Three different hackers found 'Pwn To Own' bug
Contest winner not the first to report flaw, but that's OK, says TippingPoint
Computerworld - The Flash vulnerability used to hijack a Windows Vista laptop during last month's "PWN To OWN" hacker challenge was independently uncovered by two other researchers, one who noted it nearly five months ago, the company that paid the contest prize money said today.
"Vulnerabilities are found by multiple researchers all the time, all across the globe," said Terri Forslof, manager of security response at 3Com Corp.'s TippingPoint subsidiary. TippingPoint put up the cash prizes awarded during the PWN To OWN contest held March 26-28 at the CanSecWest security conference.
"Here we have three different people with three different motivations," Forslof added.
In a post to the TippingPoint blog, Forslof spelled out the multiple, though not simultaneous, discoveries of the Flash Player bug.
November 12, 2007: David Maynor, a noted security researcher with consulting firm Errata Security, posted screenshots of a crash analysis in Flash. Maynor speculated at the time that it might be an "unexploitable double free," referring to "double free" errors caused when the free() function is called more than once with the same memory address as an argument.
Forslof said that Errata, which produces penetration-testing tools, subsequently uncovered an exploitable Flash bug, then came up with an exploit that it added to its testing tools.
"I confirmed after the release of Adobe's patch that the vulnerability discovered and eluded to on the blog post was, indeed, the same vulnerability used in the PWN to OWN contest," said Forslof.
February 7, 2008: Another researcher submitted the same vulnerability to TippingPoint's Zero Day Initiative (ZDI), one of the two major bug-bounty programs currently in operation. The ZDI advisory, posted Tuesday to coincide with the patched update to Flash Player, identified the researcher as Javier Vicente Vallejo.
"He was the first to report it to us," said Forslof.
March 28, 2008: Shane Macaulay, assisted by two other researchers, used the same vulnerability in Flash to hack a Fujitsu notebook running Windows Vista SP1, one of three machines up for grabs in the PWN To OWN challenge.
But if Macaulay was the third to discover the bug, and the second to report it to TippingPoint, why did ZDI cut him a prize check for $5,000, essentially paying twice for the same vulnerability?
"It was within the rules and realm of the contest," Forslof explained. And even if it hadn't been, it would have been likely Macaulay would have gotten something. "We have this situation all the time, when someone reports a vulnerability that we already have purchased," Forslof said. "What we do, generally we will offer a sum of money [to the second researcher] to turn over the rights to the vulnerability to insure the protection of the information for the vendor."
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Who's Spying on You? You're aware of the threats of malware to your business but what about the ever-changing ground rules? Cybercriminals today are launching attacks against...
- Is Your Big Data Solution Production-Ready? Read "Is Your Big Data Solution Production-Ready?" now, and discover best practices and actionable steps to implementing a production-ready big data solution.
- Pay-as-you-Grow Data Protection: IBM Tivoli's Full-featured Data Protection Suite for Small to Medium Businesses IBM Tivoli Storage Manager Suite for Unified Recovery gives small and medium businesses the opportunity to start out with only the individual solutions...
- Streamline Data Protection with IBM Tivoli Storage Manager Operations Center IBM Tivoli Storage Manager (TSM) has been an industry-standard data protection solution for two decades. But, where most competitors focus exclusively on Backup...
- Webinar: Building a Big Data solution that's production-ready Big data solutions are no longer just a nice-to-have.
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well... All Cybercrime and Hacking White Papers | Webcasts