Haselton! I am Bennett Haselton!
Sensationalist headlines by Idbar · 2012-01-24 02:11 · Score: 1

This its great, so now slashdot won't have sensationalist headlines saying they hacked a browser in X seconds! They will have headlines saying a browser was hacked N times! There will be no sensationalism for sure!
Re:The security of all browsers needs to be looked by Anonymous Coward · 2012-01-24 02:24 · Score: 1

Truth be told, Firefox was not hacked last year. Jus' sayin'.
No longer Linux by devent · 2012-01-24 02:35 · Score: 1

Since they no longer do it with Linux, who cares. Could it be that 2008 Firefox on Ubuntu was un-hacked? It's not good advertisement if a open source system can't be hacked, while the two commercial systems are hacked in seconds?

--
http://www.mueller-public.de - My site http://www.anr-institute.com/ - Advanced Natural Research Institute
1. Re:No longer Linux by Krneki · 2012-01-24 02:57 · Score: 2
  
  Since they no longer do it with Linux, who cares. Could it be that 2008 Firefox on Ubuntu was un-hacked? It's not good advertisement if a open source system can't be hacked, while the two commercial systems are hacked in seconds?
  Last year neither firefox nor Chrome on Windows OS were hacked.
  
  --
  Love many, trust a few, do harm to none.
2. Re:No longer Linux by ledow · 2012-01-24 03:01 · Score: 1
  
  Mmm, that's odd, I have to agree.
  Especially given that both HP and Google are funding it, one of which probably has an interest in a non-open OS being trounced by an open one, and the other of which supports both types of OS on its hardware (and isn't really "competing" or "allied" with Apple in those terms either).
  Weird.
Re:The security of all browsers needs to be looked by Goaway · 2012-01-24 05:14 · Score: 1

Firefox is pretty much the least secure browser at this time.
Re:The security of all browsers needs to be looked by RebelWebmaster · 2012-01-24 09:46 · Score: 1

*Citation please.
Linux natively on Macs problematic by Sits · 2012-01-25 07:20 · Score: 1

Matthew Garrett recommends against (natively) running Linux on Macs and as he is one of the developers active on Linux EFI/UEFI related stuff that would be required to natively boot Linux on a Mac...