Posted by The Blogging Desk on Tue, Mar 22, 2011
- by Chad, "Dream", Weaver
This month was one of my favorite events in the internet security field, the annual Pwn2own contest. This is where the companies that produce all the different operating systems and web browsers from old standards like Apple and Microsoft, to the phone OS makers including RIM and Google, put up money to see if their respective systems get compromised. This organized event also gives the complete details of the exploits to the vendor providing them information on how it was completed and time to patch the holes before the details of the exploit are released to the general public. This like always was filled with successful attacks and some interesting ones too. I just want to recap the results now that the event is over and some of the implications and general thoughts that come out of an event like this.
This is the 5th year for this contest all the big players had different systems lined up to see if anyone could compromise them, prize money is awarded to the person or team that can complete a successful exploit and they get to keep the device, hence the name of the contest. The very first one to fall was Apple’s Safari, running on a fully patched MacBook Pro, it was 5 seconds after having a user directed to a specially crafted link that the exploit was able to escape the sandbox mode. This has some important implications and should stand as a reminder that because you own a Mac you are no safer than a Windows user, just because there are few viruses and bad programs now does not mean that they can’t be created. The false sense of security that owning a Mac provides a user needs to be addressed in the near future, as they grow in popularity so too will exploits such as this, and unlike MS which has been under fire for years forcing them to create and maintain a patch schedule to address these exploits, Apple does not have the same system.
Don’t think that MS made it out unscathed either, though. IE 8 also fell after the winner used 3 separate exploits. Two to execute code with in the browser, but the most interesting part was the third helped escape Internet Explorers protected sandbox mode. This was unexpected as there is only one publicly known way to do this, and Microsoft is very interested in the details. This was running on Windows 7 64 bit which also increased the difficulty.
The other two big browsers escaped unscathed, Chrome and Firefox with Google offering even more money to anyone that could compromise its browser. This doesn’t mean that they are any safer just that no one attempted to attack these browsers; some contestants opted to try other systems or pulling out before the contest for various reasons. This is the 3rd year that Chrome has left the contest without anyone successfully compromising it.
Lastly was the mobile OS part of the contest. The iPhone and RIM’s blackberry both fell in the contest, surprisingly Android was not compromised in the contest. It would have fallen, as a successful exploit was pulled just before the contest because the creator thought that it would violate the rules of the contest and reported it to Google instead. Google did rule that it would not have violated the rules and would have won but patched it before the contest, he did win the “1337” that Google awards the community for alerting them to security holes, although not as good as the 15k he would have won if he had entered the contest with the exploit. Important other items to note, that the iPhone that was hacked was not running IOS 4.3. Also as a result of the exploit found on the Blackberry Torch, RIM is recommending that users disable JavaScript for the near future until a patch can be crafted to address the security hole. If you have questions about your the security for your own business, don't hesitate to contact Trigon!
