| |
chachazz
Premium Member
2013-Mar-6 11:36 pm
CanSecWest 2013/Pwn2Own 2013 - Mar 6-7-8quote:
The contest will take place the 6th, 7th, and 8th of March in Vancouver, British Columbia during the CanSecWest 2013 conference. This blog post will be updated as the contest plays out and get real-time updates by following either @thezdi or @Pwn2Own_Contest on Twitter or search for the hash tag #pwn2own.
Tipping Point: » dvlabs.tippingpoint.com/ ··· own-2013 |
|
chachazz
1 edit |
chachazz
Premium Member
2013-Mar-6 11:54 pm
Wednesday: 1:30 - Java (James Forshaw) PWNED 2:30 - Java (Joshua Drake) PWNED 3:30 - IE 10 (VUPEN Security) PWNED 4:30 - Chrome (Nils & Jon) PWNED 5:30 - Firefox (VUPEN Security) PWNED 5:31 - Java (VUPEN Security) PWNED [edit- to update]Thursday: 12pm - Flash (VUPEN Security) PWNED 1pm - Adobe Reader (George Hotz) PWNED 2pm - Java (Ben Murphy via proxy) PWNED » h30499.www3.hp.com/t5/HP ··· /5981157 |
|
1 recommendation |
to chachazz
Apparently despite all the last minute patches the vendors put out, everyone came loaded for bear and it was a clean sweep for the hackers today and not a single Chinese Military hacker in the bunch. Listening to comments with the exception of Java, exploits are getting harder to come by which is good news, but its obvious they aren't impossible, so security concerns remains. Congrads to everyone involved for a good showing thus far.
Blake |
|
1 edit |
chachazz
Premium Member
2013-Mar-7 5:58 pm
Researchers rake in $280K at Pwn2Own hacking contest» www.computerworld.com/s/ ··· _contest(Google's own contest, Pwnium 3, kicks off Thursday at CanSecWest when Chrome OS -- the search giant's browser-based operating system -- will be targeted by researchers.) |
|
| |
to chachazz
$100,000 is a cheap exploit cost, so I don't understand why the fruit company is being so cheap and only offered $65,000, like who cares and on top of that you don't have to be first to get the cash as they are paying out for every exploit and you know there are going to be extra perks as well like paid trips to meet with the dev teams etc to describe your exploit and finding processes etc (unless your hacking the fruit company then they just try to puke on you, just ask Charlie Miller).
Some companies understand that good research costs good money, others maybe not.
Blake |
|
| |
to chachazz
i would like to read more about vupen's cracking "flash player", if they did.. |
|
 siljalineI'm lovin' that double wide
Premium Member
join:2002-10-12
Montreal, QC |
Vupen also managed to exploit a vulnerability in Java, as did researchers from Accuvant Labs and Contextis. Praising Adobe's effort to secure Flash and Reader, Chaouki Bekrar Vupen's CEO told threatpost: "Writing exploits in general is getting much harder. See also: » h30499.www3.hp.com/t5/HP ··· /5981157 |
|
|
2 edits |
said by redwolfe_98:i would like to read more about vupen's cracking "flash player" "On Thursday, the team from French security firm VUPEN jumped through a series of hoops, chained together three separate zero-day vulnerabilities and successfully compromised the latest patched version of Flash as part of the contest. That feat won the company another $70,000" / / / / / / / / / / / "Flash is a different thing and it's getting updated all the time and Adobe did a very good job securing it," Bekrar said. "It's more expensive to create a Flash exploit than a Java one. Every time Adobe updates Flash, they're killing bugs and techniques and sandbox bypasses, and honestly, Adobe is doing a great job making it more secure." » threatpost.com/en_us/blo ··· n-030713 |
|
| |
FF4m3 to chachazz
Anon
2013-Mar-8 7:31 pm
to chachazz
From The Register: "VUPEN Security's crack on IE 10 running on Surface Pro was an eye-opener," Gorenc said. "The vulnerability was so elegant it didn't even crash the browser. They launched the process from outside the sandbox so the user wouldn't even know if they had been hacked."
Meanwhile, two researchers from MWR Lab managed to subvert Google's Chrome browser so completely that they compromised the entire target system it was installed on, which Gorenc praised as "highly skilled." |
|
| |
chachazz
Premium Member
2013-Mar-8 9:18 pm
Chrome OS undefeated at Pwnium 2013 event At this year’s Pwnium event hosted by Google, hackers would unable to exploit Chrome OS. However, partial exploits are currently being reviewed. » www.omgchrome.com/chrome ··· 3-event/ |
|
| |
to Link Logger
Well, "The Fruit Company" was the only one beside the Chromebook left standing. It's not like folks haven't had a blast going after Safari first and having it fall in minutes in previous years.
Looks like "The Fruit Company" knows something about security. |
|
| |
said by unavailable :Well, "The Fruit Company" was the only one beside the Chromebook left standing. It's not like folks haven't had a blast going after Safari first and having it fall in minutes in previous years.
Looks like "The Fruit Company" knows something about security.
They know how to be ignored, the only reason it was left standing is no one bother to work for peanuts. Blake |
|
| |
unavailable
Anon
2013-Mar-9 11:56 pm
Bull. Nobody had anything in their pocket for it. If they could. They would. To believe anything else is just being an anti-Apple troll. |
|
| |
to chachazz
Did anybody even try (and the answer to that would be No)? And if you think that no one trying equals unhackable, that's just Apple Fanboy talk. Security researchers saw what Apple did to Charlie Miller so they just don't care about Apple as its clear they don't appreciate the help, hell Charlie is working for Twitter anymore so even he stopped caring about Apple and had a chuckle about this years Pwn2Own, and the lack of interest in Apple.
Think about it for a moment when Chaouki Bekrar of Vupen says the weakest point of Chrome is Webkit, quick name another browser that uses Webkit and perhaps you can explain why that wouldn't be a problem.
Blake |
|
evoxllx
join:2007-06-07
Winter Park, FL |
to unavailable
said by unavailable :Looks like "The Fruit Company" knows something about security.
Nothing about transport security it would seem. Even after being publicly criticized about not having HTTPS for their app store, they still manage to royally screw over their configuration when it's finally implemented. » www.ssllabs.com/ssltest/ ··· .219.171» www.ssllabs.com/ssltest/ ··· pple.com» www.ssllabs.com/ssltest/ ··· pple.com |
|
| |
to Link Logger
said by Link Logger:Think about it for a moment when Chaouki Bekrar of Vupen says the weakest point of Chrome is Webkit, quick name another browser that uses Webkit and perhaps you can explain why that wouldn't be a problem.
Blake
I quoted the only relevant part of your reply. And, it's damning... If not for the fact that WebKit is open like Mozilla's base. So, anyone can wrap their brand around WebKit and give it away or sell it off. The fact of the matter is that even with a "great weakness" like an open browser base such as WebKit... ZERO hackers had anything in their pocket to compromise it on OS X Mountain Lion. Anyone who is more than a casual observer realizes that even the years when Safari was taken down in "2 minutes" that the attack was in the works for many months beforehand. What you're saying is that no intermediate level hacker could make an easy $65,000 on the "weak" WebKit based Safari on Mountain Lion. I wholeheartedly agree.  It was left standing, and the only other browser/os that was, was a different beast altogether. The Chrome Book. /Pwn2Own |
|
