Pwn2own 2014 Set To Hunt Unicorns
darthcamaro writes "The annual Pwn2own hacking competition has always made short work of all browser vendors' security, shredding perception of safety by hacking IE, Firefox, Safari and Chrome in minutes. This year the competition is adding a twist — for IE on Windows 8.1, hackers will also have to bypass Microsoft EMET, which is a seemingly bulletproof type of sandbox. The competition is calling this the 'Unicorn Exploit' and the first researcher to successfully exploit it will pocket $150,000."
Theme handles (Score:2)
More than meets the eye (Score:2)
Re: (Score:2)
"In minutes" (Score:5, Insightful)
Sure, they hack browsers "in minutes" after months of studying and audits.
Re:"In minutes" (Score:5, Funny)
But don't they just type the hack really fast at a moment's notice just like in the movies? Hollywood you lied to me!
In other shocking news... (Score:1)
...housewives don't generally pay for plumbing or electrical work in sexual favors, either...
Re: (Score:2)
...housewives don't generally pay for plumbing or electrical work in sexual favors, either...
So I'm wasting my time with my cable repairman correspondence course?
Re: (Score:2)
He fixes the cable?
Re: (Score:2)
Probably because I've never met a plumber who looked anything like a porn star...
Re: (Score:2)
No they just insert a floppy disk and the computer autoruns their exploit for them.
Re: (Score:2)
But don't they just type the hack really fast at a moment's notice just like in the movies?
This requires two people typing really fast on the same keyboard simultaneously
Re:"In minutes" (Score:5, Insightful)
Exactly. What all of these headlines neglect to mention is that these folks have created automated suites that oftentimes make use of zero-day or recent exploits. It's not as if they sit down and start putting something together once they get there. Rather, they carefully created these tools in advance in order to allow them to make the headlines by hacking things in mere minutes or even seconds.
Re: (Score:2)
Does anyone seriously expect someone to just walk up to a machine, and search for a new vulnerability and hack it in 30 minutes?
Re: (Score:2)
Have you talked to any of the types of folks that are regular watchers of CSI and its ilk? For most of them, computers are still magic boxes. A mother I was talking with yesterday was asking me if they still made computers with floppy drives, since she still uses them on a regular basis, and she was shocked to learn that not only have all of the major manufacturers stopped putting them in, but that the industry is even starting to move away from CD/DVD drives at this point towards download-only distribution
Re: (Score:2)
A mother I was talking with yesterday . . .
I know; mothers are the worst. Completely technologically illiterate. Did you know that the average mother still uses her uterus to produce a child?
Re: (Score:2)
To be clear, I wasn't generalizing about mothers. I was generalizing about the sort of folks who watch shows like that. The two sets may intersect for a large portion of their members, but they are by no means identical. I'm friends with a mother who has a doctorate, has flown in space four times, is one of the leading experts on certain types of robotics, does occasional stints as a university professor, and could run circles around me when it comes to anything technological. On the other end of the spectr
Re: (Score:1)
Re: (Score:2)
I actually enjoyed CSI for the first few seasons as well, but I think we all have a mental picture of the sorts of people I'm talking about when I make a comment along those lines. That is, people who think that technology is much more capable than it actually is, that scientists and the like catch all of the finest details every single time, and that even the slightest thing out of place is sufficient for dismissing the entire idea. I've heard that prosecutors have been having a really hard time since CSI
Re: (Score:1)
Enhanced Mitigation Experience Toolkit (Score:1)
Re: (Score:1)
It's a little more challenging to get into the NSA's holes than your mom's.
Re: (Score:2)
Not to mention your mom will not be monitoring for break-ins on quite the same level as the NSA.
Snowden already did (Score:3, Interesting)
Re: (Score:3, Funny)
Re: (Score:2)
Any data classified as Secret or higher is stored on computers that are physically separate from the public internet. So before anyone could hack into the NSA or a similar agency, they would have to bypass physical security involving many men with guns.
