Three different hackers found 'Pwn To Own' bug
Contest winner not the first to report flaw, but that's OK, says TippingPoint
Computerworld - The Flash vulnerability used to hijack a Windows Vista laptop during last month's "PWN To OWN" hacker challenge was independently uncovered by two other researchers, one who noted it nearly five months ago, the company that paid the contest prize money said today.
"Vulnerabilities are found by multiple researchers all the time, all across the globe," said Terri Forslof, manager of security response at 3Com Corp.'s TippingPoint subsidiary. TippingPoint put up the cash prizes awarded during the PWN To OWN contest held March 26-28 at the CanSecWest security conference.
"Here we have three different people with three different motivations," Forslof added.
In a post to the TippingPoint blog, Forslof spelled out the multiple, though not simultaneous, discoveries of the Flash Player bug.
November 12, 2007: David Maynor, a noted security researcher with consulting firm Errata Security, posted screenshots of a crash analysis in Flash. Maynor speculated at the time that it might be an "unexploitable double free," referring to "double free" errors caused when the free() function is called more than once with the same memory address as an argument.
Forslof said that Errata, which produces penetration-testing tools, subsequently uncovered an exploitable Flash bug, then came up with an exploit that it added to its testing tools.
"I confirmed after the release of Adobe's patch that the vulnerability discovered and eluded to on the blog post was, indeed, the same vulnerability used in the PWN to OWN contest," said Forslof.
February 7, 2008: Another researcher submitted the same vulnerability to TippingPoint's Zero Day Initiative (ZDI), one of the two major bug-bounty programs currently in operation. The ZDI advisory, posted Tuesday to coincide with the patched update to Flash Player, identified the researcher as Javier Vicente Vallejo.
"He was the first to report it to us," said Forslof.
March 28, 2008: Shane Macaulay, assisted by two other researchers, used the same vulnerability in Flash to hack a Fujitsu notebook running Windows Vista SP1, one of three machines up for grabs in the PWN To OWN challenge.
But if Macaulay was the third to discover the bug, and the second to report it to TippingPoint, why did ZDI cut him a prize check for $5,000, essentially paying twice for the same vulnerability?
"It was within the rules and realm of the contest," Forslof explained. And even if it hadn't been, it would have been likely Macaulay would have gotten something. "We have this situation all the time, when someone reports a vulnerability that we already have purchased," Forslof said. "What we do, generally we will offer a sum of money [to the second researcher] to turn over the rights to the vulnerability to insure the protection of the information for the vendor."
- Comprehensive Advanced Threat Defense The hot topic in the information security industry these days is "Advanced Threat Defense" (ATD). This paper describes a comprehensive, network-based approach to...
- Advanced Threat Defense: A Comprehensive Approach In this interview, Peter George, president, General Dynamics Fidelis Cybersecurity Solutions, explains why we need more than anti-malware, and what constitutes a comprehensive...
- 2013 Cyber Risk Report The "Cyber risk report 2013 Executive summary" presents the major findings of HP Security Research's comprehensive dive into today's cyber vulnerability and threat...
- Cybersecurity for Dummies eBook This book provides an in-depth examination of real-world attacks and APTs, the shortcomings of legacy security solutions, the capabilities of next-generation firewalls, and...
- Live Webcast Security Vulnerabilities Associated With Having Local Administrator Privileges Viewfinity will demonstrate how removing admin rights and granularly managing privileges at the application level reduces the attack surface.
- Security Vulnerabilities Associated With Having Local Administrator Privileges Viewfinity will demonstrate how removing admin rights and granularly managing privileges at the application level reduces the attack surface.
- On-demand webinar - 7 Keys to Service Catalog Implementation Success Watch this webinar to learn 7 crucial keys to make your service catalog a success! All Cybercrime and Hacking White Papers | Webcasts