On the first day of Pwn2Own 2009, four 0-day vulnerabilities brought down three well-known browsers. There were no further surprises after that, and the conference ended at the weekend. The contest wrap-up from the organizers is reproduced below:

We are all wrapped up from this year's CanSecWest and pwn2own contest, and again it was a great conference, and a successful competition. The contest uncovered 4 new and unique critical vulnerabilities affecting the latest and greatest versions of IE, Safari and Firefox. The Chrome browser gets a small nod for being impacted by one of the flaws, although exploitation is not possible using any current known techniques. I'm sure they'll get it fixed up just the same.

What I always enjoy the most about CanSec in general is the smaller scale single track nature of the conference. It’s a more intimate setting, which always feels a lot like a group of old pals getting together for a reunion, with a few fresh faces to spice it up!

We ended the final day of competition with all the Mobile devices unscathed. I think the number one question that was asked is “Why?” Are mobile devices inherently more secure? It was a tough question to answer. I think there are a lot of barriers left to overcome in order to have a successful contest on these platforms, and too many reasons to list.

Much of the research is still new; there were several talks just this week that addressed the mobile platforms and vulnerabilities. The usual process that ensues once cutting edge research is presented in our security research community is that the information is taken in by the masses, studied, tested, refined and shared. Some of the brightest minds from around the world begin looking at these things, and we always see very elegant and amazing new information emerge.

The mobile platform is limited by both memory and processing power. What that generally amounts to is that the vulnerabilities do exist, but actually exploiting them is complicated and unpredictable. There are additional variables which can be show stoppers just between the hardware manufacturers themselves, or the carrier network the phone is associated with. These are just a few examples, and the lack of known debuggers for many of the platforms adds limitations.

There was once a day many years ago when I believed that we (the security industry/vendors) could actually develop new product versions that, after a period of time, would eventually plug all of the holes. The one thing I can say that I have learned for certain is that anytime you technically shut down a class of vulnerabilities, new classes that we've not yet conceived of will be discovered. Anytime you manage to mitigate an exploit technique to render undiscovered vulnerabilities in a known class useless, new and amazing exploit techniques will emerge from our research community that redefine and reset how we look at protection, patching, and mitigations.

When you fully digest this fact, I believe it's the very moment at which you come to realize that the once thought of unsophisticated "mod squad" don't fit that profile much at all. They are scientists in their own right, with or without PhDs (or high school diplomas in some cases!). The work they do is akin to astronomers discovering new bodies in our solar system. Many form theories and hypotheses through raw intuition and curiosity, and prove to us over and over again that the work they do and the research they contribute is highly valuable, makes products better and more secure for consumers, and they are not to be underestimated.

It's in this very spirit that CanSecWest and ZDI have agreed that next year's Pwn2Own will most definitely include a mobile phone competition again! If history can tell us anything here, it's that by this time next year, the community will have turned what we now believe upside down, and more than likely wow us with a new generation of techniques that I will affectionately dub "Micro Exploits" that are able to function predictably on the mobile platform.

After much appreciated feedback from the contestants, we’ll be sure that such details as version numbers of the OS and exact hardware specs are made available well in advance.

Congratulations once again to all of our winners, and thanks to all who helped make pwn2own 09 another fantastic event!

Day 1: http://dvlabs.tippingpoint.com/blog/2009/03/18/pwn2own-2009-day-1—safari-internet-explorer-and-firefox-taken-down-by-four-zero-day-exploits

Day 2: http://dvlabs.tippingpoint.com/blog/2009/03/20/pwn2own-day-2

Wrap Up: http://dvlabs.tippingpoint.com/blog/2009/03/21/pwn2own-wrap-up
