Next Pwn2Own Contest Targets IE8, Firefox, iPhone

Windows Secrets writes "After two straight years of taking dead aim at Macbooks and Windows-powered machines, hackers at this year's CanSecWest conference will have shiny new targets: Web browsers and mobile phones. According to CanSecWest organisers, there will be two separate Pwn2Own competitions this year — one pitting hackers against IE8, Firefox 3 and Safari and another targeting Google Android, Apple iPhone, Nokia Symbian and Windows Mobile."

Unbalanced?

[AKAImBatman]

Am I the only one who wonders if the design of this contest doesn't create an unbalanced playing field? It's often struck me that if the computers are "Pwn2Own", then the participants are going to focus more heavily on "pwning" the system they want to take home with them. e.g. Given a choice between a Vaio running Windows and a MacBook Pro running OS X, I know I would rather have the MacBook Pro. Thus I'm not going to try as hard to crack the Windows system because the system I REALLY want is the Mac.

Maybe it's just me. Maybe there are an equal number of equally talented individuals who's only disagreement is the preference of their machine. But somehow I don't think it's that easy.

Re:Unbalanced?

[quickOnTheUptake]

yeah and who the hell wants to be given a copy of IE8 as first prize?

Re:

[drquoz]

For the browser competition, you get the computer it's running on. Or at least that's what I gather; the article accidentally a whole verb. FTA: "CanSecWest organizers plan to Sony VAIO P running Windows 7 as the platform for the contest. The successful hacker gets to keep the machine."

Re:

[MadMidnightBomber]

second prize: two copies of IE8.

Re:

[MadMidnightBomber]

I can't believe that got modded Funny - that joke is probably older than the transistor.

Re:Unbalanced?

[nicolas.kassis]

You probably have some security patches that need to be installed on your mac cause you obviously seem to not think that those are of any use.

Re:Unbalanced?

[Jurily]

Apple has a history of virtually 100% secure operating systems, especially OS X that is going on almost a decade without a single virus or worm.

FTFA:

In 2007, New York-based security researcher Dino Dai Zovi teamed up with Shane Macaulay to hijack a MacBook Pro via a flaw in Apple's QuickTime software. A year later, hacker Charlie Miller needed just two minutes to exploit a Safari bug to win that contest.

Re:Unbalanced?

[v1]

fwiw, all the successful attacks I've seen were due to privilege escalation for a local user. The key difference most people are talking about is being secure over a network, from a remote attacker. Viruses don't really even count here, just worms. It's a lot more important to be secure from the 35 million people out on the internet than from the 2 that have an account on your computer.

Windows has been shown to fail miserably, repeatedly, and in epic ways in this respect. OS X has yet to be owned remotely. Correct me if I'm wrong here, I'd like to heat about it.

Re:

[Anonymous Coward]

how about both the examples in the parent post? One is where you load a malicious webpage when you have quicktime installed (almost everyone) and the other is loading a malicious webpage in safari without needing any extra stuff installed.

Re:

[Serious Callers Only]

OS X has yet to be owned remotely. Correct me if I'm wrong here, I'd like to heat about it.

You are wrong.

The original jailbreaking of the iPhone was based on a tiff handling vulnerability in the Safari browser - this could be exploited remotely until the hole was fixed, simply by visiting a website.

http://www.iphone-hacks.com/2007/10/10/iphone-111-jailbroken-again-using-tiff-exploit/ [iphone-hacks.com]

I would be surprised if there are not more holes in the Safari browser which ships with the iPhone (and its desktop equivalent), indeed I've read about a few more since (can't be bothered to look them all up just now)

Re:

[v1]

Now OS X has been less vulnerable to worms spreading automatically compared to Window

Please provide one example of a worm that spreads automatically on OS X.

Saying "less vulnerable" makes it sound like windows and os x even have some remote similarity. "hundreds of examples" vs "no examples" hardly qualifies you to say "less vulnerable".

Hearing someone say my right shoe is merely "less likely to spontaneously explode" than an unexploded munition from WW2. leads an uninformed observer to question the safet

Re:

[SuperNothing307]

>

Hearing someone say my right shoe is merely "less likely to spontaneously explode" than an unexploded munition from WW2. leads an uninformed observer to question the safety of my shoe. It's deceptive.

