Dailydave mailing list archives

Pwn2Own 2009 thoughts


From: Charles Miller <cmiller () securityevaluators com>
Date: Mon, 2 Mar 2009 16:52:10 -0600

Pwn2Own is just over 2 weeks away.  It's the only time of year I
actually bother to look for bugs without a client paying my boss or in
preparation for a talk.  It's also the time of year I dig in my bag of
0-days for goodies to give out.  Join me this year!

In the past, it was to a researcher's advantage to make sure no one else
competed since only one person could win at each target.  This year,  
there can be multiple winners for each (only the first pwner gets the  
hardware).  Also, if more than 5 people win, an extra $15k gets put up  
for grabs.  That means I hope lots of people win!  I want my bonus  
bucks :)

Here are my predictions for this year.  It'd be cool if there was a  
Vegas line on this stuff!
Safari: hacked by 4 different people.  Easy pickin's as usual.
Android: hacked by 1 person.  Not too tough but no one owns one.
IE8, Firefox: Survive unscathed.  The bugs to exploit equation is too  
hard for 5k.
iPhone, Symbian: Survive due to non-executable heap.
Blackberry, Windows Mobile, Chrome: I don't know enough to say  
anything intelligent.  That said, they're probably hard/obscure and so  
survive.

Charlie

More info:
http://dvlabs.tippingpoint.com/blog/2009/02/25/pwn2own-2009

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave