I have been following this contest and was wondering which OS would be first to fall (if any) seen as though they were all fully patched and the latest versions. For those that don’t know Pwn2Own is a contest at CanSecWest open to anyone to hack a Windows, Linux or Mac OSX box with a varying set of conditions.
Not one person entered the first day, perhaps they don’t want to divulge those heavy exploits…or perhaps no one had any. The second day had a lot more entrants. It’ll be interesting to see what the 3rd day turns up when everything is open to attack.
A brand-new MacBook Air running a fully patched version of Leopard was the first to fall in a contest that pitted the security of machines running OS X, Vista and Linux. The exploit took less than two minutes to pull off.
Charlie Miller, who was the first security researcher to remotely exploit the iPhone, felled the Mac by tapping a security bug in Safari. The exploit involved getting an end user to click on a link, which opened up a port that he was then able to telnet into. Once connected, he was able to remotely run code of his choosing. The feat won him a $10,000 prize paid by Tipping Point, whose Zero Day Initiative pays bounties to researchers for responsibly disclosing vulnerabilities.
Interesting the exploit came in Safari, but gave full control. Still $10,000 is not bad for a days work (I’d imagine though he’s probably prepared the exploit earlier).
I was somehow expecting Mac to fall first.
At time of writing, the Windows and Linux machines were still standing.
Under contest rules, Miller was forbidden from providing specifics of his hack. He said he chose Apple over the other machines because “I thought of the three it was the easiest”. He said he didn’t test the exploit on any other platform. As a Mac user, he added, he felt an incentive to exploit the system because he believes it will help make the platform stronger.
Miller’s win came on day two of the contest, which gradually eases the rules for what constitutes as qualifying exploit. Not a single attendee entered the contest on day one, when all vulnerabilities had to reside in the machine’s operating system, drivers or network stack. Winners were eligible for a $20,000 prize.
On day two, the attack surface was expanded to include browsers, mail applications and other common applications, and the bounty was reduced to $10,000. Contestants on day three will be allowed to attack still more applications, such as Skype, QuickTime and browser plugins for a $5,000 prize.
I wonder if any of our readers are attending CanSecWest, any of you guys there? Having a go at the contest?
I think more things should be organized like this, at the end of it – it really does make all the OSes more secure. Saying that though just because no-one exploited it, doesn’t mean the vulnerability isn’t there and the bad boys aren’t already using it.
It’s been shown before, the underground is always ahead…and a vulnerability with exploit for a fully patched Windows machine is worth way more than $20,000!
Source: The Register