Apple’s Safari will be the first browser to fall next month at the Pwn2Own hacking challenge, the contest organizer predicted Wednesday.
A researcher who has won at Pwn2Own the last two years wasn’t so sure.
“Safari will be the first to go,” said Aaron Portnoy, security research team lead with 3Com TippingPoint, the sponsor of Pwn2Own. Portnoy is the organizer of the contest. “[Safari will] be on Snow Leopard, which isn’t on the same level as Windows 7,” he added as he predicted Apple’s browser would crumble when the action starts March 24.
Now in its fourth year, Pwn2Own has made headlines for hacks of Apple’s Mac OS X and Safari, as well as Microsoft’s Windows and that company’s Internet Explorer (IE) browser. In 2009, for example, researcher Charlie Miller hijacked a Mac in less than five seconds through Safari to win $5,000, while a German student knocked down three browsers on Windows to walk off with $15,000.
Miller, who works as a principal analyst at Independent Security Evaluators, a security consulting firm, plans to again compete at Pwn2Own and hopes to “three-peat” as a contest winner. In 2008, Miller won $10,000 by hacking a MacBook Air in less than two minutes , again by exploiting a Safari bug.
But he’s not as certain as Portnoy that Apple’s browser will tumble first. “Unlike previous years, I’d say Safari isn’t significantly easier than the browsers on Windows,” Miller said Wednesday in an e-mail reply to questions about his Pwn2Own plans and predictions. “I say this because Snow Leopard finally has DEP [Data Execution Prevention]. Also, because at Black Hat DC, Dion Blazakis showed how to defeat DEP in [Windows] browsers. The only difference is that Safari has a bigger attack surface, and includes, for example a PDF reader (Preview) and Flash.”
Miller’s bottom line? “I’ll predict that two to three browsers will go down, including Safari for the fourth straight year,” he said.
Last year, Firefox, IE and Safari all fell to attack; only Google’s Chrome went unscathed.
The first day of Pwn2Own’s browser challenge this year will pit researchers against the latest versions of Chrome, Firefox and Internet Explorer 8 (IE) on Windows 7, and Safari on Mac OS X 10.6, aka Snow Leopard. The operating systems will have their attack defenses configured to their default settings.
If a browser goes down on day 1, its attacker will be awarded $10,000—double last year’s reward—and the notebook it was running on. Once hacked, a browser is removed from competition. Untouched browsers continue into day two, when Chrome, Firefox and IE7—the 2006 predecessor to the newer IE8—are installed on laptops running the older Windows Vista. Any browser that survives to the third day is installed on Windows XP. (Safari remains on Snow Leopard throughout.)
Because of the changing OS landscape for Chrome, Firefox and IE, Portnoy predicted that none of those browsers would fall the first day, when each will be running on Windows 7. “Anything on Windows 7 will not be compromised the first day,” Portnoy said. “DEP and ASLR [address space layout randomization] make exploiting vulnerabilities much more difficult.”
Researchers will likely wait until the second or third day to take a crack at the Windows browsers, he said. The payout, $10,000, is the same no matter when a browser is successfully exploited.
Pwn2Own’s other hacking track will feature an iPhone 3GS, a Blackberry Bold 9700, an unspecified Nokia smartphone running the Symbian S60 platform and a Motorola, most likely a Droid, powered by Google’s Android. A successful hack must result in code execution with little to no user-interaction.
Portnoy refused to predict which smartphone would fail first, although having spent months organizing the mobile side of the contest, he said he has “a fairly good idea of what will come out of the mobile exploits.”
If he had to pick the phone easiest to attack, he would lay his money on Apple’s iPhone. Why? “Because it runs Safari, which [is built] on the notoriously buggy WebKit [engine],” Portnoy said.
Miller, who also has a reputation on the mobile side— he was one of the three researchers who discovered the first iPhone security bug and found the first Android vulnerability on his own—was convinced that the smartphones would remain untouched, as they did during 2009’s Pwn2Own.
“I predict none of the phones will be successfully attacked,” Miller said. “Phones are much harder than browsers to attack, there isn’t the well-known knowledge out there for attacking phones as there is for browsers. Attacking phones is still pretty cutting edge.”
Portnoy hopes Miller is wrong. “We’ll see more competitors on mobile than last year,” Portnoy said. “I know some researchers have vulnerabilities ready to go, as they always do.”
Part of the problem last year with the mobile part of Pwn2Own was the last-minute nature of that competition, Portnoy argued. This year, he set the stage with an advisory group of about 15 security researchers who worked out the contest’s ground rules. TippingPoint has also boosted the mobile rewards from 2009’s $10,000 to $15,000 this year, and added additional enticements to all winners that include enough points in TippingPoint’s Zero Day Initiative (ZDI) bug-bounty program to qualify for another one-time payment of $5,000.
Pwn2Own will run March 24-26 at the CanSecWest security conference in Vancouver, British Columbia, and could award as much as $100,000 in cash. TippingPoint purchases the rights to the vulnerabilities and exploit code used during the contest, reports the bugs to the vendors and uses the information to bolster the security systems it sells.