The Pwn2Own trifecta: Safari, IE 8, and Firefox exploited on day 1
That didn't take long. One day into the Pwn2Own hacking competition at CanSecWest and already Apple, Microsoft, and Mozilla have been sent packing to their respective labs to work on security issues in their browsers. In a repeat performance, Charlie Miller pocketed a $5,000 cash prize and a fully-patched MacBook by splitting it wide open, gaining full control of the device after a user clicked on his malicious link. Another white-hatter by the name of Nils toppled Internet Explorer 8 running on a Windows 7 laptop -- again, the five grand and the compromised VAIO P laptop are now his to keep as compensation for turning over the malicious code. So much for "protection that no other browser can match," eh Mr. Ballmer? Nils then demonstrated a second Safari exploit before hacking Firefox later in the afternoon, netting him a cool $15k by the close of day one. Only Google's Chrome was left unscathed -- Opera isn't part of the contest. This year's contest will also offer a $10,000 prize for every vulnerability successfully exploited in Windows Mobile, Android, Symbian, and the iPhone and BlackBerry OSes. In other words: this contest, which runs through Friday, isn't over by any stretch.
[Via ZDNET]
In fairness it's also acknowledged that Safari has unrivaled security although in this case that means that everyone knows it's the worst one out there by miles.
It's also rude to constantly insult editors.
seriously, knock it off.
Sadd Rabia the Microsoft Evangelist, everybody let's give him a hand full of "-"
Really?
A couple of days ago he was talking about getting an iPhone, so he was a hero.
Now, not so much?
I agree with Saad: they were hacking IE 8 BETA, that's beta, not the gold version released today.
And to Thomas Ricker: I think you have problems with your logic: when Ballmer said "protection that no other browser can match", it doesn't mean zero vulnerabilities in IE, but he meant that IE is the most secure, even if it DOES HAVE vulnerabilities. And using biased phrases like "So much for "protection that no other browser can match," eh Mr. Ballmer?" just shows the low level of your "professionalism".
So is Google Chrome safe, or didn't they try to hack it?
Safe my friend. Safe.
OK forget it, I read it. He's yet to try to hack it...
That was day 1, Michael, so I'm sure it will get hacked in time :)
Somebody please hack the iphone.
Is it me or does anyone else think these competitions are a bad idea? It seems to me that they encourage security researchers to find flaws in products (not a bad thing) and then to sit on them until the next competition rolls around so that they can cash-in (a bad thing). How does this help us? According to CNet the Safari flaw was discovered last year (it does not give the specific date) and only now has it been reported to Apple for patching.
http://news.cnet.com/8301-1009_3-10199652-83.html
It's good because people would do this anyway, and this just gets them paid for what they do so they don't need to ruin the internets for fun.
The browser companies just buy the exploits and learn how to counteract them.
I think what you mean is that it is good that researchers get paid for their work but do you really think that an annual competition is the way to do it? I'd have thought that something like a $ per flaw system might be a better idea.
The exploits will be found by those who profit, it's up to Apple / MS to figure out a way how to compensate white hat hackers.
They could, for example, offer $5k for every bug found no matter when it was found and by who. That would probably encourage enough white hat hackers to find all the exploits, squeezing out the black hat hackers. Some black hats might actually turn white. Why don't they do it? I have no idea. Maybe because they don't really give a damn about security, unless the press makes a big stink.
@nikster
Right... Because:
1) 5K is a lot more than what black hats think they could potentially get out of hacking/cracking malicious intent
2) The said companies are eager to pony up the money, because they value the consumer's safety above profits margins, and satisfying their shareholders.
3) this approach is much cheaper than the current way they are doing things, i.e., patch exploits when they are critical/cause much bad PR, or are discovered internally
No offense, but I think it is unrealistic to expect companies to start doing this. Also, note that these exploits rely on the USER clicking on a malicious link, i.e., inadvertently executing the malicious code. This is the critical part imho. You can patch things/fix security holes all you want, but until the end user understands the intricacies of software security and raises better awareness on how to avoid these phishing attacks, a robust secure system is just an illusion.
safari/mac went down in seconds. http://blogs.zdnet.com/security/?p=2917
Just to note, in the context of this competition the time required to perform the hack is fairly immaterial since the code was already written and deployed in advance. What would be more interesting is to know how long it took to actually find the exploit and write code that would successfully take advantage of it.
Circle the wagons! Remember last year: if the Mac loses first, attack the premise of the competition.
Yeah, I read that blog just before coming here. Somehow I knew that the ZDNet title, "Pwn2Own 2009: Safari/MacBook falls in seconds" would NOT be reflected here.
Engadget's title: "It was a hard day, eventually everyone went down, no one much quicker than any other. Oh, and Steve Ballmer said something stupid."
Regardless of the premise of the contest, yada yada yada, two (or is it three?) years in a row Apple went down first and very quickly. That is what happened, so it would seem noteworthy to me.
@Kelmon
Excellent point!
The rules of the contest seem set up to encourage this type of behavior. Even gainfully employed white-hat researchers are unlikely to score a $5-15k bonus (plus a laptop) for finding an exploit. Disclosing the vulnerability to the vendor right away does nothing for their checking accounts. This contest seems like a great way for them to cash in on their work and encourages undesirable behavior by skilled researchers.
It is sad that the guy sat on a year-old 0-day because this contest was the only way he could legitimately get paid for his work. I wonder how long this flaw has been known and used by criminals to exploit Macs while this guy was sitting on it.
You guys crack me up - do you really think a vuln like this is worth a piddling $1-5K?! The amount of work involved to find such things makes $5K look like chicken feed and if it's found easily it can certainly be sold for more. These guys did this to get "known" and on the radar, perhaps because it was fun. Ask someone like Greg Hoglund, who has publicly stated he sells vulns for $100K, if he thinks these guys were ripped off. Sites like PacketStorm and Milw0rm used to have truly 0-day stuff being released, not so much anymore and it's not because they aren't still finding things.
As for vendors offering bounties - yeah right. The very LAST thing they want to encourage is people looking that closely at their code. Microsoft and Apple especially do not want to encourage anyone to point out that the emperor is frequently naked. Even if these were reported, companies like Adobe sit on bugs for ages before they do anything about them. Even Microsoft, who has begun to take this more seriously, isn't patching them all. Cripes, Microsoft was one of the ones that shut down the free flow of information on vulns with their programs that would only offer benefits to companies if they kept their mouths shut about what they found. This has turned into a business, and not to the public's benefit either. Contests like this simply allow the public a glimpse as to just how bad it is.
Very good point... If they (M$, Google, Apple, whoever's exploit it is) offered, say, a sum of $1k for the exploits any time of year, this wouldn't be a huge 15k bonus but would still encourage handing in right away, in case someone else handed it in before you and claimed your 1k.
Good idea. Perhaps they can promise more money depending on how critical the exploit is, and require an NDA in exchange for the cash.
That might work for the closed source world, but I somehow doubt that the open source world will care as much. "Submit a patch", as they say.
Or they could do a payment per exploit and then a grand prize for the most at the end of the year, so the hackers keep trying to up their total to win the grand prize, maybe have the grand prize be x times the number of the highest number of exploits, If 10 was the most exploits then the prize amount is multiplied by 10.
Go Chrome
Are all of these exploits worth it for animated ads? Can we just go back to pictures and links? I don't need to run ANYTHING. I'll even fill in my shipping address every time!
Let me guess, you're using an iPhone and hate Flash because, besides all the videos, games, cartoons, and interactive web applications, all Flash is used for is advertisements some of the time. Then when Apple finally announces Flash it will be like the second coming of Christ, and it shall be declared "The reason Apple is at the top is because they "get" what the consumer wants". Even though the consumer said Flash was evil. Yes, I do know Flash is really horrible at a lot of the stuff people are trying to make it do these days, but it's still an integral part of the internet. Also, just because it crashes your browser all the time doesn't necessarily mean it's all Flash's fault. I didn't blame it on Flash when the first beta of Chrome would crash because of Google's poor implementation of Flash.
Sent by an HTC Touch Pro with delicious delicious flash advertisements.
click here
I always wished I had the skillset to do this contest. It seriously makes me drool. I have always been ludicrously fast at the things I do, being competitive by nature, so I know if I only knew what I needed to know, the contest would be a lot of fun even without having to win anything.
I feel the same way, man. (assuming you are in fact a man).
I'm a computer science major, but I never really got a chance to learn things like this, that are not only incredibly interesting, but matter in the real world today.
I wish I knew how to do this stuff too. I think I'd be good at it as well.
Safari was hacked in seconds, but you had to pick Microsoft, uh?
Well, given that their CEO was trumpeting IE8 security this morning it seems reasonable to make a point, do you not agree?
I think it's good to expose all of them. Face it ... the browser, if one is to have a certain amount of "out of the box" functionality, is exploitable. This will probably sadden fanboys on all sides, especially corporation-loving applets, but it's just a fact of life.
Well, given that the browser and the OS were both in beta at the time of the competition it seems unreasonable to claim that the final releases will be identical to what was hacked, do you not agree?
I read another article that said all the browsers were hacked, which would have included Google Chrome. Anybody know if Chrome actually was included?
What they fail to mention is that to hack Safari he was given Administrator access to the system. It's like saying 'If you can steal my car you can keep it' and then providing them with the keys.
uhhhh. If that's the default install, that's what it is.
Day 1: Default install no additional plugins. User goes to link
Some people are missing that the Safari/Mac was hacked TWICE (different ways) on the same Day 1.
All operating system installations make the first user account an admin because they have to, but all of them have documentation recommending that a non-privileged account be created and used for normal use. Ideally, the installers should just ask for an admin password and then allow the user to create their own unprivileged account, but just because they don't (one good reason might be that the user may forget it by the time he or she needs to use it) is not an excuse for not following directions. If you just started running things off the default install like in this contest on any BSD, you'd be always running as root!
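The comment above recommends browsing from an unprivileged account rather than the default admin account. As an added example (not from the article or any commenter), the script below checks whether the account you are logged into holds admin rights and, on macOS, creates a standard account for day-to-day use. The group names used on the Linux fallback path (`sudo`, `wheel`) and the `sysadminctl` invocation are assumptions; the user name passed in is hypothetical.

```shell
#!/bin/sh
# Added example: is the current account an administrator, and how do you make a
# standard (non-admin) one on macOS? Not code from the article or its commenters.

# Pure helper: does NEEDLE appear in the space-separated group LIST?
# Returns 0 (yes) or 1 (no); keeps the membership logic testable offline.
group_in_list() {
    needle="$1"; list="$2"
    for g in $list; do
        [ "$g" = "$needle" ] && return 0
    done
    return 1
}

# Returns 0 if USER (default: the current user) is an administrator.
# macOS: membership in the "admin" group, asked via dseditgroup.
# Linux fallback (assumption): "sudo" or "wheel" membership is treated as admin.
is_admin_user() {
    user="${1:-$(id -un)}"
    if command -v dseditgroup >/dev/null 2>&1; then
        dseditgroup -o checkmember -m "$user" admin >/dev/null 2>&1
        return $?
    fi
    groups_of_user=$(id -Gn "$user" 2>/dev/null) || return 1
    group_in_list admin "$groups_of_user" \
        || group_in_list sudo "$groups_of_user" \
        || group_in_list wheel "$groups_of_user"
}

# macOS only: create a standard (non-admin) account for everyday browsing.
# Must be run from an admin account; sudo prompts for the admin password and
# "-password -" makes sysadminctl prompt for the new user's password
# (flag semantics are an assumption; check `man sysadminctl` on your release).
create_standard_user_macos() {
    name="$1"; fullname="$2"
    sudo sysadminctl -addUser "$name" -fullName "$fullname" -password -
}

# Usage: sh check_admin.sh --check
#        sh check_admin.sh --create browsing "Browsing Only"   (macOS)
case "${1:-}" in
    --check)
        if is_admin_user; then
            echo "$(id -un) is an administrator: browse from a standard account instead."
        else
            echo "$(id -un) is a standard user."
        fi ;;
    --create)
        create_standard_user_macos "$2" "$3" ;;
esac
```

The check is deliberately split from the privileged action: `is_admin_user` never needs sudo, so you can run it from any account to confirm which kind you are sitting in before following a link, and only the account-creation step asks for the admin password.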
Since Safari was hacked but Chrome not yet hacked, does that mean the vulnerability lies outside of the WebKit rendering engine?
Or does that mean the security lies outside of the Webkit rendering engine?
Cue the rabid Mac fanboys claiming that the Macbook "wasn't really hacked" or that "it doesn't count since you had to click a link" in 3...2...1...
It's just a light-hearted article on a light-hearted competition, you insufferable tools. Go outside or something...
Way to go Engadget, you conveniently left out the most important detail of that news tidbit, that Safari was the first one hacked, AGAIN, and exploited within a matter of seconds, just 8 of them in fact.
This is 2 years back-to-back now that OSX/Safari has fallen first and this time within a matter of seconds, and yet Apple continues to profess and perpetuate this errant belief that their systems/wares are the most secure.
Your synopsis failed to highlight this small fact, but we wouldn't want that to come in the way of sponsorships now would we...
um, I thought you couldn't install internet explorer 8 on windows 7..