If you’re interested in computer security, you’ve probably heard of PWN2OWN. It’s a competition which has become an annual fixture at the CanSecWest conference in Vancouver, British Columbia.
The competition gets its name because, as the CanSecWest organisers explain, “If you can execute arbitrary code (PWN) on these [laptops or mobile phones] through a previously undisclosed browser (Firefox, IE, Safari) exploit, you can go home with one (OWN).”
The browsers under fire this year were: Microsoft Internet Explorer, Apple Safari, Mozilla Firefox and Google Chrome.
The mobile phones up for bombardment were: Dell Venue Pro running Windows 7, iPhone 4 running iOS, Blackberry Torch 9800 running Blackberry 6 OS and Nexus S running Android.
Whether you think the buying of vulnerabilities and exploits (through cash payments or prizes) is morally acceptable or not, it’s a mainstream practice in the security industry these days.
Indeed, the pwn2own competition is run by none other than HP, owners of the TippingPoint Zero Day Initiative (ZDI) brand. ZDI is a programme which pays for vulnerabilities, thus rewarding bug-hunters for results which are fed back into the security community rather than sold to cybercrooks. Pwn2own adds some overt competitiveness into the business of bug-finding!
HP promised to publish the names of the winners “as they (presumably) succeed”, but though the contest ended on Friday last week, no official announcement has yet been made.
But that doesn’t matter – thanks to social networks, the results hit the internet in near-real time, so we already know that the following were pwned:
* Safari
* Internet Explorer
* iPhone 4
* BlackBerry Torch 9800
Firefox, Chrome, Android and Windows Mobile 7 all remained unpwned.
Apparently, even the most recent version of Safari, 5.0.4, released just a day before the competition, is still vulnerable to the attack.
On the other hand, the most recent iOS upgrade for the iPhone, iOS 4.3, heads off the exploit used at pwn2own. That’s good news for iPhone 4 and 3GS users, who can upgrade, but bad news for earlier Apple devices, which can’t be upgraded.
Technically speaking, Google Chrome didn’t actually survive an attack – the contestant who was due to take it on didn’t turn up. Nevertheless, the rules are the rules, so Chrome wasn’t pwned.
However, the software flaw used in successfully attacking the BlackBerry was present in Google’s Chrome browser, which is based around the same WebKit codebase. In a laudably quick response, Google almost immediately patched the offending code in Chrome.
By the way, we often hear that software is getting worse, because ever more vulnerabilities are being found. But that’s not surprising, now that companies like HP openly pay researchers for finding vulnerabilities and revealing them under controlled conditions.
There’s much more motivation for security researchers to spend several weeks working through from a theoretical vulnerability to a practicable exploit when there is potential revenue at the end of it. That alone is a reasonable explanation for the increase in reported vulnerabilities over the past few years – and since known holes can be fixed, that’s not a bad thing.
So I’d like to think that the outcome of this year’s pwn2own is a Curate’s Egg – good in parts. Half of the browsers and half of the mobile devices went unpwned.
There’s also a potential silver lining in the pwn2own failures: with Apple’s software falling to attackers on both laptop and smartphone devices, perhaps those Apple users who are still in denial about the possibility of malware infections on their beloved MacBooks and iHardware will think again!
(Shameless plug: if you don’t yet have an anti-virus on your Mac, and pwn2own makes you think of getting one, don’t forget that Sophos has a completely free home user version for Mac OS X.)
10 comments on “PWN2OWN – Apple v. Google v. Microsoft v. Mozilla v. BlackBerry!”
I just did a sync with my iPhone 4 via iTunes. It said that I have the most up to date iOS (4.2.6) and no updates were available for my phone. Hmmmmm
I have the Verizon iPhone 4 and encountered the same thing. I did a bit of research and found out that the anticipated update will basically only be applied to AT&T phones with no known release date for the same update for Verizon iPhones; AT&T is a GSM model so it can have the update.
I wish they would release the new update for Verizon, especially given the security breaches mentioned on Sophos in previous articles.
Apple: Treat all your customers the same!
I believe the Verizon 4.2.6 update already includes all these features. It will be synced with all other iOS devices on the next point release.
I hadn't heard of the contest until reading this. Thanks! Sounds interesting. The whole pwn to own thing is clever. Anyway, good to know Apple product owners may start to learn that they too are vulnerable. Then again, I am surprised that with the amount of people on Apple products these days there aren't more infections being reported.
"Then again, I am surprised that with the amount of people on Apple products these days there aren't more infections being reported."
My question is what percentage of those people are infected but don't know that they are.
Good question. I have no idea, but I’m sure there aren’t too many. The whole reason behind the fact that there are so many viruses for machines running Windows OSes is because they are most commonly used in corporations and for business use. Until recently Windows systems vastly outnumbered Macs in households as well. No doubt there are viruses for the Mac OS, though. And I bet attackers will give more attention to Macs as time goes on because they are becoming very popular. Check this out for example: http://nakedsecurity.sophos.com/2011/02/26/mac-os…
Yes, I saw that post. I tend to check Naked Security daily.
That is partly my point though. Trojans tend to hide in the OS trying to be inconspicuous. There may be more infected Macs than we really know about due to the lack of people adopting anti-virus software. Either way that number is bound to increase, as is the number of viruses targeting Mac. Especially with all the iPhone/Pad hype.
On the whole Windows infection rate. Not only has MS been a bigger target but their security consciousness has never been as good as it should be. Look at autorun, it's been around for ages and was identified as a vulnerability very early on, yet nothing was done about it for many years. This essentially was an invitation to infections like Conficker etc.
It would appear that in this area we could actually have the rare benefit of foresight. Apple should release something along the lines of Security Essentials to ensure that its users are safe before there is a real threat.
You make a lot of good points.
Trojans are ‘bound to happen’ … Okaaaaay. Of course, pigs flying in formation over Tokyo are bound to happen too, possibly, some day. Sophos sould go out of business, someday, possibly. Lots of things are ‘bound to happen’. No, ‘everything’ is bound to happen given enough time and alternate universes.
Where ARE these attacks on the Mac and IOS? Where? The first, widely successful attack on Apple will be world wide news, something any virus author would covet more than lifetime free beer. The ‘market share’ tune is a canard and patently silly. The fact is NOTHING has been found in the wild that is remotely any threat to Apple products. Anything that has arisen in the past 10 years, even proof of concept attacks that were never found in the wild, were patched away by Apple.
Thank goodness there are no exploitable vulnerabilities in Apple products. If there were, people would be able to jailbreak their iPhones and iPads and install software of their own choosing, instead of being forced to shop in the Apple AppStore 🙂
As for "worldwide attacks", the strange thing is that they're really rare even on Windows systems these days. We had Conficker (and I can't see how, because the exploit it used in order to spread was "patched away" by MS long before the malware became rampant, and the other "vulnerabilities" it exploited were really user or admin oriented, and easily avoidable). And we had Stuxnet, which was somewhat widely reported, possibly because people were really keen to find it.