Yes, it's that time of the year again.
So what have we learnt so far?
This is obviously a competition to win money, and competitors are very selective in what they choose to attack and/or focus on... but it still reveals exploits.
Safari... 5 secs... oh dear... but of course creating the exploit was not easy.
IE8 can also be broken, including escaping protected mode, but is apparently harder to do.
Firefox, still to come at this point.
So far nobody seems keen to take on Chrome... which may or may not mean anything.
-
We learned you can sometimes exploit security issues that haven't been patched yet.
-
We also learnt that writing secure software is difficult, especially more so if you have to write software that utilizes a series of tubes.
-Josh
-
I think the contestants in this contest can only use unpublished security vulnerabilities.
-
To my understanding, the casual virus that most people encountered doesn't even exploit security flaws.
Hell, people check the agreement box and willingly give out their account and password. And you start seeing them talking random stuff on their messenger. Exploiting humans is so much easier after signing the user agreements.
-
Trying to game the system by releasing patches hours before the contest doesn't actually help.
And yes, you can only win pwn2own with a previously unpublished vuln.
-
These are the current high level 'security approaches' I see being in work:
1. Trying to protect the ignorant from doing ignorant things where they're obviously bad and recognizable algorithmically (IE smart screen falls into this category, though every time I've seen it pop it's a false positive so I suspect it will/has suffered from the UAC-problem of too many pop ups)
2. Trying to keep those who care about security secure but can't afford to spend every minute of the day being totally paranoid and locking everything down completely, this usually is the stuff patched monthly.
(3. cases where more security than 1&2 provide is needed, but then it's up to the user/admin to be a lot more pro-active about it. This involves isolated computers, networks or at least a lot of virtual machine use. Things like Sandboxie are a light-weight approach to this but I'm not convinced that actually does much about security, to me it seems more like protecting the system from getting all kinds of crap into it but uncertain how well if at all it protects against exploit code, never mind if the app running in it is under attacker control)
Features/activities in #1 and some in #2 (automatic updates) can help everyone. The less ignorant users take more advantage of #2 by also updating apps that may not update automatically and do infrequent security updates. And #3 is where all the actual work is.
So of course I'd like to see some of the stuff falling into #3 coming more into the category #2 so less work is needed to, say, create a secure execution environment and instead of having to take care of virtual machines and whatnot, you could just click some box in properties and have a guarantee that anything that app does won't affect the system permanently even if it is an installer for a rootkit.
On my personal computer the biggest annoyance with #3 is I have several VMware snapshots with different things being worked on. And when Windows Updates come, all of the snapshots have to be updated separately. MADNESS I say. I want the benefits of VMware without VMware, straight in the OS. It can be done, that's for sure.