Slashdot Mirror


Pwn2Own 2016 Recap: Hackers Earn $460,000 For 21 Hacks (securityweek.com)

wiredmikey writes from an article on SecurityWeek: Pwn2Own 2016 has come to an end, with researchers earning a total of $460,000 in cash for disclosing 21 new vulnerabilities in Windows, OS X, Flash, Safari, Edge and Chrome. On the first day of the well-known hacking competition, contestants earned $282,500 for vulnerabilities in Safari, Flash Player, Chrome, Windows and OS X. On the second day, Tencent Security Team Sniper took the lead after demonstrating a successful root-level code execution exploit in Safari via a use-after-free flaw in Safari and an out-of-bounds issue in Mac OS X. The exploit earned them $40,000 and 10 Master of Pwn points. This year's contestants earned nearly $100,000 less for their exploits compared to Pwn2Own 2015, when researchers walked away with more than $550,000 for their exploits.

52 comments

  1. depressing by phantomfive · · Score: 3, Insightful

    This kind of stuff is depressing. You'd like to say, "Oh, the programmers are doing the best they can," but when you have an open bug list that looks like this, you can't possibly ensure that your code is secure, not even close. That kind of codebase is like a playground for hackers.

    --
    "First they came for the slanderers and i said nothing."
    1. Re: depressing by WarJolt · · Score: 1

      Isn't this the whole point behind the Rust effort? Programmers can't be trusted with writing correct code without a type system that forces you to think about correctness.

      Seriously, these bugs should be caught by the compiler.

        Many of these bugs can be found with static analysis of the object code. It should be even easier to find them in the compiler.

    2. Re:depressing by Anonymous Coward · · Score: 0

      No different for webkit open bugs, or Chromium.

    3. Re:depressing by Anonymous Coward · · Score: 0

      Over at Mozilla they seem to be all consumed with trying to turn Firefox into a Chrome clone. Security (and common sense) have apparently been relegated to the back seat for some time now. Certainly paying attention to customers has.

      What I find particularly disturbing about that actually small sampling of errors that you linked to, is how absolutely horribly maintained their buglists are. There are new and unconfirmed errors (a few of which sound like critical security issues based on the titles I see there) that date back a decade. At the very least, someone over there should assign a competent individual or two to start sifting through those lists and sorting them out.

      If a bug is real and can be reproduced then assign it.

      If it can't, then follow up with the submitter. Perhaps things have changed since 2008 when the bug was initially reported.

      If it's a security issue, get after it already.

      They could take some of those millions and millions of dollars they've been getting from Google (and now Yahoo) every month for all of these years and hire some people with both the know-how and the desire to fix their browser, instead of the dreamers they have working on the project now who clearly wished they were working for Google instead.

      Culture is an overused and misunderstood word, but it really matters in an organization, and Mozilla's culture sure feels toxic to those of us looking in from the outside, and an undermaintained buglist is just a minor symptom of that.

      Having said all that, it's still the browser I use, because the alternatives are all that much worse from a user perspective.

    4. Re:depressing by Burz · · Score: 1

      That's why you should only browse inside VMs (esp. an OS that makes all apps run inside VMs) ... preferably running on a tight, bare metal hypervisor.

      Browsers themselves are way too complex to ever secure them from within. They need to run in strong containment if you want to avoid a high level of risk.

    5. Re:depressing by phantomfive · · Score: 1

      Is there some kind of system that makes it easy to do that? Like a command line or something?

      --
      "First they came for the slanderers and i said nothing."
    6. Re: depressing by phantomfive · · Score: 1

      Yeah, you're right, and I'm interested in seeing how Rust turns out; it's a good project and I support it.
      However, I've seen enough security bugs in Java code to know that memory protection and array overflow checking isn't enough to stop security bugs. I don't think a strong type system is enough either.

      It's up to the programmers to improve their skill. They need to try to think of everything that can go wrong, instead of focusing on "getting it to work."

      --
      "First they came for the slanderers and i said nothing."
    7. Re:depressing by Burz · · Score: 1

      The OS I linked to (which I'm typing on now) shows your apps in the Launcher menu under each 'domain' or VM you've set up. For instance, I have an 'untrusted' VM and a 'personal' VM, as well as 'banking'. Each one of those has a Firefox entry in the launcher; each is completely isolated from the others (especially the VMs I set up with no network access).

      Qubes also has disposable VMs that you can use to quickly launch a browser, and the VM is destroyed when you close the browser.

      Finally, there is the privacy stuff related to Tor: You can have Tor-specific VMs that are isolated from the rest of the system.

    8. Re:depressing by KGIII · · Score: 1

      I've been playing with something called "firejail."

      Here's a handy link to check it out a bit:
      http://www.linux-magazine.com/...

      --
      "So long and thanks for all the fish."
    9. Re:depressing by phantomfive · · Score: 1

      nice, thanks

      --
      "First they came for the slanderers and i said nothing."
    10. Re:depressing by xvan · · Score: 1

      This is useless, all my important stuff is in some sort of cloud... There is nothing on my computer that could interest a random hacker, so why be all paranoid?

    11. Re:depressing by Anonymous Coward · · Score: 0

      This kind of stuff is depressing. You'd like to say, "Oh, the programmers are doing the best they can," but when you have an open bug list...you can't possibly ensure that your code is secure, not even close. That kind of codebase is like a playground for hackers.

      Mozilla gave you the software for free and you are free to use it or not at your own risk. We could have bug-free software that's provably correct, if only people wanted to pay for it. It would probably look something like the software for the master events controllers in the Space Shuttle and it would cost just about as much, which is to say billions of dollars. When small mistakes can be catastrophic and lives are on the line it can be worth paying that much, but for most everything else we accept some level of bugs in exchange for a reasonable price and delivery time instead.

    12. Re:depressing by Anonymous Coward · · Score: 0

      Are you serious? Stop uploading your life to mainframes.

    13. Re:depressing by Burz · · Score: 1

      You may want to think twice about relying on that:

      http://theinvisiblethings.blog...

      It's just one of very many examples of Linux security mechanisms failing ...and that was hardly even trying. Here is another reason why kernel security cannot protect you:

      http://theinvisiblethings.blog...

      "Jails" sounds impressive and strong, but it's still kernel-based and therefore built on sand. Kernels are great at supplying functional features -- and that's what Qubes uses them for -- but their complexity means their isolation mechanisms don't hold water.

    14. Re:depressing by KGIII · · Score: 1

      A few things...

      I'd no more rely on that than I would rely on anything else. Security is a process, not an application.
      You'll note the first one was patched and I'm thinking that SELinux isn't the same as firejail.
      I don't actually have an Intel NIC, at least not in this box. That's happenstance, not an objective.

      But, you're right. Don't rely on it. Absolutely not. If you're relying on one thing then you're damned stupid, regardless of what operating system you use. I'd like to think that I might be stupid but that I'm not damned stupid.

      --
      "So long and thanks for all the fish."
    15. Re:depressing by Burz · · Score: 1

      I don't rely on SELinux or Linux namespaces or anything else based on that stuff because they are ground up and packaged like a big block of bologna. The nature of the tools you choose is important, and large monolithic kernels are the last thing anyone should use for security.

    16. Re:depressing by KGIII · · Score: 1

      That sounds nice and looks good on paper but it's entirely unrealistic in the real world. Starting at the top, nothing will ever be secure. There are just degrees of security. There are goals and risks, what risks will you take to meet your goals? I've used several OSes with microkernel designs. I've used Qubes-OS, MINIX, and QNX. They're fine OSes if you want serious limitations. Until that's no longer a problem, they're entirely unrealistic options.

      Security is a process, not an application. If you can still accomplish your goals in a manner that you can accept and with a risk set that you're willing to accept then you should use whatever OS it is you prefer. I recommend making an informed choice about the benefits and negatives applicable with each. When Qubes-OS gets more hardware support, ability to compile more software easier, and a virtualization application such as VMWare, then I may consider it again. It is, currently, not a realistic option but I have hope for it in the future. I also like MINIX. Then again, I kind of like every OS I've ever come across. I've never found one I didn't like, just some that I didn't prefer. Well, at least not for a long time I haven't.

      --
      "So long and thanks for all the fish."
    17. Re:depressing by Burz · · Score: 1

      No OS should be a paragon of consumer convenience out of the box. That is the "realist" position of convenience taken by the industry for the past couple decades and it hasn't worked.

      I don't mind Qubes telling me there are some processes that won't work for risky behavior. The act of not thinking about /where/ workflows take place doesn't fly here... I always have to choose and that in itself is awesome.

      Qubes' biggest challenge is hardware support, but that is a factor of consumer attitudes as well. There are probably more suitable models available for it than for OSX, 3D access notwithstanding... it's the single most limiting issue (the kind that should be overcome).

    18. Re:depressing by KGIII · · Score: 1

      They might get there and be a more realistic option. Remember, they've changed the industry to reflect the needs of the many and that has resulted in aiming for the lowest common denominator. There's not a lot that can be done, with any immediacy, in that area. I suspect I dislike it as much as you - I'm big on personal responsibility and knowing how to use your tools if you're going to use them at all.

      I'm not a fan of the monolithic kernel architecture. I use it because it, its ecosystem more so than anything else, is my only realistic option - coupled with the nature of the beast in that I really don't have anything to worry about. I've no vast treasure troves of data that will ruin me if they are leaked. I do operate with least privilege routines, I do filter at the hardware level, I do check logs from hardware that is not under the control of the same operating system.

      In an effort to demonstrate that it can be done, I used a Windows system (several different OS versions) without running resident/active anti-malware. I practiced safe hex and operated accordingly. With heavy monitoring to ensure that this was true - I found zero evidence of any security incidents and no outbound traffic that could not be accounted for and permissions expressly granted, and knowingly granted. I did that for several years, actually. I would not recommend that for the faint of heart. I would not recommend that for the home user of norm. But, it was done and was a good learning experience.

      I've played with Qubes OS before. It intrigues me and I like their goal. I suspect you're reading into me something that I am not. That something that I am not is a zealot. I'm a pragmatist. You, on the other hand, are starting to come off as a zealot. That may or may not be true. That may or may not be a problem for you. That may or may not be your intent.

      I do not, largely, disagree with your sentiment. I just feel that it is not only impractical, at this time, but that it's going to be a while longer before it happens and, even then, it's unlikely to go mainstream. Remember, it was us that urged people to get a computer - all those years ago. This is our fault. We are reaping what we sowed. We put boxes into people's homes and then told them to read the fucking manual. We expected them to do so.

      They've trashed our ecosystem. They've turned our networks into hell. They've made us deal with stupid regulations, inferior products, and sub-par standards. This is your fault - you did this. Own up to it and move on. I'm just as guilty as you are - and the barn door is still wide open as now we push them onto dumb terminals known as phones and tablets. To top it off, we've then pushed them back onto the mainframe as they resort to cloud services. Truth be told, that might be for the best. I'm kind of glad that they're on Facebook, Twitter, Reddit, YouTube, and 4chan. It shows me where I don't want to go.

      It was us, us who urged them to get computers which are now transmitting malware more rapidly than they have ever been able to before as we urged them to get broadband and made the content even richer. It was us who told them to cut their cords. It was us who told them how to pirate. It was us who, way back when, told them how to find Usenet. We invited them here and we rejoiced when they came because they gave us money - and power.

      And while it may seem that I'm waxing philosophical, I urge you to think again as to how those things all tie into this. Oh, don't get me wrong... I love a microkernel. I love the separation, the design, the utility, and the security. I love the fact that a driver or server or service can halt and be brought back up without crashing the whole system. I know, and understand, the layers associated and I appreciate the differences.

      And before you ask what I have done... Why, I've donated to Qubes not just once but multiple times - sometimes a fairly good sized donation. This thread is relatively old now so I'm thinking few will notice it. I'd rather it not be spectacular and I alr

      --
      "So long and thanks for all the fish."
    19. Re:depressing by Burz · · Score: 1

      That may or may not be TL;DR....

      May you or maybe not have a nice day! :)

    20. Re:depressing by KGIII · · Score: 1

      LOL It's all good. The gist of it is that I support Qubes and hope to be able to use it someday. Right now, I have needs it doesn't really fill. I've even aided them financially 'cause I want to use it.

      Yeah, I'm a bit verbose.

      --
      "So long and thanks for all the fish."
  2. Not Just Money by frovingslosh · · Score: 1

    So Tencent Security Team Sniper's root-level code execution exploit earned not just $40,000 but TEN POINTS too! Wow, now I'm impressed.

    --
    I'm an American. I love this country and the freedoms that we used to have.
    1. Re:Not Just Money by Anonymous Coward · · Score: 0

      Presumably the more points you amass, the higher the queue you become for presenting your attacks. Don't forget that once an exploit has been found, it's off the cards to everyone else that may also have discovered it. TSTS (sounds more like a lazy 80s high hat drum-machine pattern) will now be able to strut their stuff much sooner next year.

  3. Software has bugs by paskie · · Score: 4, Informative

    I thought you were linking to some sort of security-related bugs. But these are just plain bugs. And the codebase involved in rendering web pages is huge, because it's not an easy thing to do (try it; I maintained a text-mode browser for a couple of years). And huge codebases have many bugs, because the effort to keep them without minor bugs is just not worth it to anyone unless it is flying airplanes or directly responsible for hauling over hundreds of millions of dollars.

    Welcome to the real world - we just don't know how to write software without bugs without it being too onerous, expensive and boring (and the code running slow). And there's no short term prospect of learning it either. The only thing we can do is fix the major ones and security-wise, design the whole thing so that most bugs don't matter.

    --
    It's not the fall that kills you. It's the sudden stop at the end. -Douglas Adams
    1. Re:Software has bugs by Anonymous Coward · · Score: 0

      I thought it was going to be much worse!

    2. Re:Software has bugs by nuckfuts · · Score: 4, Interesting

      I thought you were linking to some sort of security-related bugs. But these are just plain bugs.

      You're making an interesting distinction. When the folks at OpenBSD (renowned for proactive security) audit their code, they intentionally avoid this distinction:

      During our ongoing auditing process we find many bugs, and endeavor to fix them even though exploitability is not proven. We fix the bug, and we move on to find other bugs to fix. We have fixed many simple and obvious careless programming errors in code and only months later discovered that the problems were in fact exploitable.

    3. Re:Software has bugs by Anonymous Coward · · Score: 0

      https://www.youtube.com/watch?v=qKAOfhyRMoA

      a lot of for example

    4. Re:Software has bugs by phantomfive · · Score: 1

      And huge codebases have many bugs, because the effort to keep them without minor bugs is just not worth it to anyone unless

      From this statement, I know what your code looks like, and I hope that I never have to work in it.
      I invoke upon you every insult of wrath ever to have been uttered from the mouth of Linus, oh bug producer.

      --
      "First they came for the slanderers and i said nothing."
    5. Re:Software has bugs by KGIII · · Score: 1

      I dunno... It's not *that* huge? I've been playing with Dillo lately. I sometimes use eLinks and Lynx. The code base for all of those is not that large. On Windows, I used to sometimes use something called Off-By-One which is kind of neat, actually. I almost licensed the source at one point to build my own browser just for gits and shiggles. It was not all that large and a quick look tells me that it's still not all that large - when built.

      --
      "So long and thanks for all the fish."
    6. Re:Software has bugs by KGIII · · Score: 1

      I was expecting a more verbose and lively response as I'd noticed who started the thread and then seen the reply. I'm also familiar with your varied signatures, comments, and journal posts. I'm familiar with your programming philosophy (or what you've shared of it) and how you feel about bugs and security - as well as your feelings about their production and those who produced them.

      I was actually looking forward to a good rant. ;-)

      --
      "So long and thanks for all the fish."
    7. Re:Software has bugs by phantomfive · · Score: 1

      I was actually looking forward to a good rant. ;-)

      lol I tried, but found words are insufficient to express the true depths of my scorn and disgust.

      --
      "First they came for the slanderers and i said nothing."
    8. Re:Software has bugs by phantomfive · · Score: 1

      I was really looking to make it a teaching moment, show him that actually there are people (like Donald Knuth) who program with a very low bug count such that their bug tracker is always empty (because they have few enough bugs that they can fix them as soon as they are reported), and that there are people who even teach how to accomplish that kind of programming,

      But if he's gone this long without coming to that awareness, what can I say to him that would change his mind? Is there anything? He seems too set in his ways to see anything different.

      --
      "First they came for the slanderers and i said nothing."
    9. Re:Software has bugs by KGIII · · Score: 1

      I read the usernames before reading the comments, very frequently, out of habit. It helps me make a mental profile. As you know, I like and respect your views. So, I was already expecting you to comment. This is, after all, bugs. Then I saw their reply. I had my hopes up.

      I'm kind of surprised that you didn't go with something akin to, "All bugs are potential security problems." Or, "Code should be bug free." (That would have been funny.) I was then expecting a bunch of links to books on the subject. ;-)

      Anyhow, further down the thread I left you another reply. That'll get you started on your way to at least isolating stuff - if you want. You can build profiles and aliases. You can do all sorts of things with it. I am not a guru with it yet - and don't even bother with it all the time. I don't find it adding much overhead or anything so it's probably a good idea for me to find a nice easy way to automate it. But, that's a subject for the other reply.

      --
      "So long and thanks for all the fish."
    10. Re:Software has bugs by Anonymous Coward · · Score: 0

      Still, the length of a bug list doesn't say much about security. It's confounded with the size of the codebase and the community's bug reporting process.

  4. Re:Firefox FTW by ChronoReverse · · Score: 4, Informative

    Actually it's because Firefox is doing so badly in the security front that they're not bothering: https://it.slashdot.org/story/...

    I'm typing this from Firefox but it's truly sad how Mozilla is caught up with things that are ultimately worthless (Firefox OS) instead of working on their core competency (or "competency").

  5. Re:Firefox FTW by Anonymous Coward · · Score: 0

    Sarcastic I know. But, for the lazy.
    https://it.slashdot.org/story/...

  6. use-after-free by maestroX · · Score: 1

    Can anyone explain the user after free exploit?

    1. Re:use-after-free by xxxJonBoyxxx · · Score: 1

      "User after free" is now a common vulnerability term that refers to vulnerabilities that reference memory after it has been freed, which can cause a program to crash, use unexpected values, or execute code. It's pretty common in C and C++ applications.
      https://cwe.mitre.org/data/definitions/416.html

    2. Re:use-after-free by wile_e_wonka · · Score: 1

      No.

    3. Re:use-after-free by lgw · · Score: 2

      I worked on a code base where we took elaborate precautions to be 100% sure we had no use-after-free bugs (macros that would crash the system any time it happened). I was just shocked how many we found, and how frequently people kept generating new ones. Too many C programmers who shouldn't be, I guess.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    4. Re:use-after-free by Anonymous Coward · · Score: 0

      I used to have problems with use-after-free bugs, but then I realized that there is a very simple solution. Never free memory.

    5. Re:use-after-free by Anonymous Coward · · Score: 1

      This just results in code that reuses memory in its pool. Then the bug becomes: use after pooled, which resulted in Heartbleed.

    6. Re:use-after-free by tlhIngan · · Score: 1

      I worked on a code base where we took elaborate precautions to be 100% sure we had no use-after-free bugs (macros that would crash the system any time it happened). I was just shocked how many we found, and how frequently people kept generating new ones. Too many C programmers who shouldn't be, I guess.

      Usually it's because of two things.

      1) Race conditions - you need to get rid of an object but the object is being used in another thread. Freeing the object now would mean the other thread would be using an invalid object. This is actually a very hard problem to solve and was a cause of a lot of Linux issues until the kernel fixed it for driver developers (by ensuring the exit code will only be called when all references to other entry points were gone and there was no other code running).

      2) Aliased references. An object is created, and references to it are passed around to other bits of code that may make more references to it. Freeing the object means having to invalidate all those references, which may not be completely obvious. This could be say, a buffer being passed around the application that various bits are looking at various parts of it. Usually what happens is the buffer is processed and then forgotten, except someone saw a neat way to implement a feature so what was stateless now has state. Free the buffer and there you go.

      It is tricky to resolve. The Linux kernel is a great way to learn all about it because you get multiple pointers to objects which is why they use the CONTAINER_OF style macros that mean you can embed a structure within another, and then using a pointer to the inner structure, get the entire object, reducing the need to alias.
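The aliased-reference case and the container_of idiom from the comment above, as an added example written for this page (not code from the thread, the Linux kernel, or any project). It assumes a hypothetical `shared_buf` header with an intrusive reference count in front of the payload: holders keep only the payload pointer, the owning header is recovered with `container_of`, and the "feature that grew state" takes a reference instead of silently keeping an alias, so the producer releasing its buffer no longer leaves a dangling pointer behind.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Recover the enclosing object from a pointer to one of its members
 * (the kernel-style macro the comment refers to). */
#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

/* Hypothetical buffer header: the count lives with the data it protects. */
typedef struct {
    int refs;          /* number of live holders of data */
    size_t len;
    char data[];       /* payload; this is the only pointer handed out */
} shared_buf;

static int live_bufs;  /* allocation counter so tests can check for leaks or double frees */

static shared_buf *hdr_of(char *data) {
    return container_of(data, shared_buf, data);
}

/* Allocate a buffer holding a copy of src; the caller owns one reference. */
char *buf_new(const char *src, size_t len) {
    shared_buf *b = malloc(sizeof *b + len);
    if (!b) return NULL;
    b->refs = 1;
    b->len = len;
    memcpy(b->data, src, len);
    live_bufs++;
    return b->data;
}

/* Any code that stores the pointer past the current call must take a reference. */
char *buf_ref(char *data) {
    hdr_of(data)->refs++;
    return data;
}

/* Drop a reference; returns 1 only when this call released the storage. */
int buf_unref(char *data) {
    shared_buf *b = hdr_of(data);
    if (--b->refs > 0) return 0;
    memset(b, 0xDD, sizeof *b + b->len);  /* poison: a stale reader fails loudly, not quietly */
    free(b);
    live_bufs--;
    return 1;
}

size_t buf_len(char *data) { return hdr_of(data)->len; }
int buf_live_count(void) { return live_bufs; }

/* The "feature that grew state": it remembers the last buffer it processed.
 * Without the buf_ref() in feature_observe, the producer's buf_unref() would
 * free the block and `cached` would dangle: the aliased-reference use-after-free. */
typedef struct { char *cached; } feature_state;

void feature_observe(feature_state *s, char *data) {
    if (s->cached) buf_unref(s->cached);
    s->cached = buf_ref(data);
}

void feature_reset(feature_state *s) {
    if (s->cached) { buf_unref(s->cached); s->cached = NULL; }
}

/* Producer hands a buffer to the feature, then releases its own reference.
 * Returns the payload length the feature can still safely read afterwards. */
size_t run_pipeline(void) {
    static const char msg[] = "constructed sample payload";  /* constructed input */
    feature_state st = { NULL };
    char *b = buf_new(msg, sizeof msg - 1);
    feature_observe(&st, b);
    buf_unref(b);                       /* producer done; storage survives because st holds a ref */
    size_t len = buf_len(st.cached);    /* safe: refs was 2, now 1 */
    feature_reset(&st);                 /* last reference dropped here; storage freed */
    return len;
}
```

Building with AddressSanitizer and removing the `buf_ref` call in `feature_observe` reproduces the heap-use-after-free the comment describes, which is the quickest way to see why the reference is the fix.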

    7. Re:use-after-free by phantomfive · · Score: 1

      Maybe the real problem was they had too many threads in their code?

      --
      "First they came for the slanderers and i said nothing."
  7. Add another $100k to the list by xtal · · Score: 1

    At CanSecWest.

    MS just announced a $100k award for IE11 0-day exploits (through to RCE bypassing EMET).

    --
    ..don't panic
  8. $460,000 for 21 hacks? by hyades1 · · Score: 1

    Suckas...

    --
    I've calculated my velocity with such exquisite precision that I have no idea where I am.
  9. Why $100,000 less by Anonymous Coward · · Score: 0

    They didn't allow Firefox hacks this year.