Yeah, because it's not deceptive to claim that an operating system has no exploitable flaws without source code, let alone a formal proof, that that is so...I think "less vulnerable" is an entirely accurate assessment. And I wouldn't take those shoes on a plane with you...last guy who did that got thrown in jail for the rest of eternity.

Re:

[Serious Callers Only]

Please provide one example of a worm that spreads automatically on OS X.

OK. Because of people like you, anti-virus vendors have created a worm for OS X (I believe there are other examples):

http://www.symantec.com/security_response/writeup.jsp?docid=2006-021715-3051-99 [symantec.com]

It's not a commercial worm, but this sort of worm is possible on OS X, just more difficult. You talk as if this sort of exploit is impossible somehow on OS X, it is not.

Quite apart from that, you were wrong to say it has not been owned remotely - it has on multiple occasions had remote exploits via the browser. The

Re:

[v1]

Thank you for the link - I had a suspicion there were one or two proof of concept viruses for the mac, and now I can see one.

But I do have to argue your point about browser exploits. Here you are requiring the user's active assistance, and are only spreading "one step" per user assist.

For practical purposes, they behave almost identical to trojan horse applications, or possibly email-payload viruses. I suppose browser exploits sit in the middleground between trojans and viruses. Not as automatic, but cer

Re:

[ohcrapitssteve]

Okay, both of those flaws you cite require user interaction. That doesn't constitute a "virus" or a "worm." That's a vulnerability. A vulnerability, I might add, never amounted to anything in the wild, and was patched quickly by Apple. Not an apologist, flaws are flaws are flaws. But they aren't viruses. The distinction is important.

Re:

[aliquis]

Because no virus mean secure? Since when? But I guess I shouldn't bother answering.

Re:

[mdwh2]

Apple has a history of virtually 100% secure operating systems, especially OS X

Especially OS X? Leaving aside the debate of whether that's true, what other "virtually 100% secure" operating systems has Apple released? Your memory of their history seems to leave out "classic" MacOS, which had viruses, and didn't even support memory protection.

Re:

[XPeter]

We all know that Windows Mobile and IE8 will come out on top as they are far superior to the competition.

Re:Unbalanced?

[mjwx]

(Flamebait)It shouldn't matter though because OSX running on proprietary Apple hardware with its uber *nix under pinings is supah secure.(/Flamebait)

I know you're trying to be funny but, even the NT kernel is secure. Almost every single exploit will come in via applications, this is true for Mac, Linux/Unix and Windows.

Re:

[Anarchitect_in_oz]

As of Leopard you don't need to replace the U with *.

Re:

[jpmorgan]

But I thought OS X is inherently more secure, and the perceived security has nothing to do with it being a less tempting target than Windows.

Or at least, that's what everybody tells me...

Re:

[nicolas.kassis]

Where there a will there is a way. In this case the will must be stronger.

Re:Unbalanced?

[rsmith-mac]

The current security situation of the platform is not an XOR matter. It is inherently more secure thanks in large part to tested Unix/BSD bits and very few backwards compatibility hacks that later end up used as vulnerabilities, but at the same time there are vulnerabilities that have not been found because not nearly as many people poke at it as they do Windows. If as many people poked at Mac OS X as they did Windows I'm sure we'd see more vulnerabilities in the wild, but I have no reason to believe there would be as many as we see with Windows.

As for the contest at hand, I'd be shocked if they didn't break it. Browsers are a mess, and this goes for IE8, Firefox, and Safari. They'll most certainly get Safari to trigger a remote code execution situation, the bigger challenge will be finding a local privilege escalation flaw to combine that with to actually own the system.

Re:

[decipher_saint]

Actually I think this might be part of the plan. Right now one of the things that might make Windows less desireable is that it is a bit of a security risk and (apparently) not as hard to crack. So the big flashy prize is something that people want because it's supposedly more secure or otherwise better (or at least sells itself that way) and it's going to get a bit more attention. So maybe more people discover security issues for the desired prize during contests like this which vendors can ultimately fix

Re:Unbalanced?

[KibibyteBrain]

I still think from a game theory perspective, it is best to go after the platform you are best at pwning if you assume all the other participants are about as skilled as you are. This is because time is a factor, and so you are better off making sure you hack first and get something than trying hack the best prize if there is a better chance one of the other hackers is more experienced at it than you. A good chance of getting something bad is usually better than a bad chance of getting something good.

