Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

[ Create a new account ]

First Pwn2Own 2009 Contest Winners Emerge

Posted by timothy on Thursday March 19, @05:23PM
from the good-work-if-you-can-get-it dept.
Security
mellowdonkey writes "Last year's CanSecWest hacking contest winner, Charlie Miller, does it again this year in the 2009 Pwn2Own contest. Charlie was the first to compromise Safari this year to win a brand spankin new Macbook. Nils, the other winner, was able to use three separate zero day exploits to whack IE8, Firefox, and Safari as well. Full detail and pictures are available from the sponsor, TippingPoint, who acquired all of the exploits through their Zero Day Initiative program."
security ie8beta firefox safari it security story

Related Stories

[+] Apple: MacBook Air First To Be Compromised In Hacking Contest 493 comments
Multiple readers have written to let us know that the MacBook Air was the first laptop to fall in the CanSecWest hacking contest. The successful hijacking took place only two minutes into the second day of the competition, after the rules had been relaxed to allow the visiting of websites and opening of emails. The TippingPoint blog reveals that the vulnerability was located within Safari, but they won't release specific details until Apple has had a chance to correct the problem. The winner, Charlie Miller, gets to keep the laptop and $10,000. We covered the contest last year, and the results were similar.
[+] Next Pwn2Own Contest Targets IE8, Firefox, iPhone 64 comments
Windows Secrets writes "After two straight years of taking dead aim at Macbooks and Windows-powered machines, hackers at this year's CanSecWest conference will have shiny new targets: Web browsers and mobile phones. According to CanSecWest organisers, there will be two separate Pwn2Own competitions this year — one pitting hackers against IE8, Firefox 3 and Safari and another targeting Google Android, Apple iPhone, Nokia Symbian and Windows Mobile."
Firehose:First Pwn2Own 2009 Contest Winners Emerge by Anonymous Coward
[+] Mobile: All Five Smartphones Survive Pwn2Own Contest 144 comments
CWmike writes "Although three of the four browsers that were targets in the PWN2OWN hacking contest quickly fell to a pair of researchers, none of the smartphones were successfully exploited. TippingPoint had offered $10,000 for each exploit on any of the phones, which included the iPhone and the BlackBerry, as well as phones running the Windows Mobile, Symbian and Android operating systems. 'With the mobile devices so limited on memory and processing power, a lot of [researchers'] main exploit techniques are not able to work,' said TippingPoint's Terri Forslof. 'Take, for example, [Charlie] Miller's Safari exploit,' referring to Miller's 10-second hack of a MacBook via an unpatched Safari vulnerability that he'd known about for more than a year. 'People wondered why wouldn't it work on the iPhone, why didn't he go for the $10,000?' she said. 'The vulnerability is absolutely there, but it's a lot tougher to exploit on the iPhone.'" Chrome was the only browser at the contest that was not successfully exploited. We previously discussed day one of the contest, and a summary of day two is available as well.
[+] Pwn2Own 2009 Winner Charlie Miller Interviewed 160 comments
crazipper writes "Tom's Hardware interviewed Charlie Miller, winner of this year's Pwn2Own contest and formerly with the NSA. He discusses the effort it took before the contest to be able to take down a MacBook within seconds, sandboxing, and the effectiveness of the NX bit and ASLR. His outlook on end-users protecting themselves against attacks? 'Users are at the mercy of the products they buy.'"
[+] Mozilla First To Patch Pwn2Own Browser Vulnerability 140 comments
Constantine the Less writes "Mozilla has released Firefox 3.0.8 to fix a pair of code execution holes that put users of the browser at risk of drive-by download attacks. It includes a fix for one of the flaws exploited during this year's CanSecWest Pwn2Own hacker contest. The update also fixes a separate zero-day flaw disclosed earlier this week on a public exploit site. Both issues are rated 'critical,' Mozilla's highest severity rating."
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

First Pwn2Own 2009 Contest Winners Emerge 25 Comments More | Login | Reply /

 Full
 Abbreviated
 Hidden
More | Login | Reply
Loading... please wait.

  • Nils, the other winner, was able to use three separate zero day exploits to whack IE8, Firefox, and Safari as well.

    Wow.

    • Let me be the second to say (Score:3, Funny)

      by Anonymous Coward

      Nils, the other winner, was able to use three separate zero day exploits to whack IE8, Firefox, and Safari as well.

