Security

First Pwn2Own 2009 Contest Winners Emerge

mellowdonkey writes "Last year's CanSecWest hacking contest winner, Charlie Miller, does it again this year in the 2009 Pwn2Own contest. Charlie was the first to compromise Safari this year to win a brand spankin new Macbook. Nils, the other winner, was able to use three separate zero day exploits to whack IE8, Firefox, and Safari as well. Full detail and pictures are available from the sponsor, TippingPoint, who acquired all of the exploits through their Zero Day Initiative program."

  • by Laser_iCE ( 1125271 ) on Thursday March 19, 2009 @06:36PM (#27262661)

    He also said that Mac was just as insecure as Windows and that Windows gets attacked mainly because of the number of people using it.

    I tried to find some sort of source for this, but instead found this:

    Windows 7 PC Outlasts Mac In Security Test [infopackets.com], at PWN2OWN.

  • by Slashdot Suxxors ( 1207082 ) * on Thursday March 19, 2009 @06:52PM (#27262861)
    Has nobody tried "hacking" the mobile devices? You'd think with all the BBs/iPhones/WM and Symbian devices out there, there would be a market for exploiting them.
  • Re:Hmmm.... (Score:3, Interesting)

    by rthille ( 8526 ) <web-slashdot@@@rangat...org> on Thursday March 19, 2009 @08:00PM (#27263457) Homepage Journal

    Yeah, but from what I read, the attack was via a PERL regex library used by the javascript engine. So it was in something Apple just used and not something they wrote from scratch. <sarcasm> I'm sure had Apple written the whole thing from scratch, there'd be no bugs...</sarcasm>

  • Re:No details? (Score:5, Interesting)

    by ld a,b ( 1207022 ) on Thursday March 19, 2009 @08:16PM (#27263591) Journal
    >"we had the user click a link and all hell broke loose"

    That is exactly what happened with Safari on MacOS, in seconds. I guess the others fell just as easily, but with a bit more crude exploits.

    We don't get to know the details because vendors get to fix the hole before anything is published, which is long after all of us have forgotten about the contest.

    What really is misleading is that Windows 7 and MacOS are implied pwned when it appears that only the browsers were taken.

    With IE8 purportedly running in a "sandbox", breaking out of that was interesting by itself and hopefully a bit more difficult than just escalating privileges in MacOS.

    I miss Linux too. A hole in firefox means being just one local exploit away from pwning your box.
  • by BestNicksRTaken ( 582194 ) on Friday March 20, 2009 @05:36AM (#27266075)

    The speed factor seems pointless in this exercise - if they didn't write the exploits there and then at the conference, it effectively boils down to who can stick his thumbdrive in the slot and double-click the fastest!

    Why did it take longer to kill IE8/Firefox if the exploits were already written and just needed to be run by clicking a URL?

    Make the fsckers write their own exploits, and make them do it at the show. THAT would be worth 10k.

  • What details...? (Score:4, Interesting)

    by argent ( 18001 ) <peter@slashdot.2 ... m ['.ta' in gap]> on Friday March 20, 2009 @07:08AM (#27266405) Homepage Journal

    >Full detail and pictures are available from the sponsor, TippingPoint, who acquired all of the exploits through their Zero Day Initiative program.

    I see no details here.

  • Re:Hmmm.... (Score:2, Interesting)

    by Simetrical ( 1047518 ) <Simetrical+sd@gmail.com> on Friday March 20, 2009 @03:41PM (#27272731) Homepage

    >That's why it's time for Android-style security on the desktop, Firefox should ONLY be able to write to a downloads folder & its profile

    So what if the user uses "Save Page As..."? You'd have to have an infrastructure that allows spawning a file picker as a separate app with its own permissions. What if the user customizes the directory for storing the web cache? What if Firefox creates an executable in a prohibited location and then runs it? Etc. Firefox is an awfully big application; it would be hard to pin it down with hard-and-fast rules on what directories it can access.

    >OO should ONLY be able to read/write to disk, NO network access.

    That's a real impediment. Just write out your malicious script to the user's home directory somewhere, and append some lines to ~/.bashrc or whatever startup files you like.

    What's really needed isn't so much restricting what files the program can access, but how it can access them. Bitfrost [wikipedia.org] has a very interesting approach. I haven't looked at Android, but I'd assume it's similar in some ways. You need a fair amount of infrastructure for this to work, though.

  • by SirSlud ( 67381 ) on Wednesday March 25, 2009 @10:10PM (#27337811) Homepage

    Who the hell cares about Windows, Macs, Linux?

    Put these folks on voting machines - it's way more important to protect the sanctity of democracy than to point out exploitable browsers.

    I get the economics of it, but this is what insurance is for. Software companies care about security, but at some point this becomes more about mental masturbation - cracking will always occur. Why not create some incentive to put the desire to crack on important systems rather than worry about Joe Schmoe's machine getting compromised?
