Next Pwn2Own Contest Targets IE8, Firefox, iPhone

Windows Secrets writes "After two straight years of taking dead aim at Macbooks and Windows-powered machines, hackers at this year's CanSecWest conference will have shiny new targets: Web browsers and mobile phones. According to CanSecWest organisers, there will be two separate Pwn2Own competitions this year — one pitting hackers against IE8, Firefox 3 and Safari and another targeting Google Android, Apple iPhone, Nokia Symbian and Windows Mobile."

Unbalanced?

Am I the only one who wonders if the design of this contest doesn't create an unbalanced playing field? It's often struck me that if the computers are "Pwn2Own", then the participants are going to focus more heavily on "pwning" the system they want to take home with them. e.g. Given a choice between a Vaio running Windows and a MacBook Pro running OS X, I know I would rather have the MacBook Pro. Thus I'm not going to try as hard to crack the Windows system because the system I REALLY want is the Mac.

Maybe it's just me. Maybe there are an equal number of equally talented individuals who's only disagreement is the preference of their machine. But somehow I don't think it's that easy.

Re:Unbalanced?

yeah and who the hell wants to be given a copy of IE8 as first prize?

Re:

For the browser competition, you get the computer it's running on. Or at least that's what I gather; the article accidentally a whole verb. FTA: "CanSecWest organizers plan to Sony VAIO P running Windows 7 as the platform for the contest. The successful hacker gets to keep the machine."

Re:

second prize: two copies of IE8.

Re:

We all know that Windows Mobile and IE8 will come out on top as they are far superior to the competition.

Re:

But I thought OS X is inherently more secure, and the perceived security has nothing to do with it being a less tempting target than Windows.

Or at least, that's what everybody tells me...

Re:

Where there a will there is a way. In this case the will must be stronger.

Re:Unbalanced?

The current security situation of the platform is not an XOR matter. It is inherently more secure thanks in large part to tested Unix/BSD bits and very few backwards compatibility hacks that later end up used as vulnerabilities, but at the same time there are vulnerabilities that have not been found because not nearly as many people poke at it as they do Windows. If as many people poked at Mac OS X as they did Windows I'm sure we'd see more vulnerabilities in the wild, but I have no reason to believe there would be as many as we see with Windows.

As for the contest at hand, I'd be shocked if they didn't break it. Browsers are a mess, and this goes for IE8, Firefox, and Safari. They'll most certainly get Safari to trigger a remote code execution situation, the bigger challenge will be finding a local privilege escalation flaw to combine that with to actually own the system.

Re:

Actually I think this might be part of the plan. Right now one of the things that might make Windows less desireable is that it is a bit of a security risk and (apparently) not as hard to crack. So the big flashy prize is something that people want because it's supposedly more secure or otherwise better (or at least sells itself that way) and it's going to get a bit more attention. So maybe more people discover security issues for the desired prize during contests like this which vendors can ultimately fix

Re:Unbalanced?

I still think from a game theory perspective, it is best to go after the platform you are best at pwning if you assume all the other participants are about as skilled as you are. This is because time is a factor, and so you are better off making sure you hack first and get something than trying hack the best prize if there is a better chance one of the other hackers is more experienced at it than you. A good chance of getting something bad is usually better than a bad chance of getting something good.

Re:Unbalanced?

You probably have some security patches that need to be installed on your mac cause you obviously seem to not think that those are of any use.

Re:Unbalanced?

Apple has a history of virtually 100% secure operating systems, especially OS X that is going on almost a decade without a single virus or worm.

FTFA:

In 2007, New York-based security researcher Dino Dai Zovi teamed up with Shane Macaulay to hijack a MacBook Pro via a flaw in Apple's QuickTime software. A year later, hacker Charlie Miller needed just two minutes to exploit a Safari bug to win that contest.

Re:Unbalanced?

fwiw, all the successful attacks I've seen were due to privilege escalation for a local user. The key difference most people are talking about is being secure over a network, from a remote attacker. Viruses don't really even count here, just worms. It's a lot more important to be secure from the 35 million people out on the internet than from the 2 that have an account on your computer.

Windows has been shown to fail miserably, repeatedly, and in epic ways in this respect. OS X has yet to be owned remotely. Correct me if I'm wrong here, I'd like to heat about it.

Re:

OS X has yet to be owned remotely. Correct me if I'm wrong here, I'd like to heat about it.

You are wrong.

The original jailbreaking of the iPhone was based on a tiff handling vulnerability in the Safari browser - this could be exploited remotely until the hole was fixed, simply by visiting a website.

http://www.iphone-hacks.com/2007/10/10/iphone-111-jailbroken-again-using-tiff-exploit/ [iphone-hacks.com]

I would be surprised if there are not more holes in the Safari browser which ships with the iPhone (and its desktop equivalent), indeed I've read about a few more since (can't be bothered to look them all up just now)

Re:

Now OS X has been less vulnerable to worms spreading automatically compared to Window

Please provide one example of a worm that spreads automatically on OS X.

Saying "less vulnerable" makes it sound like windows and os x even have some remote similarity. "hundreds of examples" vs "no examples" hardly qualifies you to say "less vulnerable".

Hearing someone say my right shoe is merely "less likely to spontaneously explode" than an unexploded munition from WW2. leads an uninformed observer to question the safet

Re:Unbalanced?

(Flamebait)It shouldn't matter though because OSX running on proprietary Apple hardware with its uber *nix under pinings is supah secure.(/Flamebait)

I know you're trying to be funny but, even the NT kernel is secure. Almost every single exploit will come in via applications, this is true for Mac, Linux/Unix and Windows.

2Own

You could win own your very own copies of IE8, Firefox 3, and Safari!

Wonder if it requires the iPhone to be jailbroken

That would fall in line with their use of a 3rd party wireless card to hack the MacBook. (i.e. using the product in a way most people wouldn't be using it.)

How much attention does this get?

How much attention does this contest actually get? While there are lots of upstanding people who will participate, I would be surprised if there weren't quite a few talented individuals who will not be participating.

I mean, if you're a blackhat, an exploit for any of these targets is worth a lot more than a laptop or a mobile phone.

Re:How much attention does this get?

The blackhats try to exploit the whole contest so that nobody can win. :)

Then they continue to use the holes they only they know about.

My experience....

Last year I DJ'd for the CanSecWest dinner party, and I was kinda amused to see that a lot of the people who were at the conference were ex-blackhats anyway. A good number of them had criminal records and were now raking in hella money working on the legit side (a shitload more than they made during their blackhat careers). I even met a couple of them at a 2600 meeting once.

Hackers are hackers, regardless of which side of the legal coin they fall on. The exploits used are known to anybody with the resources to find them. In fact, last year nobody took home the Linux box not because they couldn't find any exploits, but because there was so much more effort and time involved in breaking the linux systems that everybody just went for the OSX or Windows machines. Versions of this contest probably exist in the blackhat world, but are a lot less publicized because they don't have industry heavyweights like Cisco or Microsoft sponsoring it.

Spose so, but...

If a conglomorate offers you a six+ figure salary to do what you essentially do for fun, are you really going to say no?

Isn't the OS still important?

Doesn't the underline operating system still assist with the overall security of a browser? ie. can't a more secure OS make escalation of a browser hack more difficult?

Re:

Doesn't the underline operating system still assist with the overall security of a browser?

Only if it hasn't been upgraded to the italic operating system.

Obligatory XKCD

http://xkcd.com/166/ [xkcd.com]