That is my topic today, Pwn2Own. Do you know what it is? I would say that most people don’t. Of course I will fill you in on the exact details. Pwn2Own is a computer hacking contest held at the annual CanSecWest security conference, which began in 2007. Contestants are challenged to exploit specific software (especially web browsers and web-related software).
Contestants receive the device or computer that was successfully exploited and a cash prize. For each successful exploit, the contest’s sponsor, TippingPoint, provides a report to the applicable vendor, detailing the vulnerability and how it was exploited. The details are not released to the public until the vendor has corrected the vulnerability.
This contest is a three-day event. This year the event takes place March 9th, 10th, and 11th. This year the first two browsers to be exploited were Microsoft’s IE8 and Apple’s Safari. Even though Apple updated Safari to 5.0.4, plugging 62 security holes in the process, it took French security firm Vupen just 5 seconds to exploit the browser and take home the $15,000 bounty from TippingPoint for doing so. I do believe that Apple definitely needs to make some changes to Safari; it clearly has a lot of vulnerabilities and is not very safe, to say the least.
This was the first time in four years that Charlie Miller, an analyst with Security Evaluators, wasn’t the first to be able to hack the Safari web browser. And what about Microsoft’s IE8 browser? Guess what? It didn’t fare much better. Microsoft chose not to update IE8 before the contest, and they paid for it. IE8 also fell at the hands of its first attacker, Stephen Fewer, founder of Harmony Security. He bypassed IE8’s Protected Mode, which is sort of a sandbox mode (another topic, another time), intended to isolate the browser from the OS in case a website installs malicious software. If there is one thing that I know, I’m sure glad that I don’t use either browser to surf the web. As for Mozilla Firefox and Google Chrome, it’s their turn later today. Now I want you to get out there and enjoy your day!