CanSecWest Pwn2Own – Off To An Amazing (ly Insecure) Start!
It’s the third annual Pwn2Own contest held at CanSecWest, and it’s already off to an amazingly insecure start! Sponsored by TippingPoint, the Pwn2Own contest is relatively simple, in concept. Hack a computer, win that computer … and some cash. The hacking starts at the internet browser(s) typically used on said computer, and all software is the latest up-to-date installs and patches. This year the two computers up for grabs were the Apple MacBook (running Safari and Firefox) and the Sony Vaio (running IE8, Firefox, and Chrome).
And right from day one, down the browsers fell!
First to topple the security was Charlie Miller, who you may remember from last year as the day 2 winner (there were no day 1 winners last year) of the Apple MacBook Air. This year he did it again, in day one! He absolutely nailed Safari on Mac OS X to a wall in just two minutes! Ouch! And so he got to take home his second Pwn2Own MacBook and a nice $5000 cash prize from the Zero Day Initiative.
Charlie Miller showing off his well-won MacBook.
Next to bat was Nils. Just Nils. Keeping up the mystery of his name must have given him some awful dark powers, for he was able to hack up the latest Microsoft Internet Explorer 8 even with its mighty DEP (Data Execution Prevention) and as ASLR (Address Space Layout Randomization). Winning Nils the Sony Vaio and $5000.
But that wasn’t enough for Nils. Oh no. He went on to further crack through Safari for another $5000. And then again he hacked Firefox for another $5000. Making Nils a winner of a total of 1 Sony Vaio and $15,000!
The infamous Nils proudly displaying his Sony Vaio.
It was a good day for Nils, but a bad day for internet security everywhere.
So while Charlie and Nils were this year’s CanSecWest Pwn2Own winners, that makes this year’s loser Apple’s Safari web browser. On day one it was hacked twice, using two separate vulnerabilities to exploit Safari. And all for a measly single laptop and five grand per hack. Where as to the black hats of the nefarious computer hacking world, such vulnerabilities can sell for much more than that.
It just goes to show, there’s no such thing as a safe computer. Apple’s Safari, Microsoft’s Internet Explorer 8, and Mozilla’s Firefox all went down.
And it also goes to show, that once again, Apple’s “security” is not so much a matter of actual security, but in their small market share making them less desirable to broad attacks. Because even with such a small incentive, Apple was hacked not just once like everyone else, but twice.
Web Mirror | CanSecWest Pwn2Own - Off To An Amazing (ly Insecure) Start!:
[...] It’s the third annual Pwn2Own contest held at CanSecWest , and it’s already off to an amazingly insecure start! Sponsored by TippingPoint, the Pwn2Own contest is relatively simple, in concept. Hack a computer, win that computer … and some cash. The hacking starts at the internet browser(s) typically used on said computer, and all software is the latest up-to-date installs and patches. This year the two computers up for grabs were the Apple MacBook (running Safari and Firefox) and the Sony V Visit link: CanSecWest Pwn2Own – Off To An Amazing (ly Insecure) Start! [...]
March 19, 2009, 10:16 amCaliforniaSuperLoto:
just out of curiosity, there was something for hacking the Chrome?
March 19, 2009, 10:33 amPosts about Apple Macbooks as of March 19, 2009:
[...] MO was the same, bring the target MacBook to its knees and pocket $10k (and the MacBook CanSecWest Pwn2Own – Off To An Amazing (ly Insecure) Start! – insanit.net 03/19/2009 It’s the third annual Pwn2Own contest held at CanSecWest , and it’s [...]
March 19, 2009, 10:47 amArah:
If anyone had hacked Chrome before the Sony Vaio was won, then they’d have won that laptop. But Nils nabbed the Vaio pretty early on by hitting IE8, so that incentive is missing now.
But even with the two laptops won, anyone who hacks a browser also wins $5000. So even with the laptop prizes gone, five grand is still there to win.
It was kind of unexpected that Chrome was the only browser not hacked in the first day. But then again it’s actually supposed to be rare to hack even one browser in the first day. That Safari was hacked twice, and IE8 and Firefox once each, made it a pretty oddly spectacular day 1.
Chrome likely was spared only because it’s such a new browser. We’ll have to see if anyone cracks it in day 2 or 3.
March 19, 2009, 11:16 amCaliforniaSuperLotto:
I suppose that also because is so new, there is not a lot of ways to know how to find a particular vulnerability. Without been an expert, I think they must be working on this, because Chrome is taking a lot of the browser share of the others.
March 20, 2009, 1:43 pmArah:
So far I haven’t seen any real evidence that Google’s Chrome is taking any noticeable amount of browser market share. You’re right in that it’s too new. A lot of people are trying it, but market-wise it’s still an incredibly small niche. Which, small segment combined with newness is likely why no one even tried to exploit it. (Heck, for the same reason I was amazed that two whole people even tried Safari on a MacBook.) No one even bothered trying to crack Chrome on days 2 or 3 either. No one touched it, at all, in the entire Pwn2Own competition this year. Google Chrome is too much of an unknown still. It’s just too new.
March 23, 2009, 11:39 amAladdinHotelLasVegas:
You know what version of IE they break? the new 8? or the older 7?
March 23, 2009, 11:52 amArah:
In every single place in this blog and in the comments it has always been specifically named IE8 or Internet Explorer 8.
So yeah, I dare think I know what version of IE they broke.
Wanna guess which version it was? :p
March 24, 2009, 10:39 am