TippingPoint Digital Vaccine Laboratories
DID YOU KNOW... DVLabs and our Zero Day Initiative were credited with discovering 17 Microsoft vulnerabilities in 2006 alone.

Pwn2Own 2009 Day 1 - Safari, Internet Explorer, and Firefox Taken Down by Four Zero-Day Exploits

The 3rd annual Pwn2Own contest kicked off today at CanSecWest around 3:00pm PST. For the first time, we had so many people register for the contest that we had to draw names from a hat- literally! In typical techie format, Aaron wanted to take a moment and write a quick program to randomly select order- but I stopped that nonsense, and we used a real hat.

Today, any contestant could attempt to break into a fully patched browser (IE8, Firefox, Chrome, Safari) or mobile device (Blackberry, Android, iPhone, Nokia/Symbian, Windows Mobile) with strict exploit restrictions that are eased on days two and three of the contest. As a brief refresher, the full set of rules for this contest are posted here. Our Zero Day Initiative is rewarding $5,000 USD per browser bug, and $10,000 USD per mobile bug. The first person to crack any of the mobile devices will also get to keep that device along with a one year phone contract. The first person to crack any of the browsers will get to keep the laptop it was running on.

Today's first day of Pwn2Own contest is now officially over, and we can report all mobile devices are still left standing unscathed. The browsers did not fare so well however. Between two winning contestants, they were able to compromise Safari (twice), IE8, and Firefox.

Charlie Miller got the luck of the draw, and had the first time slot for the browser competition. His target- Safari on Mac OS X. Before I could even pull my camera out, it was over within 2 minutes- and Charlie (coincidentally also last year's first winner of the day) is now the proud owner of yet another MacBook, and $5,000 from the Zero Day Initiative.

Next up, Nils. Just Nils- you know, like “Prince” or “Madonna”. With a little tweaking, he ran a sleek exploit against IE8, defying Microsoft’s latest built in protection technologies- DEP (Data Execution Prevention) as well as ASLR (Address Space Layout Randomization) to take home the Sony Vaio and $5,000 from ZDI.

If that wasn’t enough, Nils pulled a Safari exploit out of his hat (perhaps the same one used for the drawing?) and wowed us a second time- quickly taking down Apple’s browser for another cool $5,000. As a reminder, even though a browser may have been exploited once, anyone else is free to use a different zero-day exploit in order to cash in again.

We were ready to call it a day, but Nils signed up for another time slot, and took a shot at Mozilla Firefox. Lo and behold, another zero-day exploit of his was able to crack Firefox.  At this point, I had to pull out my calculator, and tally up another $5,000 ($15K total for Nils today!).

Will Nils produce a Chrome exploit tomorrow, turning his trifecta into a clean sweep of all browsers? Stay tuned!

Honorable mention goes out to Julien Tinnes, who successfully exploited both Firefox and Safari though unfortunately his efforts fell outside the contest criteria and therefore could not be rewarded.

Now that our first day is wrapped, and the attack surface for the mobile devices and browsers opens up and becomes a little less restricive, we hope to have another day full of excitement!

All winners are asked to sign and agree to the general ZDI Non Disclosure Agreement, and the bugs will be turned over directly to the affected vendors. If there are more than 5 winning entries by the end of the contest, we will offer additional “Bonus” prizes of an extra $5,000 USD that will be awarded this year for Most Interesting Browser flaw, Most Interesting Mobile Device Flaw, and Best in Show.

Check back on our blog tomorrow for Pwn2Own day 2 wrapup, or follow the event live on twitter.

Some photos of the winners below! Please credit TippingPoint DVLabs if you copy them.



First winner of the day Charlie Miller (left) breaks Safari while TippingPoint judge Aaron Portnoy officiates




Charlie Miller enjoying the sweet spoils (i.e the Macbook) of victory.




Nils with his first successful win of the day against IE8 as Aaron proclaims him the second, third, and fourth winner of the day




Nils showing off his newly won Sony Vaio!


Julien Tinnes (left) is captioned above owning both Firefox and Apple's Safari web browser.


