Pwn2Own is an annual hacking competition held at the annual CanSecWest security conference.
Pwn2Own encourages experts to hack devices and exploit software for various platforms in an effort to win the device that was hacked and a cash prize. Once a device has been hacked, TippingPoint compiles a detailed report of how the hacker exploited the software and provides it to the product vendor. The report alerts the vendors and guides them in fixing the vulnerable components of their software.
At Pwn2Own 2010, hackers successfully hacked the Apple iPhone and Internet Explorer 8. TippingPoint does not divulge any information about how the software was hacked until after the vendors have fixed the problems.
–>>Vupen Security and Sergey Glazunov independently managed to penetrate Google Chrome’s security defenses at the Pwn2Own and ‘Pwnium’ contests respectively. The annual competition, which invites ethical hackers from around the world to attempt hacking into the most popular web browsers and in the process expose vulnerabilities and loopholes in the browser’s security, while grabbing a handsome reward.
At this year’s competition, the co-founder and head of research of Vupen, Chaouki Bekrar and his team managed to break into Google Chrome in less than 5 minutes, in the process quashing talks about the browser’s unquestionable security. They used “a pair of zero-day vulnerabilities to take complete control of a fully patched 64-bit Windows 7 (SP1) machine.” For the successful break-in, Vupen has won itself 32 points.
Google Chrome security knew that the Flash Player plugin sandbox is significantly weaker and that an exploit against Chrome’s Flash Player would have to go through a certain path.Having figured out that Vupen used that technique (from the May video), Google decided to add a specific protection for Flash. The hack qualifies him for one of the top $60,000 prizes that are part of Google’s $1 million Pwnium challenge, and could be the launch of a new security career.
VUPEN co-founder Chaouki Bekrar, an outspoken exploit writer who insisted the team deliberately targeted Chrome to prove a point, was uncharacteristically coy when asked if the faulty Chrome code came from Adobe.”It was a use-after-free vulnerability in the default installation of Chrome,” he said. “Our exploit worked against the default installation so it really doesn’t matter if it’s third-party code anyway.” Bekrar told, Zdnet reports.
–>>”Google offered a separate “Pwnium” contest with a $1,000,000 prize purse for Chrome specific exploits.
Sergey Glazunov earned $60,000 for an exploit that bypassed the security sandbox.
Google issued a fix to Chrome users in less than 24 hours.Chrome was successfully exploited for the first time.”