Re: (Score:2)
Why would hackers care about Windows 8.1? What is the market share now?
I'd guess well over 90% of newly manufactured desktop and laptop PCs not made by Apple and sold to homes and small-business users in the first world.
Re: (Score:1)
If true, that's the percentage of a vanishingly small sector of the total internet connected devices. You've basically said "well over 90% of 0.7% of the market" which proves the OP's point entirely.
Re: (Score:2)
Re: (Score:3)
well, the 150 000 is to make them care.
Re: (Score:2)
For now maybe.
For now Windows 8.1 is such a small part of the installed base that the botnet controllers are probably unwilling to pay much more than that for exploits to make it more accessible. Eventually that will change and the value may become much higher, but if you're an amoral hacker trying to wait until then to cash in you run the risk that some other hacker will discover the exploit and cash in with Microsoft, which renders your work valueless.
But come on, how many man-hours do you suppose are go
Re: (Score:2)
Presumably only one person wins. If it's a task that the average security researcher could accomplish ($150k is not a very high wage), then you have to estimate how many *other* people will enter. You also have to estimate that all 'average' security researchers will be equally successful.
That means you spend $150k and you are 1 of let's say 1,000 entrants and your average payout is $150 for a year's work. About 2 hours of your hourly rate. Even if you were only one of 100 contestants then your pa
Re: (Score:2)
Yes, but do you suppose an "average security researcher" would bother to enter one of these things unless just for the sport of it? I suspect these competitions appeal more to the fringe types who aren't content to work as a cog within the machine - refusing to be a well-oiled cog does tend to take its toll on earning potential.
"seemingly bulletproof" ? (Score:2)
I was curious about this "seemingly bulletproof" sandbox as described in the summary. But the opening paragraph on Microsoft's website [microsoft.com] explains:
These security mitigation technologies do not guarantee that vulnerabilities cannot be exploited
So much for the hyped-up summary...
Re: (Score:2)
Of course they don't guarantee, as that would be an issue if it were exploited.
What EMET is - and isn't (Score:5, Informative)
The good news - these mitigations can be applied from outside the apps involved (as of 4.1, no more app recompiling or special-versions needed). The somewhat bad news - there are compatibility issues, and many apps are not compatible with the whole list of protections (see the MS KB article [microsoft.com] for more info). I also wonder if there are performance impacts from doing so, as opposed to compiling in the mitigations that can be compiled in - but don't quote me on that, I'm not sure
More bad news - it won't work with certain app features, e.g. any code that accesses certain system services at too low a level, so for example DRM-using apps (so many videogames are off the table); and it is only intended for desktop apps (so they "do not advise" you use it with system services or server apps).
We tested the 3.0 version, focusing solely on the mitigations that could be imposed from outside the code even in that version - and found that many apps had issues with most, and some with all, of the mitigations (and, a killer for us, it wouldn't work with virtualized apps). Maybe that's improved, not claiming to know.
All in all - it has value if you're deploying legacy apps over which you have no control to a broad array of desktops, and it doesn't break your apps. Frankly, I don't know why the emphasis on IE11
To be clear
"perfect security" (Score:2)
typically attracts people that already have a stable full of unicorns, especially if you're foolish enough to put a big bounty on it. Announcing you have "perfect security" just brings the embarrassment to your door that much faster.
And try as you might, even actual "perfect security" on your part will usually fail miserably at someone else's hands. Look at Safari, and how often Flash or Java (or the user themselves) is used to compromise it. (approaching 100%?)
We'd Like to Thank! Our Pwn2own Platinum Sponsors (Score:1)
not worth it (Score:2)
it's clear that the amount offered is very little compared to what you could get by selling the info. if you can get a browser hack that can highjack the OS then it's worth a shitload more than the pennies they are offering. they need to start offering real cash for these deep level hacks.
unicorn hunting? (Score:2)
Here I thought this would be about talking to single ladies at couples clubs.
Why Hunt Unicorns? (Score:2)