Microsoft will not be updating Internet Explorer before the Pwn2Own hacking contest kicks off at CanSecWest conference in Vancouver, Canada, despite the fact that elite hackers will be gunning for the Web browser.
Microsoft made the announcement on March 4 as security researchers are getting ready for Pwn2Own, a contest that pits hackers against the latest versions of the four major browsers and four mobile platforms for cash prizes.
The targeted browsers include Internet Explorer 8, Apple’s Safari 5, Google’s Chrome 9 and Mozilla’s Firefox3.6. The mobile platforms include a Dell Venue Pro running Windows 7, an iPhone 4 running iOS, a Blackberry Torch 9800 running Blackberry 6 OS, and a Nexus S running Android.
Microsoft tends to update IE in even-numbered months, and already patched the browser as part of its gigantic Patch Tuesday update on February 8.
Apple may patch Safari before the contest begins, according to a post on Twitter by French security firm Vupen. “Anti-Pwn2Own again: Apple fixed a record of 50 vuln[erabilities] in WebKit (iTunes), and is preparing the update for Safari/Mac OS X,” the company posted.
Charlie Miller, a security researcher at Independent Security Evaluators, known for cracking Safari for the last three years at the contest, does not think the potential patch will stop him in his fourth attempt this year, according to Ars Technica. Miller has also exploited vulnerabilities in the iPhone during past contests. He is slated to come fourth in his attempt to crack Safari, and second to hack the iPhone in this year’s competition.
Last year, only Apple and Google updated their browsers before Pwn2Own. Mozilla found but could not fix a critical vulnerability in Firefox before the contest, so organisers ruled that hole off-limits to contestants.
Security researchers find existing vulnerabilities and create exploits for unpatched bugs in the existing products before the contest. They then take turns during the contest to try to be the first at successfully hacking the targeted platform. All vulnerabilities and exploits used during the competition belong to Tipping Point, the sponsor of the contest, according to the rules.
The organisation’s Zero Day Initiative bug bounty program then reports the bugs to the appropriate vendor and gives them six months to fix the problem before releasing the information to the public. The security researcher who found the vulnerability is not allowed to publicise the flaw after the contest, per contest rules.
Miller told Ars Technica that as he is slated to go last in the Safari contest, it is likely the browser will fall to at least one of the other three contestants’ attacks. “So I’m not going to report that vulnerability,” he said.
Winners get $15,000 (£9,219) cash prizes for each browser or mobile device hacked from a pool of $125,000 (£76,820). The hacker that takes down Safari will also win a 13-inch MacBook Air. Google has sweetened the pot by offering an additional $20,000 (£12,290) reward for the researcher who can take down Chrome, which has not been hacked in previous contests.
Pwn2Own will run March 9 to March 11 at the CanSecWest security conference.
Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…
Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…
Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…
Welcome to Silicon In Focus Podcast: Tech in 2025! Join Steven Webb, UK Chief Technology…
European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…
San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…