CanSecWest is a conference, and 2013’s conference once again involved the Pwn2Own contest for hackers, an elite (1337) competition. The concept remained simple and will always that if you pwn a fully-patched browser running on a fully-patched laptop, you get to keep the laptop.
However, different rules applied this year. It involved successfully demonstrating the exploit, providing the sponsor (HP) the fully functioning exploit, and all details involved with the vulnerability used in the attack. If there were many vulnerabilities, multiple reports are needed, etc.
The work couldn’t be sold to anyone else, and proof of concept would belong to HP once sold. Basically, HP buys the winning exploits for own use. Their idea of reward money was the following:
- Google Chrome on Windows 7 = $100,000
- IE10 on Windows 8 = $100,000 or IE9 on Windows 7 = $75,000.
- Mozilla Firefox on Windows 7 = $60,000
- Apple Safari on Mac OS X Mountain Lion = $65,000
- Adobe Reader XI and Flash Player = $70,000
- Oracle Java = $20,000
It was assuredly a blast at the competition, no doubt about it.
DAY ONE: Java, Chrome, IE10, and Firefox PWNED!!!
(Where’s Safari, right? It survived!)
The idea behind each attack is the ability to browse to an untrusted website where you’re able to inject and run arbitrary code outside of the browsing environment.
Of course, one of the rules is: “A successful attack … must require little or no user interaction and must demonstrate code execution… If a sandbox is present, a full sandbox escape is required to win.”
In addition to Chrome, Firefox, and IE10 being pwned, Java was pwned three times on the first day. Once by James Forshaw, Joshua Drake, and VUPEN Security. VUPEN Security also led a lot of the pack of issues by successfully exploiting IE10 and Firefox as well.
The only other exploit was by Nils & Jon, where both successfully exploited Chrome.
The day after the first day of Pwn2Own, Mozilla and Google patched the exploits that were pushed out. Amazingly fast, Firefox went on to version 19.0.2 (which you should’ve been updated automatically), and Chrome went on to version 25.0.1364.160 (effectively patching 10 vulnerabilities).
“We received the technical details on Wednesday evening and within less than 24 hours diagnosed the issue, built a patch, validated the fix and the resulting builds, and deployed the patch to users,” said Michael Coates, Mozilla’s director of security assurance, in a Thursday blog.
Microsoft has decided to wait until next week’s Patch Tuesday run of updates to push out the fix for the Internet Explorer exploit on IE10.
DAY TWO: Adobe Reader and Flash Player PWNED!!! Java PWNED AGAIN!!!
Flash Player…exploited by VUPEN Security (any surprise?). Adobe Reader PWNED by George Hotz. Java once again was exploited, this time proxied by Ben Murphy.
Who’re the overall prize winners?
- James Forshaw, Ben Murphy, and Joshua Drake for Java – each $20,000
- VUPEN Security for IE10 + Firefox + Java + Flash – $250,000
- Nils & Jon for Google Chrome – $100,000
- George Hotz for Adobe Reader – $70,000
Of course, George Hotz is best known for jailbreaking the iPhone and PlayStation 3. He’s still in progress with a lawsuit with Sony over the issue for PS3.
Now in its eighth year, Pwn2Own contest had $480,000 in payouts, a record year. Amazing!
Got any vibe on this issue? Post comment below! 🙂
Firefox 19 now has a PDF viewer (Yay, bells and whistles)! Time to kick Adobe Reader, you know, because of all the exploits.
Technically, the tool has been in Firefox for many versions, but you had to manually enable it. The whole point of the built-in PDF viewer is to avoid having to use plugins with proprietary closed source code “that could potentially expose users to security vulnerabilities.””
The new PDF viewer doesn’t even require a secondary plugin or anything! It has its own ability to draw images and text.
A little more explained:
“Firefox for Windows, Mac and Linux introduces a built-in browser PDF viewer that allows you to read PDFs directly within the browser, making reading PDFs easier because you don’t have to download the content or read it in a plugin like Reader. For example, you can use the PDF viewer to check out a menu from your favorite restaurant, view and print concert tickets or read reports without having to interrupt your browsing experience with extra clicks or downloads,” Mozilla said.
In addition to that exciting news, Firefox 19 also fixes an HTTPS phishing flaw, which was reported by Michal Zalewski, Google security researcher. It details an issue with a proxy’s 407 response, where if a user canceled the proxy’s authentication prompt, the browser continues to display the address bar. This can be spoofed by attackers, by telling them to enter credentials. Read more in the Mozilla advisory about this.
In Firefox, if you’re not automatically prompted to update, then do so as soon as possible by clicking the Firefox tab at the top left corner of the browser, hovering over Help >, click on About Firefox. You may also have to click Check for updates in the window that pops up. You should be patched.
Quite a week in the vulnerabilities sector, as Adobe already fixed quite a few flaws in Flash Player and AIR. Now, Apple has fixed nine vulnerabilities in QuickTime. Meanwhile, Adobe has ignored the Reader flaws that are currently pending, and could be exploited soon.
For QuickTime, most of the vulnerabilities were for buffer overflows. QuickTime is Apple’s media playback technology. Only Windows users XP SP2 and Up have to update – Mac OS X was not affected. See the security update from Apple for more information on what was fixed. You can update on QuickTime by visiting http://www.apple.com/QuickTime
As for Adobe Reader…well that’s a long story. Here’s the short version of it… A Moscow-based security firm, Group-IB, has identified a new exploit capable of compromising the security of computers running Adobe X and XI (Adobe Reader 10 and 11) is being sold in the underground for up to $50,000. The vulnerability has an ability to sidestep Adobe Reader’s sandboxing mechanism, in order to exploit the code. Only working on Windows, the exploit requires users to close the web browser for it to work correctly.
Adobe spokespeople state the problem cannot be identified, and therefore there is nothing to fix.
To keep your computer protected from exploits, please see the following: