Dr. Charlie Miller says the Pwn2Own event is managed in a way that has dangerous exploits “left over”
Q: A recent article in Computerworld quoted you as being critical of the competition for encouraging the “weaponization” of exploits en masse – can you briefly reiterate your concerns?
A: This is still a concern for me. There is a difference between vulnerabilities and exploits. The former are problems that need to be patched. But an exploit is something that can actually take advantage of the vulnerability to get code running on the system. The biggest difference is that a bad guy can’t do anything with knowledge of a vulnerability by itself; a bad guy needs an exploit.
Normally, researchers report vulnerabilities and don’t bother to actually write exploits. Writing an exploit is hard, time-consuming work and doesn’t help the vendors patch the bug, so it isn’t necessary to make.
However, at Pwn2Own, you need an exploit that works reasonably well if you hope to win. But, not everyone gets a chance to win, even if they have an exploit. For each target the names of the people who want to compete are drawn at random. For example, for Safari on OS X this year, 4 people signed up.
After the random drawing, I was fourth in line. So, four of us showed up with Safari exploits, but the first team won (from VUPEN). Now, the contest is over for that target and there are three of us with exploits but nothing to do with them.
I see his point but it is interesting to think that winning somehow de-“weaponizes” an exploit. Even if all the exploits brought to the contest are used in the contest they still would be left over — researchers could say they have “nothing to do with them” afterwards whether they are used or not. The question I would ask is whether they always report the vulnerabilities related to an exploit, even if they do not use the exploit. Perhaps he is really saying that the lottery — not allowing all exploits the chance to win a prize — discourages contestants from disclosing all known vulnerabilities.
Update: Vendor announces fixes for vulnerabilities that were not selected in the lottery:
Apple on Monday patched 56 vulnerabilities, most of them critical flaws that could be used to hijack machines, as part of 2011’s first broad update of Mac OS X.
Among the fixes was one for a vulnerability that four-time Pwn2Own winner Charlie Miller didn’t get a chance to use at the hacking contest earlier this month.