Security

First Pwn2Own 2009 Contest Winners Emerge

mellowdonkey writes "Last year's CanSecWest hacking contest winner, Charlie Miller, does it again this year in the 2009 Pwn2Own contest. Charlie was the first to compromise Safari this year to win a brand spankin new Macbook. Nils, the other winner, was able to use three separate zero day exploits to whack IE8, Firefox, and Safari as well. Full detail and pictures are available from the sponsor, TippingPoint, who acquired all of the exploits through their Zero Day Initiative program."
This discussion has been archived. No new comments can be posted.

  • by Jurily ( 900488 ) <jurily&gmail,com> on Thursday March 19, 2009 @05:27PM (#27261899)

    Nils, the other winner, was able to use three separate zero day exploits to whack IE8, Firefox, and Safari as well.

    Wow.

  • Macintosh (Score:0, Insightful)

    by Anonymous Coward on Thursday March 19, 2009 @05:33PM (#27261963)

    'Security' through obscurity

  • Hmmm.... (Score:3, Insightful)

    by Khyber ( 864651 ) <techkitsune@gmail.com> on Thursday March 19, 2009 @05:45PM (#27262097) Homepage Journal

    Well, I'm not surprised it didn't take but a few moments for the contest to be won.

    Man can make it, man can break it. That's it.

  • WTF ? (Score:0, Insightful)

    by Anonymous Coward on Thursday March 19, 2009 @05:52PM (#27262177)

    Either these guys are very good.

    or something is very wrong with the security features of these Apps

  • by von_rick ( 944421 ) on Thursday March 19, 2009 @05:53PM (#27262193) Homepage
    I'm pretty sure he knows more methods to compromise the OS through these browsers. Most likely he'll use those methods at next year's pwn2own. Same could be said about Charlie Miller.
  • Re:WTF ? (Score:4, Insightful)

    by CannonballHead ( 842625 ) on Thursday March 19, 2009 @05:59PM (#27262263)
    Or both.
  • Re:WTF ? (Score:3, Insightful)

    by JumpDrive ( 1437895 ) on Thursday March 19, 2009 @06:19PM (#27262499)
    I think that something is very wrong with the security features of these apps or the OS on which they were run.
    I'd like to see a browser stabilized so that more work can be done on the security. I always wonder, how can they make a secure browser if they are constantly adding features to it?
    What else do we need for a browser to do?
    I'm serious, what else do we really need a browser to do? Can we stop for awhile and work on making one more secure?
  • Re:WTF ? (Score:4, Insightful)

    by doas777 ( 1138627 ) on Thursday March 19, 2009 @06:22PM (#27262519)
    It seems to me to be an indication that we are pushing new functionality before the basis upon which it functions is mature enough to be safely reviewed. The complexity of a given computing environment is increasing at an approximately exponential rate, so there is more and more that need be tested and vetted every day.
    There are just some things that we need to accept aren't safe yet. As much as I like active web pages like this one, the problems with CGI and javascript persist even today, despite a decade+ of review and testing. I find online banking and driver's license registration very convenient, but at the same time, I firmly believe that there is no way to be safe when performing fiscal transactions online. Don't get me wrong, I use these services, but I wish the chaotic computing environment would slow down a bit so we can catch up with the security problems of last year, before facing next year's.
  • Or, ... (Score:4, Insightful)

    by reiisi ( 1211052 ) on Thursday March 19, 2009 @06:32PM (#27262621) Homepage

    Once or twice meant something, but now it's an institution.

    Meaning that somebody is going to try to make a career of breaking the easiest part of the system at this contest.

    Meaning that these guys are going to sit on their exploits.

    Meaning that this contest, running at a set time once a year, is now meaningless.

    Except for advertising potential. You know, keeping your product name in the headlines.

    The respective companies should offer a running bounty on exploits on their browsers. Yeah, that would spoil all the pageantry of Pwn20wn, but do we really need another pageant?

  • Re:Hmmm.... (Score:3, Insightful)

    by rts008 ( 812749 ) on Thursday March 19, 2009 @06:51PM (#27262847) Journal

    Does that mean these exploits are actually usable to do something malicious,...

    Yes.

    The code executed by the contestant may not be malicious, it is only meant to showcase the exploit being used. If I were a contestant, I would not run malicious code on the laptop I was hoping to take home with me! Maybe download a Kubuntu .iso and Wubi.exe, and execute Wubi.....

