IE8, iPhone will fall first day of hacking contest, predicts organizer
Pwn2Own sponsor bets researchers will hack Windows 7, Microsoft's browser, Apple's phone
Computerworld - Microsoft's Internet Explorer 8, not Apple's Safari, will be the first browser to fall in next week's Pwn2Own hacking challenge, the contest organizer said today.
Aaron Portnoy, security research team lead with 3Com TippingPoint, the sponsor of Pwn2Own, also predicted that Apple's iPhone will be the only smartphone hacked during the contest, which starts March 24.
Portnoy, who organized the fourth annual Pwn2Own, changed his predictions from earlier bets he made a month ago because of new information he received from researchers who have registered for the contest. Previously, Portnoy said that Apple's browser would crumble before rivals from Google, Microsoft and Mozilla; he had also declined to speculate on which mobile phone, if any, would collapse under attack.
Researchers will compete for $100,000 in cash prizes next week at CanSecWest, the Vancouver, British Columbia, security conference that has been the home of Pwn2Own. The dual-track contest -- one for browsers, the other for mobile operating systems -- will pit hackers against the latest versions of Chrome, Firefox, Internet Explorer (IE) and Safari running on Windows 7 or Mac OS X. The smartphone track will set hackers against Apple's iPhone 3GS, a Blackberry Bold 9700, a Nokia phone running the Symbian S60 platform and a Motorola, most likely a Droid, powered by Google's Android.
"I have discovered that one of our very own ZDI researchers is armed and ready to take on [IE8] on the very first day," said Portnoy in an e-mailed explanation of why he changed his browser prediction. "This will indeed be an impressive exploit from a technical standpoint."
ZDI, for Zero Day Initiative, is TippingPoint's bug bounty program, which purchases the vulnerabilities and exploits used during Pwn2Own. ZDI reports the vulnerabilities to the appropriate vendors during the contest, but keeps technical details secret until the bugs are patched.
In a post to the TippingPoint blog Tuesday, Portnoy said that attempts to hack IE8 would be especially difficult because of Windows 7 security mechanisms such as DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization). TippingPoint has also barred researchers from exploiting third-party plug-ins the first day of the three-day contest, making it tougher to carry out a successful attack.
"I have seen the prowess of the researcher in question and I have no doubt they will be able to pull off a DEP- and ASLR-bypassing exploit on Day 1," said Portnoy about the impending IE8 attack.
Safari will fall the second day, Portnoy said; last month, he had put his money on Safari to drop first, in part because he said Mac OS X 10.6, aka Snow Leopard, wasn't "on the same level as Windows 7" when it came to security. "I believe that Safari will indeed go down, just not on Day 1," Portnoy said today.
- Single-Vendor Security Ecosystems Offer Concrete Benefits Over Point Solutions IT security decision-makers from companies with 100 to 5,000 employees evaluates the current endpoint security solution market based on Forrester's own market data,...
- Case Study: Intuit Turns to Self-Service IT Intuit empowered its users to resolve their own IT issues with a consumer-like experience to free IT to focus on more strategic initiatives....
- Automation for a Better Tomorrow Check out the five most common annoyances facing enterprise IT service desks today, and how automation can resolve all of them. Download the...
- Beyond the Enterprise App Store Leverage proactive, secure and automated IT Service delivery to move beyond the traditional App Store and empower your users. Read the white paper...
- Business-driven data protection Setting up data protection infrastructures with your organizations' core mission or business in mind is key. In this webinar, the ARCserve team will...
- On-Demand Webinar: Mind the Gap! Watch the webinar featuring Bob Janssen, CTO and Co-Founder of RES Software, to start building a solid foundation for business and IT to... All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!