“2010 Pwn2Own” is an annual contest wherein contestants are invited to hack a variety of Web applications and platforms such as Web browsers and mobile phones for cash prizes and benefits. Successful hackers include Dutch hacker Peter Vreugdenhil for Internet Explorer (IE) 8, German hacker “Nils” for Firefox, and Charlie Miller for Safari.
What About Security?
As the only researcher to boast of three consecutive wins in “Pwn2Own,” Miller comments on security (or the lack thereof) in an article in ComputerWorld. He refuses to hand over the vulnerabilities, instead he will demonstrate how he found them in hopes of encouraging software companies to improve their processes.
According to Trend Micro researcher Rajiv Motwani, “Windows/IE has been the target of hackers for years. Microsoft has thus adopted a multipronged approach to deal with vulnerabilities. It encourages responsible disclosure, follows a security development life cycle, organizes Microsoft BlueHat events, has the so-called Microsoft Active Protections Program (MAPP), and fixes vulnerabilities in a predictable manner so that life is a little easier for people who patch.”
This approach definitely helped raise the bar in terms of the complexity of vulnerabilities found. However, attackers still found ways to bypass new technologies like Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR).
But in the end, Microsoft is banking on its holistic approach to address vulnerabilities found on Microsoft products. “Microsoft hopes that because of its multipronged strategy, at least simpler vulnerabilities will be patched. Security is all about raising the bar, after all,” adds Motwani.
On Using Alternative Browsers
While other browsers have been somewhat “safe” because of the attention they get from customers, Motwani does not discount the fact that this notion is changing. “Their market shares are increasing and with that comes hacker attention,” he says.
Motwani predicts the increased adoption of mobile phones for new applications and tasks, which is a likely choice for hackers as well. In fact, a fully patched iPhone was also hacked in “2010 Pwn2Own.” He adds, “Updating one’s phone with the latest software updates is not hassle free. Data usage is increasing and connectivity is also no longer a big issue. There is going to be increased attention in this space.”
Steps Toward Security
Trend Micro encourages responsible disclosure—the decision to give vulnerability information to vendors. Motwani advises, “In the interest of end users, it is better if these bugs are responsibly disclosed and if patches are released as soon as possible so that no one else finds out about and exploits them. If these become public or are actively exploited then vendors will have to rush out patches, which is not necessarily a good thing, and customers (administrators) will have to plan for out-of-band patches.”
Read more on keeping systems safe by patching alternative browsers in “Keep Systems Safe: Patch Alternative Browsers.”
If there is anything we can learn from “Pwn2Own,” the matter at hand does not only go as far as questioning platform security. Rather, it should be acknowledged that software and OSs are prone to vulnerabilities. In fact, recent news even report a security researcher who managed to exploit .PDF files without a vulnerability. From a user’s standpoint, continue following security best practices and be aware of safety measures to protect systems.
Update as of April 1, 2010, 10:00 p.m. (GMT +8:00):
The Mozilla Foundation has announced that a patch for the Firefox flaw found at “Pwn2Own” has been released. According to the security advisory, the flaw has been fixed in the latest version (i.e., Version 3.6.3).
Update as of April 14, 2010, 11:32 a.m. (GMT +8:00):
Apple released a security update, which resolves the drive-by vulnerability used to hack a fully patched MacBook via Safari. More details can be found here.