Former winners defend titles at Pwn2Own hacking contest

Dutch newcomer may have exploit able to beat Windows 7's DEP, ASLR

Two former winners will line up later today at the Pwn2Own hacking contest to take another crack at thousands of dollars in prizes for exploiting fully-patched browsers.

Charlie Miller, who has taken home cash two years running, and a German hacker known only by the first name Nils are scheduled to try their hands today at breaking into notebooks equipped with Safari and Firefox.

In a videotaped drawing last week to determine the order in which the contestants will try their luck, Miller, an analyst at Baltimore-based Independent Security Evaluators, grabbed the No. 2 spot. Miller will attempt to hack into a MacBook Pro notebook running Mac OS X 10.6, a.k.a. Snow Leopard, equipped with the latest version of Safari. Nils, a computer science student from Germany, drew the No. 3 and No. 9 spots, and will also try to break into the Snow Leopard MacBook if Miller falters. Later in the contest, he's slated to attack Mozilla's Firefox 3.6.2 on a PC running Windows 7.

In last year's Pwn2Own competition, which is in its fourth year at the CanSecWest security conference in Vancouver, British Columbia, Nils walked off with $15,000 after successfully exploiting Microsoft's Internet Explorer 8, Firefox and Safari. Miller took home $5,000.

The rules for this year's contest are slightly different. In 2009, 3Com's TippingPoint security unit, which sponsors Pwn2Own, paid $5,000 for each unknown browser vulnerability exploited, with no limit on the number each hacker could use or how many times one browser could be breached. This year, TippingPoint will pay $10,000 for each of the four browser challenges, with a limit of four winning vulnerabilities and a maximum of $40,000 in prize money.

Pwn2Own newcomer Peter Vreugdenhil will attempt to exploit IE8 on Windows 7 today. Vreugdenhil, a freelance vulnerability researcher from the Netherlands, apparently has an exploit that's capable of bypassing Windows 7's DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization) security mechanisms, according to both the contest organizer and Vreugdenhil himself. "Let's hope ASLR in Vancouver works the same as in [the Netherlands]," Vreugdenhil teased via Twitter last week after the placement drawing. Vreugdenhil will go fourth in the contest.

Earlier, Aaron Portnoy, security research team lead with TippingPoint and Pwn2Own's organizer, said that a longtime contributor to the company's bug bounty program, whom he didn't name at the time, would be armed with an IE8 exploit he called "impressive... from a technical standpoint."

Miller was suitably impressed. "If he pwns ie8 on win 7 w/o jit spray, he'll deserve [single name status]," Miller wrote on his own Twitter feed last week, referring to JIT spraying, a type of heap spraying attack that has been used to bypass DEP and ASLR. JIT spraying, however, requires Flash, which won't be available on the first day of Pwn2Own.

Winners in the browser track also receive the machine they exploited. This year's models include a MacBook Pro 15-in. notebook, a Hewlett-Packard Envy Beats 15-in., a Sony Vaio 13-in. and an Alienware M11x 11-in.

The second track of Pwn2Own is devoted to mobile operating systems. In that phase of the competition, researchers will try to breach an iPhone 3GS, a BlackBerry Bold 9700, a Nokia E72 and an HTC Nexus One. The last is the Google-branded phone sold online by the search giant and creator of the Android operating system.

In the mobile competition, each winning individual entrant or team will receive the hacked phone and $20,000.

A pair of hackers, Vincenzo Iozzo and Ralf Philipp Weinmann, drew the No. 1 spot and will attack the iPhone. Iozzo, an Italian college student, works for Zynamics GmbH, the company headed by noted researcher Thomas Dullien, better known as Halvar Flake. Weinmann, a post-doctoral researcher at the Laboratory of Algorithms, Cryptology and Security at the University of Luxembourg, is probably best known for being part of a three-man team that demonstrated how to crack the Wi-Fi security protocol WEP much faster than previously thought possible.

Two more spots, one for the iPhone, the other for the Nokia device, have been reserved for anonymous entrants. TippingPoint's Portnoy said last week that he expected the iPhone to be the only smartphone to fall during the contest.

Pwn2Own is scheduled to run through Friday.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer.

Copyright © 2010 IDG Communications, Inc.
