The annual CanSecWest conference, currently running in Vancouver, Canada features the PWN2OWN 2008 competition which gives attendees the chance to win a Sony Vaio VGN-TZ37CN (Ubuntu 7.10), a Fujitsu U810 (Vista Ultimate SP1) or a MacBook Air (Mac OS X 10.5.2).
How does the competition work? "You hack it, you get to keep it." The task set is to extract a specific file from the chosen system via the Ethernet port (RF attacks are acceptable "by special arrangement"). Each system is patched and in a "typical" configuration, and successful completion will require the execution of code on the laptop.
Contestants have just 30 minutes to do the deed, and they have no physical access to the targets.
All three systems survived the first day of the competition, which limited attacks to "Remotely exploitable Pre-Auth vulnerabilities which require no user interaction." That meant TippingPoint's $20,000 cash prize was safe.
The second day widened the scope to "any default installed client-side applications which can be exploited by following a link through email, vendor supplied IM client or visiting a malicious website."
CONTINUED
The MacBook Air was the first to fall. Charlie Miller, Jake Honoroff and Mark Daniel from Independent Security Evaluators exploited a newly discovered vulnerability in Safari to win the Apple notebook plus $10,000 cash.
Details of the vulnerability will not be published until Apple releases a patch. Even if the vulnerability is also present in the Windows version of Safari, competition rules mean it cannot now be used to win the Fujitsu. That suggests that the ISE team wanted to win the MacBook Air rather than the Windows notebook - a possibility that is borne out by the fact that the winning attack was carried out from a MacBook.
The third day will add a selection of popular third-party programs to the mix, with the cash prize dropping to $5000.
