Security: Safari, Internet Explorer, and Firefox Taken Down by Four Zero-Day Exploits

Discussion in 'Windows Desktop e Surface' started by portos, 20 March 2009. (Replies: 3; Views: 1322)

  1. portos

    portos Banned

    The 3rd annual Pwn2Own contest kicked off today at CanSecWest around 3:00pm PST. For the first time, we had so many people register for the contest that we had to draw names from a hat- literally! In typical techie format, Aaron wanted to take a moment and write a quick program to randomly select order- but I stopped that nonsense, and we used a real hat.

    Today, any contestant could attempt to break into a fully patched browser (IE8, Firefox, Chrome, Safari) or mobile device (Blackberry, Android, iPhone, Nokia/Symbian, Windows Mobile) with strict exploit restrictions that are eased on days two and three of the contest. As a brief refresher, the full set of rules for this contest are posted here. Our Zero Day Initiative is rewarding $5,000 USD per browser bug, and $10,000 USD per mobile bug. The first person to crack any of the mobile devices will also get to keep that device along with a one year phone contract. The first person to crack any of the browsers will get to keep the laptop it was running on.

    Today's first day of Pwn2Own contest is now officially over, and we can report all mobile devices are still left standing unscathed. The browsers did not fare so well however. Between two winning contestants, they were able to compromise Safari (twice), IE8, and Firefox.

    Charlie Miller got the luck of the draw, and had the first time slot for the browser competition. His target- Safari on Mac OS X. Before I could even pull my camera out, it was over within 2 minutes- and Charlie (coincidentally also last year's first winner of the day) is now the proud owner of yet another MacBook, and $5,000 from the Zero Day Initiative.

    Next up, Nils. Just Nils- you know, like “Prince” or “Madonna”. With a little tweaking, he ran a sleek exploit against IE8, defying Microsoft’s latest built in protection technologies- DEP (Data Execution Prevention) as well as ASLR (Address Space Layout Randomization) to take home the Sony Vaio and $5,000 from ZDI.

    If that wasn’t enough, Nils pulled a Safari exploit out of his hat (perhaps the same one used for the drawing?) and wowed us a second time- quickly taking down Apple’s browser for another cool $5,000. As a reminder, even though a browser may have been exploited once, anyone else is free to use a different zero-day exploit in order to cash in again.

    We were ready to call it a day, but Nils signed up for another time slot, and took a shot at Mozilla Firefox. Lo and behold, another zero-day exploit of his was able to crack Firefox. At this point, I had to pull out my calculator, and tally up another $5,000 ($15K total for Nils today!).

    Will Nils produce a Chrome exploit tomorrow, turning his trifecta into a clean sweep of all browsers? Stay tuned!

    Honorable mention goes out to Julien Tinnes, who successfully exploited both Firefox and Safari though unfortunately his efforts fell outside the contest criteria and therefore could not be rewarded.

    Now that our first day is wrapped, and the attack surface for the mobile devices and browsers opens up and becomes a little less restrictive, we hope to have another day full of excitement!

    All winners are asked to sign and agree to the general ZDI Non Disclosure Agreement, and the bugs will be turned over directly to the affected vendors. If there are more than 5 winning entries by the end of the contest, we will offer additional “Bonus” prizes of an extra $5,000 USD that will be awarded this year for Most Interesting Browser flaw, Most Interesting Mobile Device Flaw, and Best in Show.

    Check back on our blog tomorrow for Pwn2Own day 2 wrapup, or follow the event live on twitter.

    Some photos of the winners below! Please credit TippingPoint DVLabs if you copy them.

    First winner of the day Charlie Miller (left) breaks Safari while TippingPoint judge Aaron Portnoy officiates

    Charlie Miller enjoying the sweet spoils (i.e. the MacBook) of victory.

    Nils with his first successful win of the day against IE8 as Aaron proclaims him the second, third, and fourth winner of the day

    Nils showing off his newly won Sony Vaio!

    Julien Tinnes (left) is captioned above owning both Firefox and Apple's Safari web browser.

    Both winners Charlie Miller (left) and Nils (right) receiving a round of applause from the crowd as Aaron Portnoy from TippingPoint (middle) wraps up day one of the judging.

  2. wviegas

    wviegas Power Member

    and that's how hackers are born... :-D
  3. Excellent initiative.
  4. costapt

    costapt Power Member

    Source: http://www.baboo.com.br/absolutenm/templates/content.asp?articleid=34551&zoneid=221&resumo
