Thursday, March 19, 2009

Pwn2Own Trifecta: Safari/MacBook, IE8 and Firefox

CanSecWest is underway in Vancouver, British Columbia. A part of CanSec is the Pwn2Own contest. In order to be owned, the competitor must demonstrate both loss of information (user data) and that financial cost would be incurred.

As described by Sarah Blankinship, Microsoft Senior Security Strategist, she said that it is
"a contest that pits researchers against technologies to see whether technology or human wins. It’s also a contest that presents interesting challenges to Microsoft and a contest which you might think Microsoft opposes. Like many other issues in the security ecosystem – it’s not that simple. The contest exemplifies two basic tenets behind the TwC Security teams’ efforts. You can’t hide from the truth (wishing doesn’t make it so) and every issue is an opportunity to learn and improve."
Interestingly, it took seconds for a fully patched MacBook with the Safari browser to be hacked. As described by Ryan Naraine at Pwn2Own 2009: Safari/MacBook falls in seconds:
"Charlie Miller has done it again. For the second consecutive year, the security researcher hacked into a fully patched MacBook computer by exploiting a security vulnerability in Apple’s Safari browser.

“It took a couple of seconds. They clicked on the link and I took control of the machine,” Miller said moments after his accomplishment."
It took longer to perform a clean drive-by download attack against Internet Explorer in what was described as a “brilliant IE8 bug!”, that in the wake of the release of IE8 today at the Mix Conference today. Ryan Naraine's report can be found at Pwn2Own trifecta: Hacker exploits IE8, Firefox, Safari.

In accordance with the contest rules, Tipping Point will be the owners of the vulnerabilities and will not release the details until a patch is ready. Tipping Point will also work with security vendors on expediting patches.

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

No comments: