Discussion in 'other security issues & news' started by MrBrian, Mar 9, 2011.
Safari/MacBook first to fall at Pwn2Own 2011
Same as before
Wonder what the iSheeps will say.
Yes, social engineering is required for any of these attacks revealed so far at Pwn2Own to execute successfully (i.e., "The victim visits a web page..."), unless, of course, the attacker were to compromise a legitimate website the victim visits in the same window of time as the attack (unlikely).
Assuming the social engineering trick lures the victim to the malware serving website, running the email client or browser in a VM, for example, should contain this type of malware (until flushed out), unless it exploits a critical vulnerability in the VM software that allows it to escape from the guest OS and compromise the host (again, unlikely for most of us currently).
I can't even get to the site right now. Must be fun refreshing that blog for new results, lol.
Apple has now followed Google and Mozilla in releasing browser updates ahead of Pwn2Own.
Uh oh... somebody missed this one -http://www.zdnet.com/blog/security/pwn2own-2011-ie8-on-windows-7-hijacked-with-3-vulnerabilities/8367
pwn2own day one: Safari, IE8 fall, Chrome unchallenged by Peter Bright.
I wonder what motive is ascribed to security updates done in other months of the year
It would be interesting to know which way he bypassed Protected Mode.
This is why I rather use Chromium with an explicit low integrity mode... or if you prefer - explicit Protected Mode.
Even in the remote chance something could exploit Chromium, it would inherit the low integrity level, and that because both chrome.exe parent and child processes have a low integrity level; no way out of it.
This gives the impression that Firefox survived day 1 -- which is true because it will be tested on day 2 and wasn't scheduled for day 1!
Bad journalism IMO, they're also saying Google Chrome might survive for the third year in a row, but no-one attacked it last year, and same for today as the guy didn't show up today.
There must be a reason why he didn't show up, he could've won quite a sum after all.
Even if the theory provided, that he was going to rely on a recently patched vulnerability, was right, I still would have gone and tried. I really do hope there was a good reason, leaving Chrome un-attacked for two years is a good way to build up a false sense of security.
Google was offering $20K to crack Chrome, the others get $15K. Just as a hypothetical situation, maybe they paid the guy $10K to stay home. That's a win-win situation. This guy rakes in some cash without having to leave his house and doesn't run the risk of not winning. Google saves 50% compared to the prize money for cracking Chrome. At the same time they foster an air of mystique that Chrome is so secure no one even bothers to try and without taking the risk of the guy being smarter than they think he is.
How's that for a conspiracy theory?
The only slight flaw I see in this conspiracy theory is the hypothetical amount offered to stay home. With the figures you used, the guy has more to gain by showing up. The theory becomes more feasible (to me, anyway) if the guy is offered more than the prize money to not show up. Then he has greater incentive to stay home.
You have a point there. If he gets more than the $20K he's a guaranteed no-show and for Google it's peanuts anyway. This is now an open source conspiracy theory
And I want to point out that I really have no opinion about whether or not things actually went down that way.
I just needed to toss in my 2¢ about a more feasible theory.
I don't see any mention of opera, ubuntu and mobile OS.
Only problem with that conspiracy, is that they'd have nothing to gain. The participating researchers, and the many that don't even go to Pwn2Own, don't just throw something at the wall to see what sticks when they get there. Weeks if not months of coming up with attacks and testing are done before the contest. Not to mention attacks are being tested by people around the world when Pwn2Own isn't even close. If Google pulled a stunt like that, they wouldn't get away with it long, and, quite frankly, they're out of feet to shoot themselves in after all of their fumbles.
I was under the impression mobiles were either due at this one (swear I read that someplace), or were going to be in the near future. Opera, well, I'm not sure what the point would be really since it sees so little use. Maybe Opera themselves just don't sign up for it, who knows. Ubuntu would be interesting to see, perhaps someday.
Edit: @Aigle: It's in the very first link of the thread regarding mobile. "iPhone, Blackberry OS, Android, and Windows Phone 7".
Maybe Opera didn't participate. Maybe that guy who's always talking here about everything to do with Opera will chime in.
Ubuntu was tested last year i think. Probably opera was in the contest some time in the past i think.
Oh I'm betting on it. But no, it looks like they didn't participate in this one.
Edit: Looking around, I'm having a hard time finding any info on when they were in the contest. Certainly not in the last 3 years.
Separate names with a comma.