Three different hackers found 'Pwn To Own' bug
Contest winner not the first to report flaw, but that's OK, says TippingPoint
Computerworld - The Flash vulnerability used to hijack a Windows Vista laptop during last month's "PWN To OWN" hacker challenge was independently uncovered by two other researchers, one who noted it nearly five months ago, the company that paid the contest prize money said today.
"Vulnerabilities are found by multiple researchers all the time, all across the globe," said Terri Forslof, manager of security response at 3Com Corp.'s TippingPoint subsidiary. TippingPoint put up the cash prizes awarded during the PWN To OWN contest held March 26-28 at the CanSecWest security conference.
"Here we have three different people with three different motivations," Forslof added.
In a post to the TippingPoint blog, Forslof spelled out the multiple, though not simultaneous, discoveries of the Flash Player bug.
November 12, 2007: David Maynor, a noted security researcher with consulting firm Errata Security, posted screenshots of a crash analysis in Flash. Maynor speculated at the time that it might be an "unexploitable double free," referring to "double free" errors caused when the free() function is called more than once with the same memory address as an argument.
Forslof said that Errata, which produces penetration-testing tools, subsequently uncovered an exploitable Flash bug, then came up with an exploit that it added to its testing tools.
"I confirmed after the release of Adobe's patch that the vulnerability discovered and eluded to on the blog post was, indeed, the same vulnerability used in the PWN to OWN contest," said Forslof.
February 7, 2008: Another researcher submitted the same vulnerability to TippingPoint's Zero Day Initiative (ZDI), one of the two major bug-bounty programs currently in operation. The ZDI advisory, posted Tuesday to coincide with the patched update to Flash Player, identified the researcher as Javier Vicente Vallejo.
"He was the first to report it to us," said Forslof.
March 28, 2008: Shane Macaulay, assisted by two other researchers, used the same vulnerability in Flash to hack a Fujitsu notebook running Windows Vista SP1, one of three machines up for grabs in the PWN To OWN challenge.
But if Macaulay was the third to discover the bug, and the second to report it to TippingPoint, why did ZDI cut him a prize check for $5,000, essentially paying twice for the same vulnerability?
"It was within the rules and realm of the contest," Forslof explained. And even if it hadn't been, it would have been likely Macaulay would have gotten something. "We have this situation all the time, when someone reports a vulnerability that we already have purchased," Forslof said. "What we do, generally we will offer a sum of money [to the second researcher] to turn over the rights to the vulnerability to insure the protection of the information for the vendor."
- Path Selection Infographic Path Selection Infographic
- Hyperconvergence Infographic A wide range of observers agree that data centers are now entering an era of "hyperconvergence" that will raise network traffic levels faster...
- Preparing Your Infrastructure for the Hyperconvergence Era From cloud computing and virtualization to mobility and unified communications, an array of innovative technologies is transforming today's data centers.
- How WAN Optimization Helps Enterprises Reduce Costs If you wanted to break down innovation into a tidy equation, it might go something like this: Technology + Connectivity = Productivity. Productivity...
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Cybercrime and Hacking White Papers | Webcasts