Web Browsers Get “Owned” in “2010 Pwn2Own”
- Wednesday, March 31, 2010, 3:53
- Threat Research
“2010 Pwn2Own” is an annual contest wherein contestants are invited to hack a variety of Web applications and platforms such as Web browsers and mobile phones for cash prizes and benefits. Successful hackers include Dutch hacker Peter Vreugdenhil for Internet Explorer (IE) 8, German hacker “Nils” for Firefox, and Charlie Miller for Safari.
What About Security?
As the only researcher to boast of three consecutive wins in “Pwn2Own,” Miller comments on security (or the lack thereof) in an article in ComputerWorld. He refuses to hand over the vulnerabilities; instead, he will demonstrate how he found them in the hope of encouraging software companies to improve their processes.
According to Trend Micro researcher Rajiv Motwani, “Windows/IE has been the target of hackers for years. Microsoft has thus adopted a multipronged approach to deal with vulnerabilities. It encourages responsible disclosure, follows a security development life cycle, organizes Microsoft BlueHat events, has the so-called Microsoft Active Protections Program (MAPP), and fixes vulnerabilities in a predictable manner so that life is a little easier for people who patch.”
This approach definitely helped raise the bar in terms of the complexity of vulnerabilities found. However, attackers still found ways to bypass new technologies like Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR).
But in the end, Microsoft is banking on its holistic approach to address vulnerabilities found in Microsoft products.