The 5th annual Pwn2Own zero-day competition starts tomorrow, and hackers are preparing to cash in on a huge prize pool of tech and cold hard cash. Last year the main focus was on web browsers and mobile devices, and to be honest nothing has changed for Pwn2Own 2011. As some of the best brains in the world of security exploits bang heads in Vancouver, all the major browser and smartphone developers will be watching closely and anxiously as what the organisers refer to as “the current security posture” of their products is scrutinised and in all likelihood broken apart. Last year we witnessed three out of the four leading web browsers and the iPhone all successfully compromised.

Across March 9th, 10th and 11th a total cash pool of some $125,000 (£77,400) and a bunch of hardware spot prizes including an Apple MacBook Air 13″, Google Nexus S smartphone, powered Dell Venue Pro will be up for grabs. Perhaps the most intriguing of all is the $20,000 (£12,400) on offer from Google itself should anyone be able to escape the Google Chrome browser sandbox and compromise a Windows 7 PC with the aid of nothing other than vulnerabilities exclusively within the Google-code. Google has good reason to make such a generous prize available: Chrome was the only mainstream browser involved in Pwn2Own 2010 which escaped unscathed. Apple Safari, Microsoft Internet Explorer and Mozilla Firefox were less fortunate last year, and are not expected to survive this year either. But then again, Chrome will do well to stand up against the pressure that comes with the publicity anyone who is successful in their hacking attempt will get. Forget the $20,000 cash, it’s the kudos that these guys will want and will have been working hard to attain.

Browser vendors know this, and both Mozilla and Google have already released major security patches to shore things up as best they can before Pwn2Own starts, although they would probably both deny that the timing of those updates is anything but coincidence. Yet Firefox 3.6.14 and Google Chrome 9.0.597.107 have both arrived in the week before Pwn2Own, patching vulnerabilities which could conceivably have helped the hackers in their efforts. Apple has released an update to iTunes which patches a reported 50 vulnerabilities in the WebKit rendering engine that drives Safari, but Microsoft has decided to stand alone and make no special out-of-band patch preparations for Pwn2Own 2011. The last updates to Internet Explorer happened, as scheduled, on February 8th.

As far as the mobile device hacking front goes, Pwn2Own 2011 sees the Dell Venue Pro (Windows 7 Mobile), Apple iPhone 4 (iOS), BlackBerry Torch 9800 (BlackBerry 6) and a Google Nexus S (Android) all being subject to hacker attack. To be successful, a hacker must compromise ‘useful data’ from the phone but with minimal user interaction. Attacks against the phone baseband are allowed this year for the first time, which should liven things up a bit.

One thing is for sure, it’s going to be an interesting week ahead for security watchers…

Source: itpro.co.uk