Amusing how paranoid the browser developers have become about CanSecWest:
Pwn2Own browser day: March 9th, 2011
Safari 5.0.4 released March 9th
Chrome 10.0.648.127 released March 8th
Firefox 3.6.15 released March 4th
Internet Explorer 8 didn't get a patch this cycle (too cool for school)
Mobile day: March 10th, 2011
iOS 4.3 released March 9th
Nexus S 2.3.3 released Feb 24th
Not sure about WP7 & BB
Besides, if most competitors arrive at the competition with carefully-researched exploits available to use, I'm not sure this sort of last-minute patching would make much difference, even if it was intentional.
Apparently the last week's code rule was a surprise; I don't think the vendors knew about it.
> I'm not sure this sort of last-minute patching would make much difference
Even if the vulnerability is still there, screwing with the way the binary is built and linked could easily make it so they'd have to put it back in a debugger and retune the exploit.
To be fair, Chrome gets updated around every two weeks. That it happened to get pushed out the day before CanSecWest may just be a coincidence. Firefox tends to release a new version every month or so as well. Though Mozilla did push 3.6.15 four days after 3.6.14, so it may very well play into your point.
It's definitely a known tactic though, here is a tweet from the people who took down safari:
@VUPEN: Anti-pwn2own again: Apple fixed a record of 50 vuln. in Webkit (iTunes), and is preparing the update for Safari / Mac OS X... (1:43 AM Mar 3rd via web)
Every year the press makes it sound like a race, or that being exploited first is somehow worse than being exploited later in the day. The fact is that time slots are assigned randomly: http://twitter.com/VUPEN/status/40078022325444608
Interestingly, according to http://www.computerworld.com/s/article/9214002/Safari_IE_hac... , the researchers who signed up to hit Chrome have either not shown up or decided to concentrate on Blackberry instead. Seems their sandbox holds up quite well.
Taking down the Mac gets you the best laptop and the most press. Simple.
It would be different if the other OS/browsers didn't go down too, but the fact that the Mac is always first to go just means it's the most desirable target.
I can see how you associate it being the least secure with it being the most awesome. I don't see what could go wrong with your ability to take some legitimate and important criticism about something you like and turn it into something awesome about said thing.
Macs always go down quickly in these contests. The people who make it happen often say that it's considerably easier.
edit:
Charlie Miller: "It's really simple. Safari on the Mac is easier to exploit. The things that Windows do to make it harder (for an exploit to work), Macs don't do. Hacking into Macs is so much easier." - http://www.zdnet.com/blog/security/questions-for-pwn2own-hac...
The existence of the vulnerability itself is now obvious-- no one is arguing against it. (And thus, I don't think anyone's arguing that a fully-patched OS X system is fully impenetrable). But the fact that the winner gets to keep the hardware certainly has a lot to do with which target they choose to attack.
Did Safari fall first because it is the least secure, or because it is the hardware everyone wants to win? It really is difficult, if not impossible to tell.
Personally, I'm quite sure that the Windows machines are at this point far more secure, simply because Microsoft takes so much battering by being in the dominant position. But I wouldn't use this as evidence for it.
EDIT: Question about your quote-- later in that article, Miller suggests that there is no "randomization" in OS X, while this year's article says his exploit bypassed ASLR in OS X-- is this a new feature in OS X that wasn't present in 2009?
It's my understanding that ASLR has been in OS X since 10.5, but it's a poor (in comparison) implementation. Interestingly, the recently released iOS 4.3 has it.
I really don't think that these security researchers are prioritizing based on winning a $1200 laptop. Given that this competition is time-based, I'd, again, say that they prioritize based on speed.
ASLR was in 10.5 and 10.6 but it's not a good implementation at all (in particular the dynamic linker isn't randomized, and has plenty of useful code in it to play with, rendering the randomization basically pointless).
Most ASLR bypasses are when someone's found an application that includes one or more images that were compiled without randomization support and thus have a predictable load address and code to use; with OS X you get one for free in every application by default.
10.7 is supposed to have better ASLR, haven't investigated yet though.
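The comment above boils down to one audit question: does every image in the process support being loaded at a random base? On Mach-O the header carries that in the MH_PIE flag (defined in Apple's mach-o/loader.h; the flag is only meaningful for MH_EXECUTE images). The following is an added example, not code from the thread or from Apple: it decodes the fixed Mach-O header, handles both byte orders and rejects fat binaries, and reports which executables in a set would load at a predictable address. The sample headers are constructed inline for the demo; all constants are the real loader.h values.

```python
import struct

# Constants from <mach-o/loader.h> (real values, not taken from the thread)
MH_MAGIC = 0xFEEDFACE      # 32-bit header, file bytes in host order
MH_CIGAM = 0xCEFAEDFE      # 32-bit header, byte-swapped
MH_MAGIC_64 = 0xFEEDFACF   # 64-bit header
MH_CIGAM_64 = 0xCFFAEDFE   # 64-bit header, byte-swapped
FAT_MAGIC = 0xCAFEBABE     # universal (fat) wrapper; slice it first
FAT_CIGAM = 0xBEBAFECA
MH_EXECUTE = 0x2           # filetype: main executable
MH_NOUNDEFS = 0x1
MH_DYLDLINK = 0x4
MH_TWOLEVEL = 0x80
MH_PIE = 0x200000          # OS may load this executable at a random address
CPU_TYPE_I386 = 0x7
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_POWERPC = 0x12

# The first 28 bytes are shared by mach_header and mach_header_64:
# magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags
HEADER_FMT = "IIIIIII"
HEADER_LEN = struct.calcsize("<" + HEADER_FMT)


def parse_header(blob: bytes) -> dict:
    """Decode the fixed Mach-O header, choosing byte order from the magic."""
    if len(blob) < HEADER_LEN:
        raise ValueError("too short for a Mach-O header")
    magic_le = struct.unpack_from("<I", blob, 0)[0]
    if magic_le in (MH_MAGIC, MH_MAGIC_64):
        order = "<"
    elif magic_le in (MH_CIGAM, MH_CIGAM_64):
        order = ">"            # stored big-endian, e.g. a PowerPC image
    elif magic_le in (FAT_MAGIC, FAT_CIGAM):
        raise ValueError("fat binary: pick one architecture slice first")
    else:
        raise ValueError("not a Mach-O image (magic 0x%08x)" % magic_le)
    fields = struct.unpack_from(order + HEADER_FMT, blob, 0)
    names = ("magic", "cputype", "cpusubtype", "filetype",
             "ncmds", "sizeofcmds", "flags")
    return dict(zip(names, fields))


def is_pie_executable(blob: bytes) -> bool:
    """True if this main executable asks dyld for a randomized base."""
    hdr = parse_header(blob)
    if hdr["filetype"] != MH_EXECUTE:
        raise ValueError("MH_PIE is only defined for MH_EXECUTE images")
    return bool(hdr["flags"] & MH_PIE)


def non_pie_executables(images: dict) -> list:
    """Names of executables that would load at a fixed, predictable address."""
    return sorted(name for name, blob in images.items()
                  if not is_pie_executable(blob))


def _make_header(magic: int, cputype: int, flags: int,
                 big_endian: bool = False) -> bytes:
    """Constructed minimal header for the demo (no load commands follow it)."""
    order = ">" if big_endian else "<"
    hdr = struct.pack(order + HEADER_FMT, magic, cputype, 3, MH_EXECUTE,
                      0, 0, flags)
    if magic == MH_MAGIC_64:
        hdr += b"\x00" * 4     # mach_header_64 has a trailing reserved field
    return hdr


COMMON = MH_NOUNDEFS | MH_DYLDLINK | MH_TWOLEVEL

# Constructed sample set: one randomizable app, two fixed-address executables
SAMPLE_EXECUTABLES = {
    "pie_app": _make_header(MH_MAGIC_64, CPU_TYPE_X86_64, COMMON | MH_PIE),
    "legacy_tool": _make_header(MH_MAGIC, CPU_TYPE_I386, COMMON),
    "ppc_tool": _make_header(MH_MAGIC, CPU_TYPE_POWERPC, COMMON, big_endian=True),
}

if __name__ == "__main__":
    for name in non_pie_executables(SAMPLE_EXECUTABLES):
        print("fixed load address:", name)
```

To apply this to real files, read the first 32 bytes of each executable and pass them to `is_pie_executable`; `otool -hv` on the same file should list `PIE` among the flags when the function returns True. The check answers only the question the flag answers (will the main executable be relocated); whether the dynamic linker itself is randomized, which is the gap the comment above describes, is a property of the OS release rather than of any one application's header.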
>Did Safari fall first because it is the least secure, or because it is the hardware everyone wants to win? It really is difficult, if not impossible to tell.
>But the fact that the winner gets to keep the hardware certainly has a lot to do with which target they choose to attack.
That's just weak, the prizes were $15,000 even for IE8 and Google was offering $20K.
Historically this was more of a factor though - it's definitely something Miller has mentioned as being a part of his decision making. The prize structure has changed a lot: in 2009 Tipping Point offered $5,000 + the machine, in 2010 it was $10,000 + the machine and now it's $15,000 + the machine.
You're looking at it wrong. Why spend $1200 of the $15000 on an Air when you can keep the whole $15k and get an Air. You get $15k with both; the difference is whether you want the Air on top of that or not.
> I can see how you associate it being the least secure with it being the most awesome
In fact he associated the fact of being the most awesome and generating the most media coverage with the fact it would be the first to fall, regardless of how secure or not the computer is.
I think the $15,000 cash prize and PR with being first, regardless of OS/browser, plays larger than the delta between getting a high PC laptop and a MBP. And it's not like they don't already have Macs -- that's how they developed their OS X exploit.
UPDATE: It's actually a MacBook Air 13", not MBP. The other laptops are ASUS G73SW and Alienware M11x.
That's simply not true. Macs are often said to be easier to take down.
However, a vulnerability on the Mac isn't worth as much (on the black-market) as a vulnerability on Windows. So people keep trying to break Windows. Even if you tried to sell a Mac vulnerability, the people who make botnets wouldn't be interested, as they can buy Windows vulnerabilities instead.
pwn2own is the only show in town where a Mac vulnerability is worth roughly the same as a Windows one.
I question the metric used in these contests. Reports always make it sound like someone just walks up completely unprepared and hacks a machine.
"We had to do everything from scratch. We had to create a debugging tool, create the shellcode and create the ROP (return oriented programming) technique,"
Obviously there is a fair bit of preparation involved.
They're all prepared in advance. I don't really understand what you mean about the reporting though; as you point out, the discussion makes it clear none of this is off the cuff.
Each day the rules get looser, making the compromise easier. I can't find the 2011 rules easily, but here they are from 2009:
Day 1: Default install no additional plugins. User goes to link.
Day 2: flash, java, .net, quicktime. User goes to link.
Day 3: popular apps such as acrobat reader ... User goes to link
iirc it's only the last year or two that most of them have been falling on day 1
"VUPEN won a $15,000 cash prize and an Apple MacBook Air 13″ running Mac OS X Snow Leopard" ... and Calculator.app, whether he wanted it running or not.
I'm not surprised; this is, what, the third year in a row now? I hope Apple pays attention to the things Google is doing with Chrome. If I'm not mistaken, Lion will be shipping with WebKit2 and sandboxing.
I've tried Chrome, but strangely I just always go back to Safari; it just feels right at home.
Five years in a row, as CanSecWest has run Pwn2Own for five years. OS X/Safari has also always been the first one to drop afaik, though this has at least as much to do with Apple kit being the most desirable as anything else.
It's not a race. The exploits are prepared far in advance, and whichever is hacked first is determined by the random order in which the challengers get to demonstrate their hacks.
It's not surprising because he [Charlie Miller] was fourth or fifth in line.
Everyone who signs up for this has exploits already in the bag that they've been working on for weeks; it's not like it's hackers showing up and racing each other to discover exploits from scratch (which, incidentally, renders the whole "first to fall"/"browser X pwned in seconds" style of headline asinine).