Third annual Pwn2Own competition closes, conclusions

The third annual Pwn2Own competition has wrapped up recently, showing off some interesting events throughout the event. If you've been following the contest at Neowin, you may have seen Microsoft flaunting a very speedy response time to a bug, as well as Google's Chrome being the only browser to survive the first day. That's all well and good, but what else happened?

Firstly, none of the mobile devices at the competition were exploited. Why was this? According to the TippingPoint blog, "'Why?' Are mobile devices inherently more secure? It was a tough question to answer. I think there are a lot of barriers left to overcome in order to have a successful contest on these platforms, and too many reasons to list." Essentially, mobile devices have a limited amount of memory and processing power, so they can be exploited "but actually exploiting them is complicated and unpredictable."

Four new major flaws were discovered in the three main browsers tested; IE, Firefox and Safari. Following up from Chrome's first day of attack, the browser never suffered any major vulnerabilities. Apparently one flaw was found in it, yet any of the current known techniques are unable to exploit it. A small victory for Google, but remember Chrome is in early days still. As the blog mentions, the moment you patch one flaw in a browser new exploits are quickly discovered. It's this fact that powers these types of competitions, and rightly so.

This year's Pwn2Own was a great success and it's good that the fixes for the flaws are being worked on so quickly. Stay alert for this time next year, when the fourth Pwn2Own kicks off.

Report a problem with article
Previous Story

Review: Resistance Retribution for PSP

Next Story

Pressure mounts on Google's UK street view service

7 Comments

Commenting is disabled on this article.

whats i found awesome is that a couple of the hackers said Windows is a very secure and advanced OS, leaps beyond OS X, Chrome on Windows was a challange, if it were on OS X, not so much, same for Firefox

gotta give MS props where they are due

While they may have said that, it seems that the majority of exploits still occur on Windows systems. I have no doubt that OS X and Linux would have their share of exploits discovered, but as of yet nothing has happened. Sure, Windows' user base is huge, but OS X and Linux have a sizable user base as well. According to some reports about black market prices, Windows machines taken by a rootkit are quite cheap, while Linux machines fetch a nice price. The reason mostly had to do with the fact that the Linux machines aren't rebooted often and are quite reliable, but I'd imagine that there's also a bit of supply-and-demand economics that go into it as well. The people making use of these exploits are, in general, going for the low-hanging fruit, as well.

This is not meant to be a dig at Windows. I'm miffed that I still receive spam mail, and I'm well aware that nearly all (if not all) of it is coming from compromised machines. It irks me to hear that people are claiming that something is so superior in terms of security, yet we know very well that a disproportionately high percentage of compromised machines are running that very operating system.

Every OS maker (or community, for the Linux boys and girls) should be quick to respond to security issues, and they should be designing their stuff with security in mind.

More vulnerabilities will be found in Chrome as it gains more features. Anyways, on at least more than one of my computers (clean installs), Chrome's sandbox model is broken (that infamous Aw...snap) error and I've to disable the sandbox feature using -no-sandbox to use Chrome.

I think that it's good for Chrome to be relatively secure so early on. Of course, this could be from a lack of extensions and the underlying, probably exploitable, framework for them.