      Wow.

      Wow.

    • Re: (Score:3, Insightful)

      by von_rick (944421)
      I'm pretty sure he knows more methods to compromise the OS through these browsers. Most likly he'll use those methods at next years' pwn2own. Same could be said about Charlie Miller.

    • Re:Let me be the first to say (Score:5, Informative)

      by tonywong (96839) on Thursday March 19, @06:55PM (#27262885) Homepage

      Since no one has placed what 'owned' means, here's the rules from the canwest site:

      2009-03-18-01:00:00 PWN2OWN Final Rules

      Well after much discussion and deliberation here is the final cut at scenarios for the PWN2OWN competitions.

      Browsers and Associated Test PAltform

      Vaio - Windows 7

              * IE8
              * Firefox
              * Chrome

      Macintosh

              * Safari
              * Firefox

      Day 1: Default install no additional plugins. User goes to link.
      Day 2: flash, java, .net, quicktime. User goes to link.
      Day 3: popular apps such as acrobat reader ... User goes to link

      What is owned? - code execution within context of application

      =====

      I'm presuming that code execution is the first step towards owning the whole box, which may or may not be trivial once you got code execution happening within the app.

  • Hmmm.... (Score:3, Insightful)

    by Khyber (864651) <khyberkitsune@gmail.com> on Thursday March 19, @05:45PM (#27262097) Journal

    Well, I'm not surprised it didn't take but a few moments for the contest to be won.

    Man can make it, man can break it. That's it.

    • Re:Hmmm.... (Score:5, Funny)

      by Anonymous Coward on Thursday March 19, @05:52PM (#27262189)

      But Safari was created by the Gods at Apple....

      • Re:Hmmm.... (Score:5, Funny)

        by ijakings (982830) on Thursday March 19, @06:50PM (#27262837)

        Firefox Three for the Elven-kings under the sky,
        IE Seven for the Dwarf-lords in their halls of stone,
        Netscape Nine for Mortal Men doomed to die,
        One Safari for the Dark Lord on his dark throne
        In the Land of Apple where the Shadows lie.
        One Browser to rule them all, One Browser to find them,
        One Browser to bring them all and in the darkness bind them
        In the Land of Apple where the Shadows lie.

  • Browsers
    Chrome: 0
    IE8: 1
    Firefox: 1(1)*
    Safari: 2(1)*

    Mobile Browsers
    Blackberry: 0
    Android: 0
    iPhone: 0
    Nokia/Symbian: 0
    Windows Mobile: 0

    *Numbers in parenthesis indicate Successful exploits that fell outside the contest criteria and therefore could not be rewarded.

  • Full detail and pictures are available from the sponsor, TippingPoint, who acquired all of the exploits through their Zero Day Initiative program.

    I see no details here.

    • Re:WTF ? (Score:4, Insightful)

      by CannonballHead (842625) on Thursday March 19, @05:59PM (#27262263)
      Or both.

    • Re: (Score:3, Informative)

      by JB19000 (1389999)
      Nonsense, all exploits used at these have already been know to at least the competitor. Afterwords they are submitted to the developers. This competition is used to give recognition to security researchers and improve browsers not to prove anything about a certain program.

    • Re: (Score:3, Insightful)

      by JumpDrive (1437895)
      I think that something is very wrong with the security features of these apps or the OS on which they were run.
      I'd like to see a browser stabilized so that more work can be done on the security. I always wonder, how can they may a secure browser if they are constantly adding features to it?
      What else do we need for a browser to do?
      I'm serious, what else do we really need a browser to do? Can we stop for awhile and work on making one more secure?

    • Re:WTF ? (Score:4, Insightful)

      by doas777 (1138627) on Thursday March 19, @06:22PM (#27262519)
      it's seems to me to be an indication that we are pushing new functionality before the basis upon which it functions is mature enough to be safely reviewed. the complexity of a given computing environment is increasing at an approximately exponential rate, so there is more and more that need be tested and vetted everyday.
      there are just some things that we need to accept aren't safe yet. As much as I like active web pages like this one, the problems with CGI and javascript persist even today, despite a decade+ of review and testing. I find online banking and drivers license registeration very convient, but at the same time, I firmly believe that there is no way to be safe when performing fiscal transactions online. don't get me wrong, I use these services, but I wish the chaotic computing environment would slow down a bit so we can catch up with the securiy problems of last year, before facing next years.

