Pwn2Own 2009 comes to a close

The highly anticipated Pwn2Own competition came to a close at this year’s CanSecWest conference a couple of days ago. The undisputed winner: Chrome, Google’s newborn web browser.

Apple’s Safari was the first to fall this year, with Microsoft’s IE8 and Mozilla Firefox following shortly after. Chrome was the only survivor: although bugs were identified in it, competition participants were unable to exploit them due to the browser’s sandbox feature.

One of the winners, Charlie Miller, stated in a ZDNet interview that the vulnerability he used was one that he had originally found while preparing for the competition last year. Instead of disclosing it at that time, he decided to save it for this year. This is part of his new philosophy, according to which bugs have commercial value and shouldn’t be disclosed to vendors for free.

“I have a new campaign. It’s called NO MORE FREE BUGS. Vulnerabilities have a market value so it makes no sense to work hard to find a bug, write an exploit and then give it away,” Miller told ZDNet. “Apple pays people to do the same job so we know there’s value to this work.”

This year’s competition also targeted mobile browsers for Windows Mobile, BlackBerry, Android, Symbian, and the iPhone, all of which came through unscathed. The winners got to walk away with a $5000 prize per successful exploit and of course the brand new laptop they managed to hack.
