Pwn2Own 2011

Discussion in 'other security issues & news' started by MrBrian, Mar 9, 2011.

Thread Status:
Not open for further replies.
  1. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  2. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Same as before :D
    Wonder what the iSheeps will say.
     
  3. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
  4. Dogbiscuit

    Dogbiscuit Guest

    Yes, social engineering is required for any of these attacks revealed so far at Pwn2Own to execute successfully (i.e., "The victim visits a web page..."), unless, of course, the attacker were to compromise a legitimate website the victim visits in the same window of time as the attack (unlikely).

    Assuming the social engineering trick lures the victim to the malware-serving website, running the email client or browser in a VM, for example, should contain this type of malware (until flushed out), unless it exploits a critical vulnerability in the VM software that allows it to escape from the guest OS and compromise the host (again, unlikely for most of us currently).
     
  5. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    I can't even get to the site right now. Must be fun refreshing that blog for new results, lol.
     
  6. Dogbiscuit

    Dogbiscuit Guest

  7. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Uh oh... somebody missed this one - http://www.zdnet.com/blog/security/pwn2own-2011-ie8-on-windows-7-hijacked-with-3-vulnerabilities/8367

     
  8. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,980
    Location:
    U.S.A.
     
  9. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
  10. Dogbiscuit

    Dogbiscuit Guest

    Yikes!
     
  11. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    It would be interesting to know which way he bypassed Protected Mode. :D

    This is why I'd rather use Chromium with an explicit low integrity mode... or if you prefer - explicit Protected Mode.

    Even in the remote chance something could exploit Chromium, it would inherit the low integrity level, and that's because both chrome.exe parent and child processes have a low integrity level; no way out of it.
     
  12. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
  13. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,771
    Location:
    Outer space
    Bad journalism IMO, they're also saying Google Chrome might survive for the third year in a row, but no-one attacked it last year, and same for today as the guy didn't show up today.
     
  14. Someheresomethere

    Someheresomethere Registered Member

    Joined:
    Feb 17, 2011
    Posts:
    71
    There must be a reason why he didn't show up, he could've won quite a sum after all.
     
  15. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Even if the theory provided, that he was going to rely on a recently patched vulnerability, was right, I still would have gone and tried. I really do hope there was a good reason, leaving Chrome un-attacked for two years is a good way to build up a false sense of security.
     
  16. Johnny123

    Johnny123 Registered Member

    Joined:
    May 4, 2006
    Posts:
    548
    Location:
    Bremen, Germany
    Google was offering $20K to crack Chrome, the others get $15K. Just as a hypothetical situation, maybe they paid the guy $10K to stay home. That's a win-win situation. This guy rakes in some cash without having to leave his house and doesn't run the risk of not winning. Google saves 50% compared to the prize money for cracking Chrome. At the same time they foster an air of mystique that Chrome is so secure no one even bothers to try and without taking the risk of the guy being smarter than they think he is.

    How's that for a conspiracy theory?
     
  17. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    The only slight flaw I see in this conspiracy theory is the hypothetical amount offered to stay home. With the figures you used, the guy has more to gain by showing up. The theory becomes more feasible (to me, anyway) if the guy is offered more than the prize money to not show up. Then he has greater incentive to stay home. :cool:
     
  18. Johnny123

    Johnny123 Registered Member

    Joined:
    May 4, 2006
    Posts:
    548
    Location:
    Bremen, Germany
    You have a point there. If he gets more than the $20K he's a guaranteed no-show and for Google it's peanuts anyway. This is now an open source conspiracy theory ;)
     
  19. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    Very witty!
    And I want to point out that I really have no opinion about whether or not things actually went down that way.
    I just needed to toss in my 2¢ about a more feasible theory. ;)
     
  20. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I don't see any mention of Opera, Ubuntu and mobile OS.
     
  21. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Only problem with that conspiracy, is that they'd have nothing to gain. The participating researchers, and the many that don't even go to Pwn2Own, don't just throw something at the wall to see what sticks when they get there. Weeks if not months of coming up with attacks and testing are done before the contest. Not to mention attacks are being tested by people around the world when Pwn2Own isn't even close. If Google pulled a stunt like that, they wouldn't get away with it long, and, quite frankly, they're out of feet to shoot themselves in after all of their fumbles.
     
  22. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    I was under the impression mobiles were either due at this one (swear I read that someplace), or were going to be in the near future. Opera, well, I'm not sure what the point would be really since it sees so little use. Maybe Opera themselves just don't sign up for it, who knows. Ubuntu would be interesting to see, perhaps someday.

    Edit: @Aigle: It's in the very first link of the thread regarding mobile. "iPhone, Blackberry OS, Android, and Windows Phone 7".
     
  23. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    Maybe Opera didn't participate. Maybe that guy who's always talking here about everything to do with Opera will chime in.
     
  24. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Thanks.

    Ubuntu was tested last year I think. Probably Opera was in the contest some time in the past I think.
     
  25. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Oh I'm betting on it. But no, it looks like they didn't participate in this one.

    Edit: Looking around, I'm having a hard time finding any info on when they were in the contest. Certainly not in the last 3 years.
     
    Last edited: Mar 10, 2011