While Apple, Mozilla and Google are patching their browsers before the hackers arrive at the Pwn2Own hacking contest looking for likely targets, Microsoft won't be issuing any patches for Internet Explorer before the contest.
Microsoft will
not be updating Internet Explorer before the Pwn2Own hacking contest, despite
the fact that elite hackers will be gunning for the Web browser.
Microsoft made
the announcement on March 4 as security researchers are getting ready for
Pwn2Own, a contest that pits hackers against the latest versions of the four
major browsers and four mobile platforms for cash prizes.
The targeted
browsers include Internet Explorer 8, Apple's Safari 5, Google's Chrome 9 and
Mozilla's Firefox 3.6. The mobile platforms include a Dell Venue Pro running
Windows 7, an iPhone 4 running iOS, a BlackBerry Torch 9800 running BlackBerry
6 OS and a Nexus S running Android.
In contrast,
Mozilla and Google announced a number of patches
in advance of the contest for their respective browsers. Mozilla rolled out
patches on March 1 for 10 security flaws in Firefox, and Google patched 19
flaws in Chrome. Most of the bugs were either high-priority or critical.
Microsoft
tends to update IE in even-numbered months, and already patched the browser as
part of its gigantic Patch Tuesday update on Feb. 8.
Apple may
patch Safari before the contest begins, according to a post on Twitter by French
security firm Vupen. "Anti-pwn2own again: Apple fixed a
record of 50 vuln[erabilities] in WebKit (iTunes), and is preparing the update
for Safari/Mac OS X," the company posted.
Charlie Miller, security researcher at
Independent Security Evaluators, known for cracking Safari for the last three
years at the contest, doesn't think the potential patch will stop him in his
fourth attempt this year, according to Ars Technica. Miller has also exploited
vulnerabilities in the iPhone during past contests. He's slated to go fourth in
his attempt to crack Safari, and second to hack the iPhone in this year's
competition.
Last year,
only Apple and Google updated their browsers before Pwn2Own. Mozilla found but
couldn't fix a critical vulnerability in Firefox before the contest, so
organizers ruled that hole off-limits to contestants.
Before the contest,
security researchers find vulnerabilities in the targeted products and develop
exploits for the unpatched bugs. During the contest, they take turns trying to
be the first to successfully hack the targeted platform. All vulnerabilities
and exploits used during the competition belong to TippingPoint, the sponsor
of the contest, according to the rules.
The
organization's Zero Day Initiative bug bounty program then reports the bugs to
the appropriate vendor and gives the vendor six months to fix the problem before
releasing the information to the public. The security researcher who found the
vulnerability is not allowed to publicize the flaw after the contest, per
contest rules.
Miller told
Ars Technica that as he is slated to go last in the Safari contest, it's likely
the browser will fall to at least one of the other three contestants' attacks.
"So I'm not going to report that vulnerability," he said.
Winners get
$15,000 cash prizes for each browser or mobile device hacked from a pool of
$125,000. The hacker who takes down Safari will also win a 13-inch MacBook
Air. Google has sweetened the pot by offering an additional $20,000 reward for
the researcher who can take down Chrome, which hasn't been hacked in previous
contests.
Pwn2Own will
run March 9 to March 11 in Vancouver, Canada, at the CanSecWest security
conference.