Monday, March 22, 2010

'Tis The Season For Pwn2Own!


This is the time of year when, historically, anti-Apple security FUD is at its highest pitch. The great event begins March 24th. Our dubious hacking heroes Dr. Charlie Miller and Nils will be participating.
Pwn2Own 2010
MON 15 FEB 2010 16:41PM

The TippingPoint Zero Day Initiative (ZDI) is proud to announce that the annual Pwn2Own contest is back again this year at the CanSecWest security conference held in Vancouver, BC on March 24th 2010. As the contest name implies, if you successfully exploit a target you get to keep it along with a ZDI cash prize and related benefits. This is our 4th year running and to commemorate we have increased the total cash prize amount to $100,000 USD. If you're unfamiliar with the past history of this competition check out the archived 2008 and 2009 blog entries.
When the contest starts, you can follow the results at TippingPoint's blog HERE. The favorite to lose this year is Microsoft Internet Explorer, either or both versions 7 and 8. Here is the schedule posted by ZDNet:
Day 1:
Microsoft Internet Explorer 8 on Windows 7
Mozilla Firefox 3 on Windows 7
Google Chrome 4 on Windows 7
Apple Safari 4 on Mac OS X Snow Leopard

Day 2:
Microsoft Internet Explorer 7 on Windows Vista
Mozilla Firefox 3 on Windows Vista
Google Chrome 4 on Windows Vista
Apple Safari 4 on Mac OS X Snow Leopard

Day 3:
Microsoft Internet Explorer 7 on Windows XP
Mozilla Firefox 3 on Windows XP
Google Chrome 4 on Windows XP
Apple Safari 4 on Mac OS X Snow Leopard
ZDNet also reports that a number of mobile devices are part of a second set of hacking contests:
Apple iPhone 3GS
RIM Blackberry Bold 9700
A Nokia device running Symbian S60 (likely the E62)
A Motorola phone running Android (likely the Droid)
Apple, apparently in preparation for Pwn2Own, released Safari v4.0.5 on March 10, 2010. It patched 16 security vulnerabilities. You can read about it HERE and HERE. Six patches were specifically for the Windows version of Safari. The other ten patches affected both Mac and Windows versions of Safari. Nine of the patches were specifically for WebKit, which is an Open Source project used in a number of web browsers, including Safari, OmniWeb, Chrome, Shiira, Midori, S60, Android and the Palm Pre web browser. Four of the patches patched the ImageIO used in the version for Windows. Does this cover the gamut of security vulnerabilities in Safari? The hackers at Pwn2Own consistently have surprises up their sleeves.

You can read the details of this year's Pwn2Own contest HERE.

The general concept of the contest is to gather contestants and provide them with a hacking events schedule well ahead of time. The contestants typically come to the contest prepared with a specific hack or set of hacks they will use on the target computers via interaction with the accompanying web browser. This year the contest is somewhat different in that each successive day will include the hacking of older versions of Internet Explorer with older versions of Windows. But the general contest provides three days of hacking using three pairings of web browsers and operating systems. Day 1 does not allow any access to applications on the target computer. Day 2 allows what I call 'LUSER sabotage' access to the target computers via default installed applications for each operating system. Day 3 provides popular third party applications on each computer that can be used as part of 'LUSER sabotage' hacking.

In years past the FUD mongering contingent have danced around like village idiots pointing out how quickly Macs have been hacked on Day 2. In reality, the speed of any hack is nearly irrelevant. This is due to the weeks of preparation provided to all contestants, who presumably have already proven their zero day hacks before the contest has begun. What is relevant is the existence of the hack and how much 'LUSER sabotage' is required to apply it.

This year two senior contestants, Dr. Charlie Miller and Nils, will be using Safari v4.0.5 to hack into Mac OS X 10.6.2 Snow Leopard. Vincenzo Iozzo and Ralf Philipp Weinmann, as well as an 'anonymous' human, will be hacking into the iPhone.

One concern I have this year is that Safari is not being used to hack into any version of Windows. Instead only IE 7 & 8, FireFox 3 and Chrome 4 are being tested. Presumably the choices of Windows browsers were made according to market share as well as hacker interest. I'm also a bit annoyed that no Windows Mobile phones were included in the contests. Microsoft have announced the dumping of their current mobile OS for an entirely new mobile OS. But there is no reliable time line for this change, making the hackability of current Windows Mobile devices entirely relevant.

Hack and Enjoy!

No comments:

Post a Comment