Pwn2Own – 2010

April 6, 2010

For all those of you who have been living under a rock or busy with the evils of the real world, it is time to wake up and see the perils of the Cyber-World. It is time to stop ignoring the e-thieves and read about the singular competition that attracts some of the best hackers in the industry.

This is one contest that not only shatters the myths people around the globe seem to have about their favorite browsers, but also brings the hackers into the limelight in a non-evil forum. At the end of the day, it is a win-win situation, where the vendors get to learn how they can secure their products better and the hackers go back home with some fame and money.
History

It all started back in 2007, when TippingPoint Zero Day Initiative (ZDI) started this annual contest to reward security researchers for responsibly disclosing the vulnerabilities they discover. Back in the day, the target was to hack into two out-of-the-box Apple MacBook Pro machines. The winner got to keep the pwned machine as his/her award.

Tip: Pwn is a leetspeak slang term derived from the verb "own", meaning to conquer or win.

Over the years, the contest has grown to see more participation, with more targets and much juicier awards. However, the basic intent remains the same. Browser vendors often make strong claims about their responsiveness to vulnerability reports and their ability to proactively prevent exploits. Security is becoming one of the most significant fronts in the new round of browser wars, but it is also arguably one of the hardest aspects of software to measure or quantify. This contest brings the brightest minds in the industry to test these tall claims.
2010 War of The Titans

This year, the contest was held at the CanSecWest Security Conference in Vancouver, BC, starting 24-Mar-10. The bounty was the hacked hardware and cash prizes totaling a whopping $200,000..!!

In the first phase of the competition, the contestants were required to exploit default browser installations without plugins such as Flash or Java, which are commonly used as vectors for attacks. The targets were Mozilla Firefox, Apple Safari, MS Internet Explorer and Google Chrome.

The increased presence and capabilities of smartphones have brought with them the same security issues and attention traditionally reserved for non-handheld platforms. The data stored on and communicated across these devices is increasing in value to attackers. This led the organizers to also include the Apple iPhone, RIM Blackberry Bold, Nokia Symbian E72 and HTC Nexus One Android in this year's competition.
Competition Results

Some interesting final results:
 

  • Safari was the first to fall, followed by Internet Explorer 8 on Windows 7
  • Charlie Miller competed successfully for the third year in a row, taking home the MacBook Pro via a Safari exploit which delivered a full command shell payload. He is the only person to take down a Mac in under a minute – three consecutive times..!!
  • Peter Vreugdenhil succeeded in leveraging two vulnerabilities in Internet Explorer 8 on Windows 7 64-bit to execute and reliably run arbitrary code, bypassing Microsoft's latest security defenses
  • Vincenzo Iozzo and Ralf Philipp Weinmann were able to grab key data from an iPhone. The researchers used a vulnerability in Safari that pulled the SMS database. Data included deleted messages, contacts, pictures, and iTunes music files. Even though the exploit crashed the iPhone's browser session, Weinmann said that he could have a completely successful attack with the browser running, with some additional effort

For the complete set of results, please visit:  http://dvlabs.tippingpoint.com/blog/2010/02/15/pwn2own-2010
 
 
So, who won?

Google's Chrome browser was the only one left standing – a victory that security researchers attribute to its innovative sandbox feature. Charlie Miller did mention that he did discover a vulnerability in Chrome. However, he was not able to exploit it due to its sandbox model.

 

Conclusion: What does all of this mean to the internet users?

So, does the average user need to be concerned about these findings? Well, to me this contest is not meant to alarm the end users. The intent is to make the vendors more diligent, and to make them realize that they need to keep security a top priority. There are plenty of hackers out there who are busy figuring out ways to break into the popular browsers. It may not be possible for any vendor to make their product rock-solid with no vulnerability at all, but the aim should be to make reliable, secure products – just to make the job of the hackers really difficult.
 

For the casual internet user, my advice would be to take contests like these as a learning experience, to understand why they should keep their OS patched and their internet browsers updated.
 

For my technically savvy friends out there, I would like to suggest that this would probably be a good time to switch over to Google's Chrome. However, let's not forget that there is no silver bullet to kill every possible security loophole, but as of today, Chrome does seem to be better than the rest. So, it would definitely be wiser to use it, along with the other security precautions.
 

Remember, security is all about Defence in Depth…!

Kunal got into the IT Security industry after completing the Cyberspace Security Course from Georgian College, Canada and has been associated with financial companies since. This has not only given him experience at a place where security is really crucial, but has also provided him with some valuable expertise in this field. He has over 5 years of experience and a number of certifications to his name, including Backtrack's OSCP, CompTIA's Security+, Cisco Router Security, ISO 27001 LA, etc.