Re:

[Miseph]

Unless that something bad is gonorrhea.

Re:

[moderatorrater]

That should work, but (at least in past years) they have cash prizes that are worth far more than the machines they're going to get, so that should be mitigates. Also, they've got a small number of machines for a large number of people trying to penetrate them, so as soon as the more desirable machine is gone everyone should focus on the other machines as much as they focused on the most desirable one. Overall, it seems that the desirability of the machines shouldn't affect the outcome too much.

Re:

[Reece400]

On the other hand, I'd personally go for the PC as I know that there's probably 1/2 the competition, and much greater odds for me to win..

Re:

[Anonymous Coward]

You're working on the premise that these guys value MacBook Pro more than a Sony. I'm pretty sure that they easily afford a MacBook Pro. I'm sure that Motivation here is actually cracking the system rather than owning the laptop.

Re:

[Kugrian]

This is good no? Macs still don't get targeted enough in the wild for their weaknesses to be apparent. Windows gets raped. I'm on the 'windows is inherently less secure' side of the fence, but until the market share of OSes reaches a point where it's viable for black hats to attack both MS and Apple (and others ofc, but not relevant here), it's a hard point to prove.

2Own

[DanTheStone]

You could win own your very own copies of IE8, Firefox 3, and Safari!

Re:

[Anonymous Coward]

Yeah, I think I'll wait for this year's Pwning4Ponies instead.

Wonder if it requires the iPhone to be jailbroken

[Vandil X]

That would fall in line with their use of a 3rd party wireless card to hack the MacBook. (i.e. using the product in a way most people wouldn't be using it.)

Re:

[Anonymous Coward]

Last year they didn't accept my precondition that the root password be set to blank before attempting to hack it.

How much attention does this get?

[jpmorgan]

How much attention does this contest actually get? While there are lots of upstanding people who will participate, I would be surprised if there weren't quite a few talented individuals who will not be participating.

I mean, if you're a blackhat, an exploit for any of these targets is worth a lot more than a laptop or a mobile phone.

Re:How much attention does this get?

[Chabo]

The blackhats try to exploit the whole contest so that nobody can win. :)

Then they continue to use the holes they only they know about.

My experience....

[ebbomega]

Last year I DJ'd for the CanSecWest dinner party, and I was kinda amused to see that a lot of the people who were at the conference were ex-blackhats anyway. A good number of them had criminal records and were now raking in hella money working on the legit side (a shitload more than they made during their blackhat careers). I even met a couple of them at a 2600 meeting once.

Hackers are hackers, regardless of which side of the legal coin they fall on. The exploits used are known to anybody with the resources to find them. In fact, last year nobody took home the Linux box not because they couldn't find any exploits, but because there was so much more effort and time involved in breaking the linux systems that everybody just went for the OSX or Windows machines. Versions of this contest probably exist in the blackhat world, but are a lot less publicized because they don't have industry heavyweights like Cisco or Microsoft sponsoring it.

Re:

[spacerog]

Real hackers aren't in it for the money.
- SR

Spose so, but...

[ebbomega]

If a conglomorate offers you a six+ figure salary to do what you essentially do for fun, are you really going to say no?

Isn't the OS still important?

[pembo13]

Doesn't the underline operating system still assist with the overall security of a browser? ie. can't a more secure OS make escalation of a browser hack more difficult?

Re:

[ld a,b]

Of course.

In this case I believe IE8 has a lead in this contest as they all will be running on in Windows, but IE8 will probably get to run in sandbox mode.

My bets are:

1- Safari
2- IE8
3- Firefox

or:

1- Safari
2- Firefox
3- IE8

Re:

[Ironica]

Doesn't the underline operating system still assist with the overall security of a browser?

Only if it hasn't been upgraded to the italic operating system.

Obligatory XKCD

[Chabo]

http://xkcd.com/166/ [xkcd.com]

Re:

[perryizgr8]

man i love these obligatory references

Re:

[vosester]

http://xkcd.com/198/ [xkcd.com]

Opera?...

[sznupi]

According to Secunia it had the smallest number of volnurabilities, plus Opera Software somehow likes too boast about security...would be a good contendant and verification of their claims (and don't say that Opera has negligible share, IN YOUR MARKET, there are many where it's quite big (which accidentally are often the healthy ones not dominated by EI/with IE below 50% for some time)