Forgot your password?
typodupeerror
Security The Almighty Buck

Pwn2own 2014 Set To Hunt Unicorns 66

Posted by samzenpus
from the crack-it-if-you-can dept.
darthcamaro writes "The annual Pwn2own hacking competition has always made short work of all browser vendors' security, shredding perception of safety by hacking IE, Firefox, Safari and Chrome in minutes. This year the competition is adding a twist — for IE on Windows 8.1, hackers will also have to bypass Microsoft EMET, which is a seemingly bulletproof type of sandbox. The competition is calling this the 'Unicorn Exploit' and the first researcher to successful exploit it will pocket $150,000."
This discussion has been archived. No new comments can be posted.

Pwn2own 2014 Set To Hunt Unicorns

Comments Filter:
  • I hope whoever wins this one has a handle that's a character name from Legend...
  • "In minutes" (Score:5, Insightful)

    by thetagger (1057066) on Monday February 03, 2014 @11:34AM (#46140735)

    Sure, they hack browsers "in minutes" after months of studying and audits.

    • by Daniel Hoffmann (2902427) on Monday February 03, 2014 @11:43AM (#46140817)

      But don't they just type the hack really fast at a moments notice just like in the movies? Hollywood you lied to me!

      • by Anonymous Coward

        ...housewives don't generally pay for plumbing or electrical work in sexual favors, either...

        • by boristdog (133725)

          ...housewives don't generally pay for plumbing or electrical work in sexual favors, either...

          So I'm wasting my time with my cable repairman correspondence course?

        • Probably because I've never met a plumber who looked anything like a porn star...

      • No they just insert a floppy disk and the computer autoruns their exploit for them.

      • by citizenr (871508)

        But don't they just type the hack really fast at a moments notice just like in the movies?

        This requires two people typing really fast on the same keyboard simultanously

    • Re:"In minutes" (Score:5, Insightful)

      by Anubis IV (1279820) on Monday February 03, 2014 @11:44AM (#46140827)

      Exactly. What all of these headlines neglect to mention is that these folks have created automated suites that oftentimes make use of zero-day or recent exploits. It's not as if they sit down and start putting something together once they get there. Rather, they carefully crated these tools in advance in order to allow them to make the headlines by hacking things in mere minutes or even seconds.

      • by the_B0fh (208483)

        Does anyone seriously expect someone to just walk up to a machine, and search for a new vulnerability and hack it in 30 minutes?

        • Have you talked to any of the types of folks that are regular watchers of CSI and its ilk? For most of them, computers are still magic boxes. A mother I was talking with yesterday was asking me if they still made computers with floppy drives, since she still uses them on a regular basis, and she was shocked to learn that not only have all of the major manufacturers stopped putting them in, but that the industry is even starting to move away from CD/DVD drives at this point towards download-only distribution

          • A mother I was talking with yesterday . . .

            I know; mothers are the worst. Completely technologically illiterate. Did you know that the average mother still uses her uterus to produce a child?

            • To be clear, I wasn't generalizing about mothers. I was generalizing about the sort of folks who watch shows like that. The two sets may intersect for a large portion of their members, but they are by no means identical. I'm friends with a mother who has a doctorate, has flown in space four times, is one of the leading experts on certain types of robotics, does occasional stints as a university professor, and could run circles around me when it comes to anything technological. On the other end of the spectr

              • by wesk (2662405)
                What's the basis for your generalization of those who watch CSI "and its ilk"? I used to watch one of those shows, and while I realize that the technical abilities portrayed might not be realistic or even possible, I enjoyed the show for other reasons.
                • I actually enjoyed CSI for the first few seasons as well, but I think we all have a mental picture of the sorts of people I'm talking about when I make a comment along those lines. That is, people who think that technology is much more capable than it actually is, that scientists and the like catch all of the finest details every single time, and that even the slightest thing out of place is sufficient for dismissing the entire idea. I've heard that prosecutors have been having a really hard time since CSI

            • by operagost (62405)
              They could at least use 9 uteruses to get it done in 1 month!
  • From GHacks.net "It is by no means a catch-all security application, but it mitigates many common attack types and forms on the system. " The review on their website had led me to believe that the best of hackers could still get through EMET security. It will still be exciting to see how quickly the victor can make it into the heavily defended IE.
  • I was curious about this "seemingly bulletproof" sandbox as described in the summary. But the opening paragraph on Microsoft's website [microsoft.com] explains:
    These security mitigation technologies do not guarantee that vulnerabilities cannot be exploited

    So much for the hyped-up summary...

