The 3rd annual Pwn2Own contest kicked off its second day this morning at CanSecWest. If you missed it, check out yesterday's browser carnage (with pics).
Today, any contestant could attempt to break into a fully patched browser (IE8, Firefox, Chrome, Safari) or mobile device (BlackBerry, Android, iPhone, Nokia/Symbian, Windows Mobile) with less strict exploit restrictions than yesterday's rules. As a brief refresher, the full set of rules for this contest is posted here. Our Zero Day Initiative is rewarding $5,000 USD per browser bug, and $10,000 USD per mobile bug.
The first person to crack any of the mobile devices will also get to keep that device along with a one-year phone contract. The laptops are all pwned, but you can still take home 5K for your bug.
As it turned out, the day was uneventful, with no attempts made to break the mobile phones - until the very moment we were wrapping up to call it a day! I don't know if it was the depressing weather, the great selection of talks, or the power outage that kept everyone away! Sergio Alvarez did have a go at the BlackBerry Bold for a bit - it looks like he's got something interesting there, but his testing had been on a different model of phone. We hear rumors and rumblings that there are some folks here working hard to create exploits for their mobile bugs, so maybe tomorrow will be more exciting.
We are going to open the contest at 10:00AM, and if we don't have any sign-ups by noon, we'll call it a day - so if you are planning to step in for a last-minute try (*cough* Sergio *cough*) just be warned that you'll need to sign up before noon, or we'll be tearing down camp, and trying to figure out what to do with all these mobile phones!
The big news of the day is that the MSRC (Microsoft Security Response Center) woke me up before my alarm went off this morning to let me know that they had reproduced and validated the IE8 vulnerability discovered by the mysterious Nils. Of course, we can't tell you anything more than that - stay tuned for more information once Microsoft releases an update for it! I continue to be impressed by the dedication of the MSRC team - and was shocked to get the news of verification in less than 12 hours - considering the entire IE team was most likely at the MIX 2009 con down in Vegas for the official launch of IE8!
For those not keeping score, the confirmation of the IE8 vulnerability on the released bits (available just this morning!) marks the first official vulnerability in IE8! Congratulations Nils! We take our collective hats off to you!
We'll keep you posted tomorrow on any new updates or news here - you can also follow along on our Twitter stream.