
Pwn2Own winner hacks all

Won’t tell how
Fri Mar 26 2010, 14:03

THE WINNER of the Pwn2Own 2010 contest hacked everything in his path to claim £6,700 in prize money yesterday.

The winner, Charlie Miller, and other contestants were set a challenge to see if they could hack their way into several web browsers, popular operating systems and applications. Miller eventually claimed the prize by breaking Apple's Mac OS X 10.6 on a MacBook, its Safari browser, Microsoft's PowerPoint, OpenOffice.org and a selection of Adobe's notoriously insecure apps. Only Google's Chrome is left standing, but the contest is still on to take it down.

Apparently Miller's trick was to use a self-styled "dumb fuzzer" that searches for exploits by placing data into a programme to check for potential flaws. What must be infuriating for Microsoft is that it uses a similar technique to scout for vulnerabilities in its own software before releasing it to the market. The Vole also got to watch Internet Explorer 8 bite the dust on a Windows 7 laptop thanks to the efforts of another hacker.

Not only did Miller take the money, but he was reported to remain tight-lipped on exactly which flaws he found in his attacks. He claimed that was so companies would redouble their efforts to tighten the security of their software. Probably true, but it'll also likely give him a head start this time next year. µ


Comments
@ Morgan

This Pwn2Own didn't test Linux because their goal was to gun after common desktop platforms, i.e. Windows and Mac.

They went after browsers, as that is the most common point of entry.

Still, if any Windows fanatic rants about how awesome DEP and ASLR will protect them; think again!

This contest has proven that Win7 (64bit) with all the latest patches, using either Firefox or IE8; one should NOT rely on DEP/ASLR... And that's on Day 1!

The contest lasts for 3 days. Safari (using OSX), IE8, and Firefox have fallen. Only Chrome is left.

posted by : Michael_S, 26 March 2010
Bugs

Quote: "The winning exploits become intellectual property of the company hosting CanSecWest hence Miller is not allowed to disclose to the public what they are exactly other than the technique used."

This is correct only as it relates to the 'WINNING EXPLOITS.' The others that Mr. Miller has found and decided not to exploit in the competition are owned by him (or anyone else who can find them). He can reveal them publicly or keep them to himself (or sell them if he's smart).

He's only required to stay 'mum' on the ones he's used in the competition until the vendors can patch their crappy software. Seems like everyone has taken a hit so most of them will be very busy.

Apple are too busy marketing their iPad to patch anything so maybe it's a good time to work on some hacks for their equipment.

Rock on Google Chrome!

posted by : Paul, 26 March 2010
Linux?

As far as I can see no Linux desktop has been breached?

posted by : Morgan, 26 March 2010
Actually...

The winning exploits become intellectual property of the company hosting CanSecWest hence Miller is not allowed to disclose to the public what they are exactly other than the technique used.

posted by : JP C, 26 March 2010
I love the strategy

Instead of releasing the exploit code to the public, keep it locked away. I think people should stump up money for him to get a 30 second ad during a nightly news program and show all of the computers melting down and put the companies on the spot. Doesn't violate any laws and gets their attention just the same.

posted by : Dan, 26 March 2010