No Patch For IE Browser Before Pwn2Own Hackfest

Microsoft will not be updating Internet Explorer before the Pwn2Own hacking contest kicks off at CanSecWest conference in Vancouver, Canada, despite the fact that elite hackers will be gunning for the Web browser.

Microsoft made the announcement on March 4 as security researchers are getting ready for Pwn2Own, a contest that pits hackers against the latest versions of the four major browsers and four mobile platforms for cash prizes.

The targeted browsers include Internet Explorer 8, Apple’s Safari 5, Google’s Chrome 9 and Mozilla’s Firefox3.6. The mobile platforms include a Dell Venue Pro running Windows 7, an iPhone 4 running iOS, a Blackberry Torch 9800 running Blackberry 6 OS, and a Nexus S running Android.

Patching Frenzy For Other Targets

In contrast to Microsoft, Mozilla and Google announced a number of patches in advance of the contest for their respective browsers. Mozilla rolled out patches on March 1 for 10 security flaws in Firefox and Google patched 19 flaws in Chrome. Most of the bugs were either high-priority or critical.

Microsoft tends to update IE in even-numbered months, and already patched the browser as part of its gigantic Patch Tuesday update on February 8.

Apple may patch Safari before the contest begins, according to a post on Twitter by French security firm Vupen. “Anti-Pwn2Own again: Apple fixed a record of 50 vuln[erabilities] in WebKit (iTunes), and is preparing the update for Safari/Mac OS X,” the company posted.

Charlie Miller, a security researcher at Independent Security Evaluators, known for cracking Safari for the last three years at the contest, does not think the potential patch will stop him in his fourth attempt this year, according to Ars Technica. Miller has also exploited vulnerabilities in the iPhone during past contests. He is slated to come fourth in his attempt to crack Safari, and second to hack the iPhone in this year’s competition.

Last year, only Apple and Google updated their browsers before Pwn2Own. Mozilla found but could not fix a critical vulnerability in Firefox before the contest, so organisers ruled that hole off-limits to contestants.

Security researchers find existing vulnerabilities and create exploits for unpatched bugs in the existing products before the contest. They then take turns during the contest to try to be the first at successfully hacking the targeted platform. All vulnerabilities and exploits used during the competition belong to Tipping Point, the sponsor of the contest, according to the rules.

The organisation’s Zero Day Initiative bug bounty program then reports the bugs to the appropriate vendor and gives them six months to fix the problem before releasing the information to the public. The security researcher who found the vulnerability is not allowed to publicise the flaw after the contest, per contest rules.

Miller told Ars Technica that as he is slated to go last in the Safari contest, it is likely the browser will fall to at least one of the other three contestants’ attacks. “So I’m not going to report that vulnerability,” he said.

Winners get $15,000 (£9,219) cash prizes for each browser or mobile device hacked from a pool of $125,000 (£76,820). The hacker that takes down Safari will also win a 13-inch MacBook Air. Google has sweetened the pot by offering an additional $20,000 (£12,290) reward for the researcher who can take down Chrome, which has not been hacked in previous contests.

Pwn2Own will run March 9 to March 11 at the CanSecWest security conference.