TippingPoint"s PWN2OWN contest has only been around for a short while, but is already very popular for testing the security of certain software and mobile devices.
This year has already shown significant security breaches on Apple"s Safari, Mozilla"s Firefox and Microsoft"s Internet Explorer, but one browser did make it through the first day of testing: Google"s Chrome. That"s right, the youngest of all previously mentioned browsers was the only one not be breached via a range of exploits during the tests, although remember, this is only day one.
During the first day of testing, competitors are set a goal to breach the security of browsers without using such plug-ins as Flash or Java, which are common entry points for attackers. One of the people competing, Charlie Miller (prior champion of PWN2OWN) said that he found the bug he used this year whilst preparing last year, but chose not to tell anyone until the 2009 competition. Why? "I never give up free bugs. I have a new campaign. It"s called NO MORE FREE BUGS. Vulnerabilities have a market value so it makes no sense to work hard to find a bug, write an exploit and then give it away," Miller said to ZDNet. "Apple pays people to do the same job so we know there"s value to this work." He mentions this because the competition only pays for one bug per year of the competition, and he used a different one in 2008.
He also said that Apple"s Safari was the easiest to exploit, whilst on Mac OS X, whereas it"s harder to do so on Windows. Chrome, though, had one bug identified by Miller, yet he had been unable to exploit it "because the browser"s sandboxing feature and the operating system"s security measures together pose a formidable challenge," said Ars Technica.
Keep an eye out to see how day two goes, when competitors are allowed to use plug-ins to breach security of the browsers.