Three different hackers found 'Pwn To Own' bug
Contest winner not the first to report flaw, but that's OK, says TippingPoint
April 10, 2008 12:00 PM ETComputerworld - The Flash vulnerability used to hijack a Windows Vista laptop during last month's "PWN To OWN" hacker challenge was independently uncovered by two other researchers, one who noted it nearly five months ago, the company that paid the contest prize money said today.
"Vulnerabilities are found by multiple researchers all the time, all across the globe," said Terri Forslof, manager of security response at 3Com Corp.'s TippingPoint subsidiary. TippingPoint put up the cash prizes awarded during the PWN To OWN contest held March 26-28 at the CanSecWest security conference.
"Here we have three different people with three different motivations," Forslof added.
In a post to the TippingPoint blog, Forslof spelled out the multiple, though not simultaneous, discoveries of the Flash Player bug.
November 12, 2007: David Maynor, a noted security researcher with consulting firm Errata Security, posted screenshots of a crash analysis in Flash. Maynor speculated at the time that it might be an "unexploitable double free," referring to "double free" errors caused when the free() function is called more than once with the same memory address as an argument.
Forslof said that Errata, which produces penetration-testing tools, subsequently uncovered an exploitable Flash bug, then came up with an exploit that it added to its testing tools.
"I confirmed after the release of Adobe's patch that the vulnerability discovered and eluded to on the blog post was, indeed, the same vulnerability used in the PWN to OWN contest," said Forslof.
February 7, 2008: Another researcher submitted the same vulnerability to TippingPoint's Zero Day Initiative (ZDI), one of the two major bug-bounty programs currently in operation. The ZDI advisory, posted Tuesday to coincide with the patched update to Flash Player, identified the researcher as Javier Vicente Vallejo.
"He was the first to report it to us," said Forslof.
March 28, 2008: Shane Macaulay, assisted by two other researchers, used the same vulnerability in Flash to hack a Fujitsu notebook running Windows Vista SP1, one of three machines up for grabs in the PWN To OWN challenge.
But if Macaulay was the third to discover the bug, and the second to report it to TippingPoint, why did ZDI cut him a prize check for $5,000, essentially paying twice for the same vulnerability?
"It was within the rules and realm of the contest," Forslof explained. And even if it hadn't been, it would have been likely Macaulay would have gotten something. "We have this situation all the time, when someone reports a vulnerability that we already have purchased," Forslof said. "What we do, generally we will offer a sum of money [to the second researcher] to turn over the rights to the vulnerability to insure the protection of the information for the vendor."
PWN To OWN
Additional Resources



White Papers & Webcasts
Mastering eDiscovery: The IT Manager's Guide to Preservation, Protection & Production
Get this paper now!
Extending Client Refresh - 11 Steps to Maximize Savings
Register Now!
Not Just Words: Enforce Your Email and Web Acceptable Usage Policies
Get this paper now!
Lower the Cost and Complexity of a Mobile Workforce through Automation
Download This Resource Now!
Email Archiving: A Business-Critical Application
Get this paper now!
Managing Mobility: Improve Data Security, Compliance and Manageability
Download This Resource Now!
IBM ISS X-Force Threat and Risk Report
Learn about all aspects of threats that affect Internet security.
Consolidate Your Servers and Storage to Lower Costs with Oracle Database 11g
Register for this webcast!
The New World of eCrime: Targeted Brand Attacks and How to Combat Them
Download This Whitepaper Now!
The Commercialization of ITIL: Lessons Learned
Register for this event today!
