Browsers
This year the web browser targets will be the latest release candidate (at the time of the contest) of the following products:
- Microsoft Internet Explorer
- Apple Safari
- Mozilla Firefox
- Google Chrome
Each browser will be installed on a 64-bit system running the latest version of either OS X or Windows 7.
A successful hack of IE, Safari, or Firefox will net the competitor a $15,000 USD cash prize, the laptop itself, and 20,000 ZDI reward points which immediately qualifies them for Silver standing. Benefits of ZDI Silver standing include a one-time $5,000 USD cash payment, 15% monetary bonus on all ZDI submissions in 2011, 25% reward point bonus on all ZDI submissions in 2011 and paid travel and registration to attend the DEFCON Conference in Las Vegas.
As for Chrome, the contest will be a two-part one. On day 1, Google will offer $20,000 USD and the CR-48 if a contestant can pop the browser and escape the sandbox using vulnerabilities purely present in Google-written code. If competitors are unsuccessful, on day 2 and 3 the ZDI will offer $10,000 USD for a sandbox escape in non-Google code and Google will offer $10,000 USD for the Chrome bug. Either way, plugins other than the built-in PDF support are out of scope.
Mobile Devices
The following are the target mobile devices for the contest:
- Dell Venue Pro running Windows 7
- iPhone 4 running iOS
- Blackberry Torch 9800 running Blackberry 6 OS
- Nexus S running Android
Interestingly, an RF enclosure box will be used for the mobile targets as there seems to be the possibility that
As mentioned previously, we’ve upped the ante this time around and the total cash pool allotted for prizes has risen to a whopping $125,000 USD. While HP TippingPoint is funding $105,000 of that, we’ve partnered with Google who has generously offered up $20,000 to the researcher who can best their Chrome browser.
The Results of Pwn2Own 2011
Browsers
“Safari goes down first at #pwn2own”
“Stephen Fewer @stephenfewer just successfully compromised Internet Explorer (complete with a Protected Mode bypass) at Pwn2Own.”
The vulnerability exploited in IE8 is not present in IE9, which ships on Monday.
Chrome and Firefox, the other browsers in the contest, went unchallenged.
Mobile Phones
The Apple iPhone 4 and RIM’s Blackberry Torch 9800 were both successfully compromised on day 2 of the contest.
Android and Windows Phone 7 based devices survived the challenge.
It was a vulnerability in WebKit that allowed the Blackberry to be compromised. Google has responded by patching the vulnerability in their WebKit-based Google Chrome.
Reports
Ars Technica has good write-ups on Day 1 and Day 2 of Pwn2Own 2011. In those write-ups you’ll find a lot more details of the winners and some of the compromises.