Pwn2Own Hackers Try to Take Down Browsers
This year's hacking contest will put Google Chrome, Apple Safari, Microsoft Internet Explorer, and Mozilla Firefox on the firing line. Should we be worried?
As if things weren't tough enough in the Internet security space, Web browser vendors will have a big target painted on their backs this week at the 2010 Pwn2Own competition.
Taking place at the CanSecWest security show in Vancouver, Pwn2Own is a contest sponsored by security firm Tipping Point in which researchers square off against each other to win up to $100,000 in prize money for exploiting fully patched Web browsers, as well as mobile platforms.
In past years, the results of the contest have proven that most of the targeted Web browsers -- thought to have been secure -- contained exploits that the researchers were able to find. While the event serves to demonstrate the insecurity of software, it actually also helps to improve security: As part of Pwn2Own, exploits are kept private and provided to the affected vendor for patching.
"We hope that the Pwn2Own contest reveals the hard truths about the security of the most popular hardware and software devices on the market," Aaron Portnoy, TippingPoint Security's research team lead, told InternetNews.com. "I believe it is well known that the software we run on a daily basis is insecure; Pwn2Own is intended to showcase how true this really is, driving the point home for the vendors and the public alike."
While Pwn2Own participants try and exploit Safari, IE, Firefox, and Chrome, they are not trying to exploit those browsers on every possible platform: The contest only includes Windows 7, XP, and Mac OS X, and does not include Chrome or Firefox running on Linux.
"We do not include a Linux platform simply because no distribution holds a large end-user market share in the enterprise," Portnoy said.
As it is, the Pwn2Own event may have led to a flurry of activity in recent weeks, with browser vendors releasing updates to patch open holes. Mozilla Firefox, Google Chrome, and Apple's Safari have all been patched in recent weeks ahead of the event.
"As with the past Pwn2Own contests, vendors involved generally attempt to patch as many issues as possible prior to the event," Portnoy said. "Apple has consistently done this for the past couple of years. The vendors are hoping to squash a vulnerability before a competitor uses it to win Pwn2Own."
Shoring up browser vulnerabilities
Portnoy noted that Tipping Point works with the major browser vendors on a regular basis to help them deal with security vulnerabilities.
"While we cannot force a vendor to rush a patch, I think they realize that it is in their best interests to patch prior to our contest, and thus they are very cooperative in that regard," Portnoy said.
Lucas Adamski, director of security engineering at Mozilla, will be at the Pwn2Own event and is well aware that Firefox is a targeted browser.
"While ideally we would like to be notified confidentially about vulnerabilities, Mozilla values all security research, independent of how the research is reported," Adamski told InternetNews.com. "This is one of the main reasons we created our bug bounty program five years ago."
At Pwn2Own 2009, one of the biggest surprises was that a security researcher -- who identified himself only as 'Nils' -- was able to successfully exploit vulnerabilities in Safari, IE 8, and Firefox.
Could the feat be replicated this year?
"I believe there is more competition this year, and as such, there won't be an opportunity for a single researcher to attack all browsers like that," Portnoy said. "However, keep an eye out for Nils this time around: He has already pre-registered."