Less than 48 hours ago, I was sitting on a plane watching the movie “Blackhat,” and crying a little on the inside every time another hacker cliché or security buzzword was used. I suppose I should give the writers some credit as they clearly made an attempt to learn something about the industry and apply it in the film. Overall though, it was just about as cringe-worthy as my wife (a PICU nurse) tells me she feels when watching ER or Grey’s Anatomy. Anyway, flash-forward to the last couple of days where we saw the real world of hacking at CanSecWest’s annual Pwn2Own contest. Granted, if you filmed this and tried to sell it to the masses (even with Chris Hemsworth), it would probably gross less revenue than “Zyzzyx Road“. All that aside, for those of us lucky enough to have chosen this industry, it’s been another groundbreaking year for InfoSec.
One exciting change for DVLabs and the Zero Day Initiative (ZDI) is Trend Micro’s strategic acquisition of TippingPoint. Though our parent company has changed, our process has stayed relatively the same. At Pwn2Own, DVLabs has the unique opportunity of sitting directly with some of the top ethical hackers in the world to learn the cutting-edge techniques demonstrated live at the contest. After working with the ZDI to confirm the bugs, we analyze the techniques and immediately start the filter development process. The upcoming Digital Vaccine package, available next Tuesday March 22nd, will contain filters for ALL of the network-exploitable vulnerabilities used in the competition.
Over the years, a few things have changed at this benchmark hacking contest. Vendors are now more aggressive with their mitigations prior to Pwn2Own, and ZDI has upped the ante required to achieve a successful attack. This has resulted in increases in both the number of vulnerabilities required for exploitation as well as the complexity of techniques used. The malicious hackers are also out there, constantly developing similar attack vectors and using them to exploit a wide range of victims. For Trend Micro TippingPoint customers, this means the virtual patch story is even more relevant than ever. The filters that will be released in next week’s DV package provide exclusive coverage not only for the vulnerabilities shown during the contest, but also for the security mitigation bypass techniques.
Pwn2Own featured five contestants this year, exploiting over 20 vulnerabilities in the most ubiquitous products in the world. The targets included Microsoft Edge, Google Chrome, Apple Safari and Adobe Flash with extra incentives for SYSTEM or ROOT level privileges. Mozilla’s Firefox browser was intentionally dropped from the competition due to its complete lack of a sandbox, a critical security feature which raises the bar for exploitation.
Although nearly one fourth of the total attempts failed this year, I’m happy to report that each of the targets were successfully owned, with the exception of a late addition “unicorn” category, the VMWare escape – though we did hear rumors that next year some of the contestants were planning on bringing an exploit. The 2016 contest featured a new point-based system, awarding incremental points for the number and complexity of bugs used to achieve code execution. The following table demonstrated the point values and the clear winner at the end of two packed days was the Tencent Security Team Sniper.
If you are a current TippingPoint customer and subscribe to automatic DV updates, you will see the filters come through in your next package update, searchable by the text “Pwn2Own” in the filter name field. Expanded details for the filters will be available once ZDI discloses the vulnerabilities, pending vendor patches. Until then, these filters are the sole method of defeating exploitation of some of the most impactful zero-days we’ve ever seen.
Congratulations to all of the contestants with a special shout out to the sole winner Tencent Security Team Sniper!