
March 18th, 2008

CanSec West '08 - Pwn2Own contest rules announced

Posted by Nathan McFeters @ 6:13 pm

Categories: Apple, Black Hat, Exploit code, Hackers, Responsible disclosure, Vulnerability research, Windows Vista, Zero-day attacks

Tags: Competition, Patch Management, Patches, Security, Nathan McFeters

The Pwn2Own contest rules were announced recently for CanSecWest ’08, coming up next week.

Unfortunately, or fortunately (depending on how you look at it), I won’t be able to join in the fun as I will be presenting at Black Hat Europe next week, although you can rest assured I’m going to take a stab at the contest from remote! I’ve got a couple of interesting things I’ve been looking at in each of the target environments (well, not Ubuntu yet, but I’ll start looking tonight), although I doubt I’ll get something exploitable in time. It’ll be interesting to see if anyone comes up with something this year… it sort of makes me wish I would’ve sat on the iPhoto format string flaw I discovered a while back, but then that wouldn’t have been very responsible of me.

In any case, you can see that Apple was hot on the patch releases today, as referenced by my co-blogger Larry Dignan here and here. It had me wondering, was there something special about the day after St. Patrick’s Day? Did everyone get done drinking Guinness last night and decide it would be a good time to push out those 80-85 patches they were sitting on? It seems a bit too coincidental that this major security conference is coming up with a Pwn2Own competition involving that fancy new MacBook Air and the next thing you know 80-85 patches are coming out of Cupertino. Ok, ok, so maybe I’m a conspiracy enthusiast and the patch had nothing to do with that at all, but it does make for interesting discussion.

Someone stands to get a lot of props, a new computer, and potentially up to $25,000 from ZDI for the new vulnerability. For those unfamiliar with the competition, Dino Dai Zovi won the competition last year, and was rewarded with a new Mac and also $10,000.

All I’ll say for a prediction for this year is:

Lock the women, children, and MacBook Air up because Dino is coming to town!

-Nate

Nathan McFeters

Nathan McFeters is a Senior Security Advisor for Ernst & Young's Advanced Security Center in Chicago. The views and opinions expressed in this article are his own and do not represent the views and opinions of Ernst & Young Advanced Security Center or Ernst & Young, LLP. Nathan has performed web application, deep source code, Internet, Intranet, wireless, dial-up, and social engineering engagements for numerous clients in the Fortune 500 during his career at Ernst & Young and has spoken at a number of prestigious conferences, including Black Hat, DEFCON, ToorCon, and Hack in the Box. He can be found at his Pwn* blog and XS-Sniper, a blog with Billy Rios. See his full profile and disclosure of his industry affiliations.