  • by daboochmeister (914039) <daboochmeister&gmail,com> on Monday February 03, 2014 @01:45PM (#46142165)
    At the risk of introducing information into the discussion ... some of the other respondents have taken oblique cue shots off this info, but to get it out on the table ... EMET is a software package that enforces otherwise existing security protections on programs that may not have them in place. For example, DEP, ASLR, SEHOP (very Windows-specific mitigation), heapspray prevention, and in 4.1 they added certificate pinning, to detect mitm attacks. (looking up acronyms left as an exercise for the reader)

    The good news - these mitigations can be applied from outside the apps involved (as of 4.1, no more app recompiling or special-versions needed). The somewhat bad news - there are compatibility issues, and many apps are not compatible with the whole list of protections (see the MS KB article [microsoft.com] for more info). I also wonder if there are performance impacts from doing so, as opposed to compiling in the mitigations that can be compiled in - but don't quote me on that, I'm not sure

    More bad news - it won't work with certain app features, e.g. any code that accesses certain system services at too low a level, so for example DRM-using apps (so many videogames are off the table); and it only intended for desktop apps (so they "do not advise" you use it with system services or server apps).

    We tested the 3.0 version, focusing solely on the mitigations that could be imposed from outside the code even in that version - and found that many apps had issues with most, and some with all, of the mitigations (and, a killer for us, it wouldn't work with virtualized apps). Maybe that's improved, not claiming to know.

    All in all - it has value if you're deploying legacy apps over which you have no control to a broad array of desktops, and it doesn't break your apps. Frankly, I don't know why the emphasis on IE11 ... I think the only protection that wouldn't already be compiled in is the certificate pinning, but maybe that alone is enough - or it makes it doubly difficult to break out of IE11 if you have the compiled in e.g. ASLR as well as the imposed-sandbox ASLR ... not sure.

    To be clear ... it's NOT comparable to mandatory access control - it's more mitigation-specific than that. And also, by way of information, the open source operating systems often enforce the same kinds of mitigations on the apps that they support from their repositories (e.g., the Canonical Ubuntu team compiles every app in their repo with all possible mitigations -- see the Ubuntu security features page [ubuntu.com] for more info). That's one of the big advantages of open source - you don't have to try to impose really-meant-to-be-compiled-in security features from outside.
  • typically attracts people that already have a stable full of unicorns, especially if you're foolish enough to put a big bounty on it. Announcing you have "perfect security" just brings the embarrassment to your door that much faster.

    And try as you might, even actual "perfect security" on your part will usually fail miserably at someone else's hands. Look at Safai, and how often flash or java (or the user themselves) is used to compromise it. (approaching 100%?)

  • 215 of The Patriot Act, The NSA, The CIA, The FBI, DHS and the following individuals who shall remain nameless. Without whose contributions, there would be no "ethical" paid hacking as a career, endless amounts of American civil liberties, no war on ter-r. Think any agencies will be doing some recruiting there?
  • it's clear that the amount offered is very little compared to what you could get by selling the info. if you can get a browser hack that can highjack the OS then it's worth a shitload more than the pennies they are offering. they need to start offering real cash for these deep level hacks.

  • Here I thought this would be about talking to single ladies at couples clubs.

  • ... When you can just order it online? [thinkgeek.com]

UNIX was half a billion (500000000) seconds old on Tue Nov 5 00:53:20 1985 GMT (measuring since the time(2) epoch). -- Andy Tannenbaum

Working...