    Used in the wild, the exploit would almost certainly be used to execute malicious code, I'd think.

  • Re:Hmmm.... (Score:3, Insightful)

    by MadnessASAP ( 1052274 ) <madnessasap@gmail.com> on Thursday March 19, 2009 @07:12PM (#27263049)

    It's also very unclear what constitutes "pwned". Even reading the rules, "code execution in the context of the application" or something... Does that mean these exploits are actually usable to do something malicious, or do they just, say, crash the browser?

    Seems pretty cut and dry to me, it means they were able to inject their own code into the process's memory and get it to execute. So no privilege escalation but you can now do whatever said application would theoretically have been able to do.

  • No details? (Score:3, Insightful)

    by rbanzai ( 596355 ) on Thursday March 19, 2009 @07:31PM (#27263205)

    I checked the article and there don't appear to be any details. A few of these hacking contests have been a bit overblown so I'd like to know what manner of exploit they used.

    If it's another "well you need physical access to the machine and know the admin username and password" then it's no big deal. If it's "we had the user click a link and all hell broke loose" that would be much more interesting.

  • Re:Hmmm.... (Score:3, Insightful)

    by RiotingPacifist ( 1228016 ) on Thursday March 19, 2009 @08:23PM (#27263635)

    That's why it's time for Android-style security on the desktop, firefox should ONLY be able to write to a downloads folder & its profile, OO should ONLY be able to read/write to disk, NO network access.

  • Re:No linux? (Score:3, Insightful)

    by RiotingPacifist ( 1228016 ) on Thursday March 19, 2009 @08:25PM (#27263653)

    firefox is firefox, it runs on linux, it can be exploited on linux. NOSCRIPT FTW

  • Re:No linux? (Score:2, Insightful)

    by ld a,b ( 1207022 ) on Thursday March 19, 2009 @08:51PM (#27263799) Journal
    The same hole can have different levels of exploitability in different OSes. FF for Windows cannot take advantage of ASLR because Windows XP didn't support it. In Linux it should be enabled by default by now. MacOS X has nothing at all yet.

    If all OSes would implement all of OpenBSD security features, even if not perfectly, the amount of exploitable bugs would decrease considerably. The bug is still there, but the black hat is met with a harsh environment totally unlike the green garden that are major OSes.
  • by Anonymous Coward on Thursday March 19, 2009 @10:19PM (#27264247)

    No, not burn, just leave him and all the others to their windoze spyware nightmare :)

  • Re:Or, ... (Score:4, Insightful)

    by Nazlfrag ( 1035012 ) on Friday March 20, 2009 @01:00AM (#27265145) Journal

    They change the rules and targets each year. Nobody will sit on an exploit all year because there's no way to know what to hang on to, or whether the hole will still be there in a month, let alone a year. It's used to promote the Zero Day Initiative [zerodayinitiative.com] which pays you directly for exploits, no fancy contest needed. The contest serves its purpose perfectly. It's never been a meaningful way to stop exploits anyway, just a promotional vehicle for the conference and the respective companies. Nobody's going to make a career out of this competition. If they were good enough to do that, they could make a comfortable living from the ZDI.

  • Re:Or, ... (Score:4, Insightful)

    by pyrrhonist ( 701154 ) on Friday March 20, 2009 @03:38AM (#27265693)

    Nobody will sit on an exploit all year because there's no way to know what to hang on to, or whether the hole will still be there in a month, let alone a year.

    That's exactly what happened [zdnet.com] this year:

    I actually found this bug before last year's Pwn2Own but, at the time, it was harder to exploit. I came to CanSecWest last year with two bugs but only one exploit. Last year, you could only win once so I saved the second bug. Turns out, it was still there this year so I wrote another exploit and used it this year.

  • Re:Or, ... (Score:5, Insightful)

    by Fred_A ( 10934 ) <fred@f r e d s h o m e . o rg> on Friday March 20, 2009 @04:27AM (#27265855) Homepage

    That's exactly what happened [zdnet.com] this year:

    I actually found this bug before last year's Pwn2Own but, at the time, it was harder to exploit. I came to CanSecWest last year with two bugs but only one exploit. Last year, you could only win once so I saved the second bug. Turns out, it was still there this year so I wrote another exploit and used it this year.

    So in a way what this event did is help keep a known vulnerability open for a year more than it should have been. Which means that there is a fair chance that in the meantime somebody else might have found and used it in the wild.

    Brilliant.