    • Or, ... (Score:4, Insightful)

      by reiisi (1211052) on Thursday March 19, @06:32PM (#27262621) Homepage

      Once or twice meant something, but now it's an institution.

      Meaning that somebody is going to try to make a career of breaking the easiest part of the system at this contest.

      Meaning that these guys are going to sit on their exploits.

      Meaning that this contest, running at a set time once a year, is now meaningless.

      Except for advertising potential. You know, keeping your product name in the headlines.

      The respective companies should offer a running bounty on exploits on their browsers. Yeah, that would spoil all the pageantry of Pwn20wn, but do we really need another pageant?

      • Re:Or, ... (Score:4, Insightful)

        by Nazlfrag (1035012) on Friday March 20, @01:00AM (#27265145) Journal

        They change the rules and targets each year. Nobody will sit on an exploit all year because there's no way to know what to hang on to, or whether the hole will still be there in a month, let alone a year. It's used to promote the Zero Day Initiative [zerodayinitiative.com] which pays you directly for exploits, no fancy contest needed. The contest serves its purpose perfectly. It's never been a meaningful way to stop exploits anyway, just a promotional vehicle for the conference and the respective companies. Nobody's going to make a career out of this competition. If they were good enough to do that, they could make a comfortable living from the ZDI.

        • Re:Or, ... (Score:4, Insightful)

          by pyrrhonist (701154) on Friday March 20, @03:38AM (#27265693)

          Nobody will sit on an exploit all year because there's no way to know what to hang on to, or whether the hole will still be there in a month, let alone a year.

          That's exactly what happened [zdnet.com] this year:

          I actually found this bug before last year's Pwn2Own but, at the time, it was harder to exploit. I came to CanSecWest last year with two bugs but only one exploit. Last year, you could only win once so I saved the second bug. Turns out, it was still there this year so I wrote another exploit and used it this year.

          • Re:Or, ... (Score:5, Insightful)

            by Fred_A (10934) <(ten.anww) (ta) (derf)> on Friday March 20, @04:27AM (#27265855) Homepage

            That's exactly what happened [zdnet.com] this year:

            I actually found this bug before last year's Pwn2Own but, at the time, it was harder to exploit. I came to CanSecWest last year with two bugs but only one exploit. Last year, you could only win once so I saved the second bug. Turns out, it was still there this year so I wrote another exploit and used it this year.

            So in a way what this event did is help keep a known vulnerability open for a year more than it should have been. Which means that there is a fair chance that in the mean time some body else might have found and used it in the wild.

            Brilliant.

      • Re:Or, ... (Score:4, Informative)

        by BZ (40346) on Friday March 20, @01:36AM (#27265271) Homepage

        > The respective companies should offer a running bounty on exploits on their browsers.

        You mean like http://www.mozilla.org/security/bug-bounty.html [mozilla.org] ?

        The problem is that browser exploits sell for about $10,000 at the moment (that's how much various "security" companies will pay for them). The bug bounty above is $500...

    • Re: (Score:3, Informative)

      by doas777 (1138627)
      i think the problem is, that if you completely isolate the browser, it becomse less useful, so no one wants to. also interprocess communication is a kernel level thing, so whatever process is running inherently has the ability to work with other processes and threads. all you have to do is break the protections within the process and you have some real control.
      they are getting better with this, but they still have a long way to go.

    • Re:No details? (Score:5, Interesting)

      by ld a,b (1207022) on Thursday March 19, @08:16PM (#27263591) Journal
      >"we had the user click a link and all hell broke loose"

      That is exactly what happened with Safari on MacOS, in seconds. I guess the others fell just as easily, but with a bit more crude exploits.

      We don't get to know the details because vendors get to fix the hole before anything is published, which is long after all of us have forgotten about the contest.

      What really is misleading is that Windows 7 and MacOS are implied pwned when it appears that only the browsers were taken.

      With IE8 purportedly running in a "sandbox", breaking out of that was interesting by itself and hopefully a bit more difficult than just escalating privileges in MacOS.

      I miss Linux too. A hole in firefox means being just one local exploit away from pwning your box.

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.