Safari, IE8, & Firefox Hacked in Pwn2Own Contest
Not only was Miller the first contestant to produce a successful browser exploit, but he was also the first contestant of the day. There were so many contestants that the folks managing the contest picked the contestant order randomly out of a hat. Within two minutes of the official start of the contest, Miller had completed his Safari exploit. For his zero-day exploit of Safari, Miller won $5,000, and he will also get to keep the MacBook that was the target of the attack.
"Both winners Charlie Miller (left) and Nils (right) receiving a round of applause from the crowd as Aaron Portnoy from TippingPoint (middle) wraps up day one of the judging."
(Credit: TippingPoint DVLabs)
There are still two days left to go with the Pwn2Own contest, and plenty of time for more browser exploits. Perhaps Google Chrome will fall next? With each day of the three-day contest, the range of permitted attack vectors expands. In other words, with each day of the contest, the hacking gets potentially "easier":
"Day 1: Default install no additional plugins. User goes to link.
Day 2: flash, java, .net, quicktime. User goes to link.
Day 3: popular apps such as acrobat reader ... User goes to link
What is owned? - code execution within context of application"
In addition to the browser exploit portion of the Pwn2Own contest, there is also a contest for hacking smartphones. The candidate phones are a BlackBerry, Android, iPhone, Nokia/Symbian, and a Windows Mobile device. As of yet, no one has completed a successful exploit of one of the phones, but one contestant, Julien Tinnes, showed a Java vulnerability that had "already been disclosed to the vendor," so it was not eligible for a prize. As with the browser competition, the smartphone hacking contest adds more hacking options each successive day of the contest. A phone is considered successfully exploited if the hacker can demonstrate "loss of information (user data)" or can "incur [a] financial cost."
"Day 1 (Raw functionality out of the box, users configured for service) post phone, post email
- Email (arrival only)
- wifi on if default
- bluetooth on if default
- Radio stack
- All of Day 1
- Email/SMS/MMS (reading only - no secondary actions)
- wifi on
- bluetooth on (not accept pairing by default. Paired with a headset. pairing process not visible)
- All of Day 1 and 2
- one level of user interaction with default applications
- bluetooth on (not accept pairing by default. Paired with a headset/other devices upon request. pairing process visible)"
In order to collect their prizes, the winners must sign a non-disclosure agreement stating that they will not publicly disclose their exploits. TippingPoint then provides the exploited data directly to the affected vendors, so that the vendors can presumably patch the bugs.