
All Five Smartphones Survive Pwn2Own Contest

CWmike writes "Although three of the four browsers that were targets in the PWN2OWN hacking contest quickly fell to a pair of researchers, none of the smartphones were successfully exploited. TippingPoint had offered $10,000 for each exploit on any of the phones, which included the iPhone and the BlackBerry, as well as phones running the Windows Mobile, Symbian and Android operating systems. 'With the mobile devices so limited on memory and processing power, a lot of [researchers'] main exploit techniques are not able to work,' said TippingPoint's Terri Forslof. 'Take, for example, [Charlie] Miller's Safari exploit,' referring to Miller's 10-second hack of a MacBook via an unpatched Safari vulnerability that he'd known about for more than a year. 'People wondered why wouldn't it work on the iPhone, why didn't he go for the $10,000?' she said. 'The vulnerability is absolutely there, but it's a lot tougher to exploit on the iPhone.'" Chrome was the only browser at the contest that was not successfully exploited. We previously discussed day one of the contest, and a summary of day two is available as well.

  • by Shatrat ( 855151 ) on Wednesday March 25, 2009 @09:53AM (#27328911)
    Apparently the safari exploit

    "should work on the iPhone but the bug couldn't (be) used twice in the competition."

    So the iPhone should be quite vulnerable, but wasn't compromised because it wouldn't have been eligible for the award since it was the same exploit used against OS X in the first day.

  • Phones (Score:2, Informative)

    by Anonymous Coward on Wednesday March 25, 2009 @10:48AM (#27329623)

    A quick Google Pulled up the Phones as:

    Phones (and associated test platform)

            * Blackberry(TBA)
            * Android(Dev G1)
            * iPhone(locked 2.0)
            * Nokia/Symbian(N95-1)
            * Windows Mobile (HTC Touch)

  • Re:Phones (Score:4, Informative)

    by Thornburg ( 264444 ) on Wednesday March 25, 2009 @10:53AM (#27329717)

    A quick Google Pulled up the Phones as:

    Phones (and associated test platform)

            * Blackberry(TBA)

            * Android(Dev G1)

            * iPhone(locked 2.0)

            * Nokia/Symbian(N95-1)

            * Windows Mobile (HTC Touch)

    The Blackberry was apparently a "Bold", at least, that's what one of the related blog posts refers to.

  • by Jedi_Master_SS ( 622260 ) on Wednesday March 25, 2009 @10:59AM (#27329789)
    The iPhone uses a modified version of WebKit (see webkit.org) which is the same engine behind Safari and quite a few other things not just from Apple but other sources as well.
  • by Deathlizard ( 115856 ) on Wednesday March 25, 2009 @11:00AM (#27329805) Homepage Journal

    Browsers
    Chrome: 0***
    IE8: 1**
    Firefox: 1(1)*
    Safari: 2(1)*

    Mobile Browsers
    Android: 0
    iPhone: 0
    Nokia/Symbian: 0
    Windows Mobile: 0
    Blackberry: 0****

    *Numbers in parentheses indicate successful exploits that fell outside the contest criteria and therefore could not be rewarded.
    **Exploit Confirmed by MS
    ***Chrome was impacted by one of the flaws, although exploit was not possible using any current known techniques.
    ****The Blackberry was attempted and resulted in "Something Interesting", but not an exploit.

  • Re:Hmm (Score:3, Informative)

    by Chaos Incarnate ( 772793 ) on Wednesday March 25, 2009 @11:11AM (#27329903) Homepage
    That's a bad assumption. Apple tends to sweep security problems under the rug as much as possible.
  • Re:All 5, eh? (Score:1, Informative)

    by Anonymous Coward on Wednesday March 25, 2009 @11:13AM (#27329935)

    From the 3rd link [computerworld.com] in TFS:

    This year's PWN2OWN also features a mobile operating system contest that will award a $10,000 cash prize for every vulnerability successfully exploited in five smartphone operating systems: Windows Mobile, Google's Android, Symbian, and the operating systems used by the iPhone and BlackBerry.

  • Re:Hmm (Score:3, Informative)

    by Yamamato ( 1513927 ) on Wednesday March 25, 2009 @11:17AM (#27329999)
    Plus he added a few more funny things about OSX.

    Why Safari? Why didn't you go after IE or Safari?

    It's really simple. Safari on the Mac is easier to exploit. The things that Windows do to make it harder (for an exploit to work), Macs don't do. Hacking into Macs is so much easier. You don't have to jump through hoops and deal with all the anti-exploit mitigations you'd find in Windows.

    It's more about the operating system than the (target) program. Firefox on Mac is pretty easy too. The underlying OS doesn't have anti-exploit stuff built into it.

    With my Safari exploit, I put the code into a process and I know exactly where it's going to be. There's no randomization. I know when I jump there, the code is there and I can execute it there. On Windows, the code might show up but I don't know where it is. Even if I get to the code, it's not executable. Those are two hurdles that Macs don't have.

    It's clear that all three browsers (Safari, IE and Firefox) have bugs. Code execution holes everywhere. But that's only half the equation. The other half is exploiting it. There's almost no hurdle to jump through on Mac OS X.

    Looks like all that supposed security you hear about in Mac OS X is really just a huge joke.
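
    The two hurdles named in the quoted interview (a randomized load address and non-executable data) are requested per binary through flag bits in the Mach-O header. The following is an added example, not part of the thread or of any project it mentions: it reads those bits so a defender can audit a binary. The flag values are the ones in Apple's `<mach-o/loader.h>`; the sample headers are constructed, and whether the OS honours a flag depends on the OS release.

```python
import struct

# Constants from <mach-o/loader.h>
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
MH_EXECUTE = 0x2
MH_ALLOW_STACK_EXECUTION = 0x00020000  # stack may be executable
MH_PIE = 0x00200000                    # main image may load at a random address
MH_NO_HEAP_EXECUTION = 0x01000000      # heap requested non-executable

def macho_mitigations(data: bytes) -> dict:
    """Read the mitigation flags from a thin (single-architecture) Mach-O header."""
    if len(data) < 28:
        raise ValueError("too short for a Mach-O header")
    for endian in ("<", ">"):          # ">" covers big-endian images such as PowerPC
        if struct.unpack_from(endian + "I", data)[0] in (MH_MAGIC, MH_MAGIC_64):
            break
    else:
        raise ValueError("not a thin Mach-O image (slice fat/universal files first)")
    magic, _cpu, _sub, filetype, _ncmds, _size, flags = struct.unpack_from(endian + "7I", data)
    return {
        "is_64bit": magic == MH_MAGIC_64,
        "is_executable": filetype == MH_EXECUTE,
        "pie": bool(flags & MH_PIE),
        "stack_exec_allowed": bool(flags & MH_ALLOW_STACK_EXECUTION),
        "no_heap_exec": bool(flags & MH_NO_HEAP_EXECUTION),
    }

def findings(report: dict) -> list:
    """List the hurdles from the interview that this header does not request."""
    out = []
    if report["is_executable"] and not report["pie"]:
        out.append("fixed load address (no MH_PIE)")
    if report["stack_exec_allowed"]:
        out.append("executable stack allowed")
    return out

def sample_header(flags: int) -> bytes:
    """Constructed 64-bit x86_64 MH_EXECUTE header with no load commands."""
    return struct.pack("<8I", MH_MAGIC_64, 0x01000007, 3, MH_EXECUTE, 0, 0, flags, 0)

# Constructed samples: 0x85 = MH_NOUNDEFS | MH_DYLDLINK | MH_TWOLEVEL
SAMPLE_LEGACY = sample_header(0x85 | MH_ALLOW_STACK_EXECUTION)
SAMPLE_HARDENED = sample_header(0x85 | MH_PIE | MH_NO_HEAP_EXECUTION)

if __name__ == "__main__":
    for name, blob in (("legacy", SAMPLE_LEGACY), ("hardened", SAMPLE_HARDENED)):
        print(name, findings(macho_mitigations(blob)) or "no findings")
```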

  • Re:All 5, eh? (Score:3, Informative)

    by vux984 ( 928602 ) on Wednesday March 25, 2009 @12:47PM (#27331373)

    Exactly what I was thinking. I went to the article to see what the 5 were and didn't really glean much more information out of it than what was in the summary.

    I had no trouble identifying the five that were tested:

    iphone, blackberry, windows, symbian, android.

  • by Anonymous Coward on Wednesday March 25, 2009 @02:22PM (#27332943)

    Chrome was a target on day 1, not just day 2.

    Also, if you read Charlie Miller's comments, you'll note that he explicitly said Chrome wasn't compromised because its sandbox makes renderer bugs more difficult to exploit. i.e. Chrome is, in fact, somewhat more secure.

    Disclosure: I am a Chromium developer.
