Thread: Pwn2Own hacking contest 2013 shaping up

  1. #1
    TheAnimus

    Pwn2Own hacking contest 2013 shaping up

    http://nakedsecurity.sophos.com/2013...alf-a-million/

    So the prize fund for this year's Pwn2Own competition has been announced.

    What is interesting is this year they have done away with the point system, and instead assigned an amount per exploit.

    Why is this interesting? Because JAVA is considered so comparatively easy, an exploit is only worth $20k.

    Also, IE 9 on Windows 7 is considerably less than Chrome. (IE10 is the same price).

    Safari gets an honourable mention, being the only browser targeted on OS X.

    With Java having such a low price attributed to its difficulty, it begs the question again: should anyone be running it whilst Oracle dither about?
    throw new ArgumentException (String, String, Exception)

  2. #2
    scaryjim

    Re: Pwn2Own hacking contest 2013 shaping up

    For website plugins, probably not.

    Then again, I guess it's not unlike most software - unless you trust the source of the codebase you're running, you probably shouldn't run it. The web's an easy infection vector, because most people think of websites as "content", rather than "software" - back when I started out as a web designer that probably wasn't too much of a problem, but given the inexorable drive towards the web as a development and distribution platform (rather than a text-sharing protocol) I'd guess that it's not far off being the majority of software that's now web-delivered and hosted. It makes it a lot easier to slip malicious software onto a system when you don't have to have users download and install it...

  3. #3
    Biscuit

    Re: Pwn2Own hacking contest 2013 shaping up

    Does seem bizarre that they would only test Safari in OSX, why not test that in Windows as well? Why not test Chrome on OSX?

  4. #4
    scaryjim

    Re: Pwn2Own hacking contest 2013 shaping up

    Market penetration? I imagine Safari on Windows and Chrome on OS X are fairly small percentages. Makes sense that they'd price according to how widespread an exploit could be.

  5. #5
    TheAnimus

    Re: Pwn2Own hacking contest 2013 shaping up

    OS X is generally considered to be less secure than Windows 8, due to certain issues with key technologies. Apple are really quite new to the secure computing world, instead normally relying on the whole "user privilege" thing.

    When you consider how advanced some of the statistics involved in defeating ASLR are becoming, a lot of these attacks amount to the same thing.

    Break the Browser, this is actually complex, is it via rendering, via script engine, or what?
    Break the sandbox, all browsers now use a sandbox, which in theory is inescapable.
    Break the OS, in theory all OSes do not allow you to do anything beyond the privilege of the user.

    Increasingly the last one isn't needed. For instance the MacDefender was *very* successful when you consider how few there are in the wild.

    The rewards are based on the perceived difficulty of each task, Chrome and IE10on8 are perceived to have the most convoluted and complex security systems.
    throw new ArgumentException (String, String, Exception)