Both winners Charlie Miller (left) and Nils (right) receiving a round of applause from the crowd as Aaron Portnoy from TippingPoint (middle) wraps up day one of the judging.
Tags: pwn2own,cnsecwest
Published On: 2009-03-18 22:51:01

Comments post a comment

  1. Anonymous commented on 2009-03-19 @ 08:09

    We need more contests like these to encourage white hatters ! Who knows what lies ahead from some of our ill-intended soviet and asian counterparts...

  2. Anonymous commented on 2009-03-19 @ 11:14

    I'm glad that I use Opera. Apparently it's too good (and obscure) for people to even attempt to exploit it.

  3. Oswald commented on 2009-03-19 @ 12:20

    Can someone explain briefly how the contest worked. Did they have to set up a web server to exploit the browser while sitting there, or did they construct a local file to do it? If neither, were they just supposed to break the browser through the user interface itself? I just don't quite understand how they developed an exploit just sitting in a room in a few seconds. I don't want details, of course, I'm just curious about the contest setting.

  4. roblock commented on 2009-03-19 @ 13:37

    Great contest, guys! Can we get actual times to pwnage? I'd like to see times in minutes for each browser to fall.

  5. carl commented on 2009-03-19 @ 15:39

    Just wondering. I am under the impression that ASLR is available only on 64-bit Vista, so the Vaio was running Windows 7 x64?

  6. Anonymous commented on 2009-03-19 @ 17:16

    Yes we need more contests like this, but we also need a browser which isn't constantly adding features and changes, so that more work can be done on securing the browser.

  7. Anonymous commented on 2009-03-19 @ 18:23

    Teaching the BIG GUYS. AWESOME!

  8. Kelson commented on 2009-03-19 @ 18:32

    @Anonymous, we had a browser like that for *years*. It was called Internet Explorer 6.

  9. Anonymous commented on 2009-03-20 @ 05:23

    wow,no one cracked Chrome yet?

  10. gigicu commented on 2009-03-20 @ 09:28

    quite scarry ;)

  11. Anonymous commented on 2009-03-20 @ 13:42

    Wow, these guys could have sold their exploits through legitimate sources and probably got around a quarter million dollars.. oh, but i guess showing them off to zdi and getting a macbook and sony garbage was so much better.. hahahahaha

  12. Anonymous commented on 2009-03-20 @ 19:52

    No linux this time?

  13. Anonymous commented on 2009-03-27 @ 17:34

    Firefox 3.0.8 is now at www.mozilla.com so no worries.


Links To This Post

  1. The Pwn2Own trifecta: Safari, IE 8, and Firefox exploited on day 1 | Gadgetorium!
    linked on 2009-03-19 @ 05:52 Show Comment

    The Pwn2Own trifecta: Safari, IE 8, and Firefox exploited on day 1 Posted by Inspector Gadget on March 19, 2009

  2. The Pwn2Own trifecta: Safari, IE 8, and Firefox exploited on day 1 | RSS For Gadgets
    linked on 2009-03-19 @ 05:43 Show Comment

    The Pwn2Own trifecta: Safari, IE 8, and Firefox exploited on day 1 By Gadget Guru

  3. Technology » Pwn2Own 2009: Nils takes down IE8, Firefox and Safari
    linked on 2009-03-19 @ 12:20 Show Comment

    And as the DVLabs report says: “Will Nils display a Chrome utilise tomorrow, motion his trifecta into a comely sweap of every browsers? Stay tuned!”

  4. [MIX09] Day 2 Internet Explorer 8 To Officially Launch; But Security Already Breached « TechPulse 360
    linked on 2009-03-19 @ 12:35 Show Comment

    The exploit was part of the PWN2OWN hacking contest held at CanSecWest and sponsored by security company TippingPoint.

  5. Questions for Pwn2Own hacker Charlie Miller | Zero Day | ZDNet.com
    linked on 2009-03-19 @ 17:00 Show Comment

    * Image credit: TippingPoint Zero Day Initiative. Ryan Naraine is a security evangelist at Kaspersky Lab, an anti-malware company with operations around the world. See his full profile and disclosure of his industry affiliations.


Trackback