TippingPoint Digital Vaccine Laboratories

Pwn2Own Wrap Up

We are all wrapped up from this year's CanSecWest and pwn2own contest, and again it was a great conference and a successful competition. The contest uncovered 4 new and unique critical vulnerabilities affecting the latest and greatest versions of IE, Safari and Firefox. The Chrome browser gets a small nod for being impacted by one of the flaws, although exploitation is not possible using any currently known techniques. I’m sure they’ll get it fixed up just the same.

 

What I always enjoy the most about CanSec in general is the smaller-scale, single-track nature of the conference. It’s a more intimate setting, which always feels a lot like a group of old pals getting together for a reunion, with a few fresh faces to spice it up!

 

We ended the final day of competition with all the mobile devices unscathed. I think the number one question that was asked is “Why?” Are mobile devices inherently more secure? It was a tough question to answer. I think there are a lot of barriers left to overcome in order to have a successful contest on these platforms, and too many reasons to list.

 

Much of the research is still new; there were several talks just this week that addressed the mobile platforms and vulnerabilities. The usual process that ensues once cutting-edge research is presented in our security research community is that the information is taken in by the masses, studied, tested, refined and shared. Some of the brightest minds from around the world begin looking at these things, and we always see very elegant and amazing new information emerge.

 

The mobile platform is limited by both memory and processing power. What that generally amounts to is that the vulnerabilities do exist, but actually exploiting them is complicated and unpredictable. There are additional variables which can be show stoppers, such as differences between the hardware manufacturers themselves, or the carrier network the phone is associated with. These are just a few examples, and the lack of known debuggers for many of the platforms adds further limitations.

 

There was once a day many years ago when I believed that we (the security industry/vendors) could actually develop new product versions that, after a period of time, would eventually plug all of the holes. The one thing I can say that I have learned for certain is that anytime you technically shut down a class of vulnerabilities, new classes that we’ve not yet conceived of will be discovered. Anytime you manage to mitigate an exploit technique to render undiscovered vulnerabilities in a known class useless, new and amazing exploit techniques will emerge from our research community that redefine and reset how we look at protection, patching, and mitigations.

 

When you fully digest this fact, I believe it’s the very moment at which you come to realize that the once thought of as unsophisticated “mod squad” don’t fit that profile much at all. They are scientists in their own right, with or without PhDs (or high school diplomas in some cases!). The work they do is akin to astronomers discovering new bodies in our solar system. Many form theories and hypotheses through raw intuition and curiosity, and prove to us over and over again that the work they do and the research they contribute is highly valuable, makes products better and more secure for consumers, and that they are not to be underestimated.

 

It’s in this very spirit that CanSecWest and ZDI have agreed that next year's Pwn2Own will most definitely include a mobile phone competition again! If history can tell us anything here, it's that by this time next year, the community will have turned what we now believe upside down, and more than likely wow us with a new generation of techniques that I will affectionately dub “Micro Exploits” that are able to function predictably on the mobile platform.

 

After much appreciated feedback from the contestants, we’ll be sure that such details as version numbers of the OS and exact hardware specs are made available well in advance.

 

Congratulations once again to all of our winners, and thanks to all who helped make pwn2own 09 another fantastic event!



Published On: 2009-03-21 09:30:14

Comments

  1. Collin commented on 2009-03-21 @ 15:07

    First, thanks for putting up mobile pwn2own and for planning to keep it for the next years.

    I agree with many of your points, especially about the lack of (good) debuggers for many of the mobile platforms, this is indeed a problem.

    I hope you will keep or better extend the non-code execution policy for mobile/smart phone vulnerabilities/attacks since I believe there are many attacks that don't necessarily need code execution to cause harm or financial damage.

    The point about hardware/devices and OS/firmware versions is really important really!

    I didn't attend CanSecWest this year but I plan to in the future.

  2. Manuel commented on 2009-03-23 @ 14:17

    That's a nice event, what I wonder is that if the prize is fair enough, I suppose they are BIG companies with people being paid to detect this kind of issues, so if 1 person can break the job of the company's security team and even tell them what's wrong... well, also no idea about the involved work on the exploits creation. Anyway it's a good strategy, who knows if they show all vulnerabilities found. I'm pretty sure we will see the same winners for some years using old exploits. XD.

  3. JOG commented on 2009-03-24 @ 12:05

    To the Tipping Point Team and especially Charlie Miller,

    On behalf of many Windows users who have been ridiculed by Mac Fanboys for the latter part of 16 years, I thank you for shattering the illusion of Apple Macintosh Security Invulnerability. I thank you for showing that Apple along with Microsoft and Mozilla clearly have work to do. The service you guys have done for all PC users is beyond words. However, you've helped show publicly and without a doubt, that Macs are just as vulnerable as Windows machines.

    On the Supersite for Windows hosted by Paul Thurrott, many Windows enthusiasts and fans are verbally attacked by Apple fans. It would be nice if you guys came on the site to bolster the truth that Macs do have some major security issues. Instead of being ridiculed, it would be nice to have some professionals back up the claims, and eventually force Apple to change their security model. To make the entire world wide web a safer place for browsing and future activities, I will continue to keep an eye on both Tipping Point and the CanSecWest conference in the future. I'll also be picking up Charlie Miller's book, as a personal thank you.

    God bless you all and good luck in your future endeavours.

  4. JOannah commented on 2009-03-25 @ 00:24

    I recently came across your blog and have been reading along. I thought I would leave my first comment. I don't know what to say except that I have enjoyed reading. Nice blog. I will keep visiting this blog very often.

    Joannah

    http://2gbmemory.net

  5. n0thing commented on 2009-03-25 @ 12:17

    The blog says that Chrome was impacted by a flaw but exploit has not been achieved. Can anyone elaborate on this?

  6. Terri Forslof commented on 2009-03-26 @ 21:26

    @Collin
    "I hope you will keep or better extend the non-code execution policy for mobile/smart phone vulnerabilities/attacks since I believe there are many attacks that don't necessarily need code execution to cause harm or financial damage."

    We welcome community input and feedback for next year's mobile contest at pwn2own. If you have suggestions on attack types/vectors that we should consider, or may have excluded this year, we welcome them, and would love to hear from you at dvlabs_at_tippingpoint_dot_com. Thanks for the feedback!

    @N0thing: One of the vulnerabilities used by Nils is present on Chrome. Due to Chrome's sandboxing feature, the exploit would not work. We gave the vulnerability details to Google, and I would imagine that they will probably issue a fix for this as well.

