While Apple, Mozilla and Google are patching their browsers before the hackers arrive at the Pwn2Own hacking contest looking for likely targets, Microsoft won't be issuing any patches for Internet Explorer before the contest.
not be updating Internet Explorer before the Pwn2Own hacking contest, despite
the fact that elite hackers will be gunning for the Web browser.
the announcement on March 4 as security researchers are getting ready for
Pwn2Own, a contest that pits hackers against the latest versions of the four
major browsers and four mobile platforms for cash prizes.
browsers include Internet Explorer 8, Apple's Safari 5, Google's Chrome 9 and
Mozilla's Firefox3.6. The mobile platforms include a Dell Venue Pro running
Windows 7, an iPhone 4 running iOS, a Blackberry Torch 9800 running Blackberry
6 OS and a Nexus S running Android.
In contrast, Mozilla and Google
announced a number of patches
in advance of the contest for their respective browsers. Mozilla rolled out
patches on March 1 for 10 security flaws in Firefox, and Google patched 19
flaws in Chrome. Most of the bugs were either high-priority or critical.
tends to update IE in even-numbered months, and already patched the browser as
part of its gigantic Patch Tuesday update on Feb. 8.
patch Safari before the contest begins, according to a post on Twitter by French
security firm Vupen
. "Anti-pwn2own again: Apple fixed a
record of 50 vuln[erabilities] in WebKit (iTunes), and is preparing the update
for Safari/Mac OS X," the company posted.
, security researcher at
Independent Security Evaluators, known for cracking Safari for the last three
years at the contest, doesn't think the potential patch will stop him in his
fourth attempt this year, according to Ars Technica
. Miller has also exploited
vulnerabilities in the iPhone during past contests. He's slated to go fourth in
his attempt to crack Safari, and second to hack the iPhone in this year's
only Apple and Google updated their browsers before Pwn2Own. Mozilla found but
couldn't fix a critical vulnerability in Firefox before the contest, so
organizers ruled that hole off-limits to contestants.
researchers find existing vulnerabilities and create exploits for unpatched
bugs in the existing products before the contest. They then take turns during
the contest to try to be the first at successfully hacking the targeted
platform. All vulnerabilities and exploits used during the competition belong
to Tipping Point, the sponsor of the contest, according to the rules.
organization's Zero Day Initiative bug bounty program then reports the bugs to
the appropriate vendor and gives them six months to fix the problem before
releasing the information to the public. The security researcher who found the
vulnerability is not allowed to publicize the flaw after the contest, per
Ars Technica that as he is slated to go last in the Safari contest, it's likely
the browser will fall to at least one of the other three contestants' attacks.
"So I'm not going to report that vulnerability," he said.
$15,000 cash prizes for each browser or mobile device hacked from a pool of
$125,000. The hacker that takes down Safari will also win a 13-inch MacBook
Air. Google has sweetened the pot by offering an additional $20,000 reward for
the researcher who can take down Chrome, which hasn't been hacked in previous
run March 9 to March 11 in Vancouver, Canada, at the CanSecWest security