Inevitably, CanSecWest 2010 kicked off with the promised and eagerly-awaited Pwn2Own hacking contest, in which a number of effective protection strategies (DEP, code signing, ASLR [1]) failed to prevent determined vulnerability researchers making loadsamoney by circumventing them with attacks on Firefox and IE8 on Windows 7, Safari, and the iPhone.
For details and extensive comment see:
- http://macviruscom.wordpress.com/2010/03/25/and-the-firewalls-came-tumbling-down/
- http://kevtownsend.wordpress.com/2010/03/25/sacred-cows-fall-at-pwn2own/
- http://www.theregister.co.uk/2010/03/25/pwn2own_2010_day_one/
- http://macviruscom.wordpress.com/2010/03/24/cansecwest-go-west-young-mac-but-fuzzily/
- http://macviruscom.wordpress.com/2010/03/19/touching-base/
- http://threatpost.com/en_us/blogs/iphone-hacked-pwn2own-sms-database-stolen-032410
The take-home message from all this, though, is that there is a difference between mitigation and invulnerability. What software can do to protect you can be undone by other software: in the last analysis, whether those software attacks are actually worth implementing is a matter of Cost/Benefit Analysis. $100,000 in prize money is a good incentive, but so is a money-raking botnet.
[1] DEP: Data Execution Protection
ASLR: Address Space Layout Randomization
David Harley CISSP FBCS CITP
Research Fellow & Director of Malware Intelligence