Security

First Pwn2Own 2009 Contest Winners Emerge

Posted by timothy
from the good-work-if-you-can-get-it dept.
mellowdonkey writes "Last year's CanSecWest hacking contest winner, Charlie Miller, does it again this year in the 2009 Pwn2Own contest. Charlie was the first to compromise Safari this year to win a brand spankin' new MacBook. Nils, the other winner, was able to use three separate zero-day exploits to whack IE8, Firefox, and Safari as well. Full details and pictures are available from the sponsor, TippingPoint, who acquired all of the exploits through their Zero Day Initiative program."


  • by Jurily (900488) on Thursday March 19, 2009 @05:27PM (#27261899)

    Nils, the other winner, was able to use three separate zero day exploits to whack IE8, Firefox, and Safari as well.

    Wow.

    • by Anonymous Coward

      Nils, the other winner, was able to use three separate zero day exploits to whack IE8, Firefox, and Safari as well.

      Wow.

      Wow.

    • Re: (Score:3, Insightful)

      by von_rick (944421)
      I'm pretty sure he knows more methods to compromise the OS through these browsers. Most likely he'll use those methods at next year's Pwn2Own. Same could be said about Charlie Miller.
      • by moderatorrater (1095745) on Thursday March 19, 2009 @06:25PM (#27262549)
        Actually, if I'm remembering correctly, Charlie Miller DID say that he knew of more ways to crack into a mac. He also said that Mac was just as insecure as Windows and that Windows gets attacked mainly because of the number of people using it.
        • Re: (Score:2, Interesting)

          by Laser_iCE (1125271)

          He also said that Mac was just as insecure as Windows and that Windows gets attacked mainly because of the number of people using it.

          I tried to find some sort of source for this, but instead found this:

          Windows 7 PC Outlasts Mac In Security Test [infopackets.com], at PWN2OWN.

          • by Laser_iCE (1125271) on Thursday March 19, 2009 @06:38PM (#27262693)
            Nevermind,

            Mac easiest to hack, says $10,000 winner [computerworld.com]
            • Re: (Score:1, Informative)

              by terwey (917072)
              "The MacBook Air was running the current version of Mac OS X, 10.5.2, with all the latest security patches applied." uhm... osx been buggin me quite some time now for updates for 10.5.6!
            • Re: (Score:1, Flamebait)

              by oaklybonn (600250)
              I wonder how much of "Mac easiest to hack" is due to the fact that WebKit is open source? It's got to be pretty easy to find exploits when you've got the source in front of you! And considering Darwin is open source, I'm surprised they weren't able to find a root exploit as well.
              • Re: (Score:2, Informative)

                by Simetrical (1047518)

                It's got to be pretty easy to find exploits when you've got the source in front of you!

                A comparison of high-profile, seriously damaging Apache and IIS exploits would seem to indicate the opposite. Code Red and Nimda both caused a lot of damage, and targeted IIS. Any comparable stories for Apache, which has a larger market share than IIS by any figures I've seen?

                Or heck, look at Firefox vs. IE. IE has historically been much less secure, although Firefox has had its share of screwups too. (Of course, the closed-source software does have a larger market share in this case. But then, WebKi

                • by mpeskett (1221084)

                  Of course it only applies if the code in question actually gets looked over by a lot of people. True for high profile things like Apache, but smaller open source projects can't be automatically assumed to be more secure - they may well have no more, or less, people actively reviewing their code than an equivalent program from a normal developer.

        • by drsmithy (35869) <drsmithy.gmail@com> on Thursday March 19, 2009 @07:51PM (#27263389)

          Actually, if I'm remembering correctly, Charlie Miller DID say that he knew of more ways to crack into a mac. He also said that Mac was just as insecure as Windows and that Windows gets attacked mainly because of the number of people using it.

          BURN HIM ! BURN THE HERETIC !

          • Re: (Score:2, Insightful)

            by Anonymous Coward

            No not burn, just leave him and all the other to their windoze spyware nightmare :)

    • by tonywong (96839) on Thursday March 19, 2009 @06:55PM (#27262885) Homepage

      Since no one has posted what 'owned' means, here are the rules from the CanSecWest site:

      2009-03-18-01:00:00 PWN2OWN Final Rules

      Well after much discussion and deliberation here is the final cut at scenarios for the PWN2OWN competitions.

      Browsers and Associated Test Platform

      Vaio - Windows 7

              * IE8
              * Firefox
              * Chrome

      Macintosh

              * Safari
              * Firefox

      Day 1: Default install no additional plugins. User goes to link.
      Day 2: flash, java, .net, quicktime. User goes to link.
      Day 3: popular apps such as acrobat reader ... User goes to link

      What is owned? - code execution within context of application

      =====

      I'm presuming that code execution is the first step towards owning the whole box, which may or may not be trivial once you got code execution happening within the app.

      • What is owned? - code execution within context of application

        Does this mean that you win if you execute code in a sandboxed application, even if that means you can't actually harm the user at all?

    • The nice thing about this, is that for Firefox, and probably also Safari, the bugs are already fixed.
      So all in all, this was a good thing for us all.

      The third exploit was a good thing for botnet owners only. ;)

  • Hmmm.... (Score:3, Insightful)

    by Khyber (864651) <techkitsune@gmail.com> on Thursday March 19, 2009 @05:45PM (#27262097) Homepage Journal

    Well, I'm not surprised it didn't take but a few moments for the contest to be won.

    Man can make it, man can break it. That's it.

    • Re:Hmmm.... (Score:5, Funny)

      by Anonymous Coward on Thursday March 19, 2009 @05:52PM (#27262189)

      But Safari was created by the Gods at Apple....

      • Re:Hmmm.... (Score:5, Funny)

        by ijakings (982830) on Thursday March 19, 2009 @06:50PM (#27262837)

        Firefox Three for the Elven-kings under the sky,
        IE Seven for the Dwarf-lords in their halls of stone,
        Netscape Nine for Mortal Men doomed to die,
        One Safari for the Dark Lord on his dark throne
        In the Land of Apple where the Shadows lie.
        One Browser to rule them all, One Browser to find them,
        One Browser to bring them all and in the darkness bind them
        In the Land of Apple where the Shadows lie.

        • by Lars T. (470328)
          It's about time the iPhone got copy&paste, else one couldn't write masterpieces like that on it!
      • Re: (Score:3, Interesting)

        by rthille (8526)

        Yeah, but from what I read, the attack was via a PERL regex library used by the javascript engine. So it was in something Apple just used and not something they wrote from scratch. <sarcasm> I'm sure had Apple written the whole thing from scratch, there'd be no bugs...</sarcasm>

        • by drinkypoo (153816)

          Yeah, but from what I read, the attack was via a PERL regex library used by the javascript engine. So it was in something Apple just used and not something they wrote from scratch. <sarcasm> I'm sure had Apple written the whole thing from scratch, there'd be no bugs...</sarcasm>

          While we're conjecturing wildly (well, you didn't cite) Apple has a history of failing to keep their Open Source components current, especially perl modules (there was a discussion here recently about manually-updated perl modules being whacked by an Apple 'update'.)

        • Re:Hmmm.... (Score:4, Informative)

          by makomk (752139) on Friday March 20, 2009 @07:27AM (#27266473) Journal
          No, it was via Safari's very outdated internal copy (probably even a fork, from what I recall) of the pcre regex library. I think the equivalent bug had been fixed in the upstream library ages before.
          • Re: (Score:3, Funny)

            by rthille (8526)

            heh, my memory had conflated pcre and perl. That'll teach me to look shit up.

    • by doas777 (1138627)
      Well, security research is something you prep for, not do on the fly. No doubt they have been polishing the exploits and thoroughly testing them "off stage", as it were.
      • No kidding. Basically it was a draw from the summary's hat for who won the computers, from what I can gather. At least, that's the impression I'm getting...

        It's also very unclear what constitutes "pwned". Even reading the rules, "code execution in the context of the application" or something... Does that mean these exploits are actually usable to do something malicious, or do they just, say, crash the browser?

        • by doas777 (1138627)
          Good point. I was wondering what the runner-up did that put his exploits outside the criteria of the contest.
        • Re: (Score:3, Insightful)

          by rts008 (812749)

          Does that mean these exploits are actually usable to do something malicious,...

          Yes.

          The code executed by the contestant may not be malicious, it is only meant to showcase the exploit being used. If I were a contestant, I would not run malicious code on the laptop I was hoping to take home with me! Maybe download a Kubuntu .iso and Wubi.exe, and execute Wubi.....

          Used in the wild, the exploit would almost certainly be used to execute malicious code, I'd think.

        • Re: (Score:3, Insightful)

          by MadnessASAP (1052274)

          It's also very unclear what constitutes "pwned". Even reading the rules, "code execution in the context of the application" or something... Does that mean these exploits are actually usable to do something malicious, or do they just, say, crash the browser?

          Seems pretty cut and dried to me: it means they were able to inject their own code into the process's memory and get it to execute. So no privilege escalation, but you can now do whatever said application would theoretically have been able to do.

          • Re: (Score:3, Insightful)

            That's why it's time for Android-style security on the desktop: Firefox should ONLY be able to write to a downloads folder & its profile, OO should ONLY be able to read/write to disk, NO network access.

            • by erikina (1112587)
              Something like SELinux?
            • "Android style security"??? It's a sad day on /. when someone calls mandatory access control "android style security".

            • Re: (Score:2, Interesting)

              by Simetrical (1047518)

              That's why it's time for Android-style security on the desktop: Firefox should ONLY be able to write to a downloads folder & its profile

              So what if the user uses "Save Page As..."? You'd have to have an infrastructure that allows spawning a file picker as a separate app with its own permissions. What if the user customizes the directory for storing the web cache? What if Firefox creates an executable in a prohibited location and then runs it? Etc. Firefox is an awfully big application; it would be hard to pin it down with hard-and-fast rules on what directories it can access.

              OO should ONLY be able to read/write to disk, NO network access.

              That's a real impediment. Just write out your malicious scrip

          • by UnRDJ (712762)
            Now let's consider how many inexperienced users run everything as administrator/root. Those botnets don't make themselves!
            • I think most Slashdotters can understand the implications of what happens when an application running as root gets compromised. Those that don't probably work at Microsoft :-).

  • by Deathlizard (115856) on Thursday March 19, 2009 @06:33PM (#27262627) Homepage Journal

    Browsers
    Chrome: 0
    IE8: 1
    Firefox: 1(1)*
    Safari: 2(1)*

    Mobile Browsers
    Blackberry: 0
    Android: 0
    iPhone: 0
    Nokia/Symbian: 0
    Windows Mobile: 0

    *Numbers in parenthesis indicate Successful exploits that fell outside the contest criteria and therefore could not be rewarded.

    • Re: (Score:3, Interesting)

      Has nobody tried "hacking" the mobile devices? You'd think with all the BBs/iPhones/WM and Symbian devices out there, there would be a market for exploiting them.
    • Firefox on Mac was done but how about Firefox on Windows? (Nils did it on the Mac)

  • No details? (Score:3, Insightful)

    by rbanzai (596355) on Thursday March 19, 2009 @07:31PM (#27263205)

    I checked the article and there don't appear to be any details. A few of these hacking contests have been a bit overblown so I'd like to know what manner of exploit they used.

    If it's another "well you need physical access to the machine and know the admin username and password" then it's no big deal. If it's "we had the user click a link and all hell broke loose" that would be much more interesting.

    • Re:No details? (Score:5, Interesting)

      by ld a,b (1207022) on Thursday March 19, 2009 @08:16PM (#27263591) Journal
      >"we had the user click a link and all hell broke loose"

      That is exactly what happened with Safari on Mac OS, in seconds. I guess the others fell just as easily, but with somewhat cruder exploits.

      We don't get to know the details because vendors get to fix the hole before anything is published, which is long after all of us have forgotten about the contest.

      What really is misleading is that Windows 7 and MacOS are implied pwned when it appears that only the browsers were taken.

      With IE8 purportedly running in a "sandbox", breaking out of that was interesting by itself and hopefully a bit more difficult than just escalating privileges in MacOS.

      I miss Linux too. A hole in firefox means being just one local exploit away from pwning your box.
      • Per the contest rules it wasn't necessary to break out of the sandbox, so at this point it is not clear that that happened. Simply executing code in context of the application (browser) would be enough. You can still do a lot of damage inside the browser, i.e. install password/certificate snooping, monitor and inject traffic etc. But it all ends with the browser session. You cannot read/write users' files much less compromise the machine.

        Unlike Firefox, Opera and Safari, Chrome and IE actually has such a

        • by drerwk (695572)

          But it all ends with the browser session. You cannot read/write users' files much less compromise the machine.

          If you can execute in the application's context, I think you can write to the preferences files - even if the app is in a sandbox. At that point you might be able to save your hack and have it reloaded at start up. You might save your hack as file://homepage.html and load that.

          • If you can execute in the applications context, I think you can write to the preferences files - even if the app is in a sandbox.

            No, not in a sandbox. That's the difference between something like SELinux and a real sandbox. With SELinux you will be allowed to do what you legitimately need to be able to do. In a sandbox you will have to ask the broker process to perform the privileged operations. Neither Chrome nor IE lets the rendering process access the local file system. Instead they supply a broker/helper process. Typically this process will interact with the user, i.e. if downloading a file it will display a dialog or visual eleme
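The renderer/broker split argued over in this sub-thread, and the earlier "Firefox should ONLY be able to write to a downloads folder & its profile" proposal, as one added Python illustration. This is not code from Chrome, IE, Firefox or any contest entry, and everything in it is assumed for the demo: the directory names (Downloads, profile, .ssh), the two policies, the planted symlink and the fake key file are all constructed in a throwaway directory. The point it shows is that attacker code running "in the context of the application" can only call the broker, and the broker decides from an allow-list after resolving the path with realpath, so a symlink planted inside Downloads cannot be used to reach outside it. Both policies are run so the preferences-file persistence question raised just above can be seen going either way depending on whether the profile directory is writable.

```python
"""Broker-style file policy for a sandboxed renderer (added illustration).

Assumed layout, constructed under a temp dir: Downloads/, profile/, .ssh/, etc/.
Nothing here is taken from any real browser's sandbox implementation.
"""
import os
import shutil
import tempfile


class PolicyViolation(Exception):
    """Raised by the broker when a renderer request falls outside policy."""


def _under(path, root):
    """True if the resolved target of `path` lies inside `root`.

    realpath() is applied to both sides, so '..' segments and symlinks are
    judged by where they end up, not by how the renderer spelled the path.
    """
    real = os.path.realpath(path)
    root = os.path.realpath(root)
    return real == root or real.startswith(root + os.sep)


class Broker:
    """Privileged side. Holds the allow-lists and performs file I/O on the
    renderer's behalf; the renderer never receives a file handle of its own."""

    def __init__(self, writable, readable=()):
        self.writable = list(writable)          # dirs the renderer may write into
        self.readable = list(readable)          # read-only dirs (writable implies readable)
        self.audit = []                         # (decision, op, path), for later detection

    def _check(self, op, path, roots):
        if not any(_under(path, r) for r in roots):
            self.audit.append(("deny", op, path))
            raise PolicyViolation(f"{op} {path!r} outside policy")
        self.audit.append(("allow", op, path))

    def read(self, path):
        self._check("read", path, self.writable + self.readable)
        with open(path, "rb") as f:
            return f.read()

    def write(self, path, data):
        self._check("write", path, self.writable)
        with open(path, "wb") as f:
            f.write(data)
        os.chmod(path, 0o600)                   # never hand back an executable file
        return len(data)


def compromised_renderer(broker, home):
    """Models attacker code that has code execution inside the renderer.

    It can do nothing but call broker methods. Returns the outcome of each
    attempt so the two policies can be compared.
    """
    attempts = {
        "save_download": (broker.write, os.path.join(home, "Downloads", "doc.pdf"), b"%PDF"),
        "read_ssh_key": (broker.read, os.path.join(home, ".ssh", "id_rsa")),
        "persist_in_profile": (broker.write, os.path.join(home, "profile", "user.js"), b"pref()"),
        # 'link' is a symlink planted in Downloads that points at etc/ outside it.
        "symlink_escape": (broker.write, os.path.join(home, "Downloads", "link", "passwd"), b"x"),
    }
    results = {}
    for name, (op, *args) in attempts.items():
        try:
            op(*args)
            results[name] = "allowed"
        except PolicyViolation:
            results[name] = "denied"
    return results


def run_demo():
    """Builds the constructed home directory, runs both policies, cleans up.

    Returns {policy_name: {attempt: "allowed" | "denied"}}.
    """
    home = tempfile.mkdtemp()
    try:
        for d in ("Downloads", "profile", ".ssh", "etc"):
            os.makedirs(os.path.join(home, d))
        with open(os.path.join(home, ".ssh", "id_rsa"), "wb") as f:
            f.write(b"FAKE KEY MATERIAL")      # constructed sample, not a real key
        os.symlink(os.path.join(home, "etc"), os.path.join(home, "Downloads", "link"))

        downloads = os.path.join(home, "Downloads")
        profile = os.path.join(home, "profile")
        # The MAC-style rule proposed in the thread: downloads and profile writable.
        loose = Broker(writable=[downloads, profile])
        # The renderer/broker split as described for Chrome/IE: profile read-only.
        strict = Broker(writable=[downloads], readable=[profile])
        return {
            "loose": compromised_renderer(loose, home),
            "strict": compromised_renderer(strict, home),
        }
    finally:
        shutil.rmtree(home, ignore_errors=True)


if __name__ == "__main__":
    for policy, outcome in run_demo().items():
        print(policy, outcome)
```

Under both policies the download is allowed and the key read and the symlink escape are denied; only the profile write differs, which is exactly the line between "save your hack and have it reloaded at start up" and "not in a sandbox" in the two posts above. Note that the broker, not the renderer, is where the check lives: a policy that lets the renderer open the file itself and merely labels directories, which is what the check-on-the-renderer-side version of this would amount to, gives the compromised process the handle and with it the decision.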

  • Censored? (Score:1, Funny)

    by Anonymous Coward

    Is it just me, or does it look like they censored Nils' zipper when he was showing off his winnings?

  • by BestNicksRTaken (582194) on Friday March 20, 2009 @05:36AM (#27266075)

    The speed factor seems pointless in this exercise - if they didn't write the exploits there and then at the conference, it effectively boils down to who can stick his thumbdrive in the slot and double-click the fastest!

    Why did it take longer to kill IE8/Firefox if the exploits were already written and just needed to be run by clicking a URL?

    Make the fsckers write their own exploits, and make them do it at the show. THAT would be worth 10k.

  • What details...? (Score:4, Interesting)

    by argent (18001) on Friday March 20, 2009 @07:08AM (#27266405) Homepage Journal

    Full detail and pictures are available from the sponsor, TippingPoint, who acquired all of the exploits through their Zero Day Initiative program.

    I see no details here.

  • by SirSlud (67381) on Wednesday March 25, 2009 @10:10PM (#27337811) Homepage

    Who the hell cares about Windows, Macs, Linux?

    Put these folks on voting machines - it's way more important to protect the sanctity of democracy than to point out exploitable browsers.

    I get the economics of it, but this is what insurance is for. Software companies care about security, but at some point this becomes more about mental masturbation - cracking will always occur. Why not create some incentive to put the desire to crack on important systems rather than worry about Joe Schmoe's machine getting compromised.

"Consistency requires you to be as ignorant today as you were a year ago." -- Bernard Berenson
