SecurityFocus, 2009-03-18
VANCOUVER, B.C. Security researcher Charlie Miller held onto a vulnerability for an entire year, before using it on Wednesday to win $5,000 and an Apple laptop at the Pwn2Own contest here at the CanSecWest conference.
Miller — a principal analyst at Independent Security Evaluators — found two flaws in Apple's Safari Web browser more than a year ago and prepped the easier-to-exploit issue for last year's competition, he said. Following an announcement that this year's contest would focus on browsers as well as mobile devices, Miller more fully researched the leftover security flaw and found that it remained exploitable.
"I found this bug ... last year, but like all good researchers, I sat on the issue," he said after being declared the first winner.
Following Miller's reprise, a computer-science student from Oldenburg University in Germany captured a pint-sized Sony Vaio computer and his own $5,000 by exploiting a previously unreported vulnerability in Internet Explorer 8. The student, who would only give his first name, "Nils," declined requests for an interview until he had also had a chance to attack the other browsers.
Nils' attack on Internet Explorer 8, which was running on Microsoft's forthcoming Windows 7 operating system, impressed Aaron Portnoy, a researcher with security firm TippingPoint, who was helping to run the contest. If there was a Best in Show category, Nils' attack would win, Portnoy said.
"This attack worked on a default, out-of-the-box installation of Windows 7 — that's what makes it so neat," he said. "He did a lot of work to make it happen."
The Pwn2Own contest — the brainchild of CanSecWest founder Dragos Ruiu — aims to reward researchers who show off their ability to exploit popular applications and devices. Last year, the contest pitted researchers against three laptops, each running a different operating system: Mac OS X, Ubuntu Linux and Microsoft Windows Vista. Miller won the Mac OS X laptop and $10,000, while researcher Shane Macaulay won the Windows Vista computer. This year's contest has two focuses: the major Web browsers and popular smart phones.
Miller could not discuss the details of the flaw in Safari, he said. Security firm TippingPoint sponsored the contest and any winner must submit their flaw to the Zero-Day Initiative, the company's vulnerability bounty program, to collect their reward.
"The contest brings everyone together," said Terry Forslof, manager of security response for TippingPoint. "How often does the vendor get to watch researchers pop their stuff?"
Miller agreed. Most security issues require so much time to exploit that most researchers feel the need to be rewarded for their work, he said.
"This kind of contest is a good idea, because I am not going to look for bugs unless I'm going to get paid to look," Miller said.
By Wednesday evening, not one of the six researchers who submitted their names for the contest planned to attack the mobile devices, organizers said. The smart phones included an iPhone, a Nokia phone running Google's Android platform, and a RIM Blackberry. Anyone who successfully attacks the devices would get a $10,000 bounty.
The lack of immediate interest wasn't surprising, said Forslof.
"The laptops are the better prizes, so people are going to try and win those first," she said.