Thursday, March 27, 2008

pwning pwn2own and the system


So someone pwned2own a safari vulnerability to win a macbook air at cansecwest.

couple of bloggers did writeups on it:

dre over at TS/SCI
David Maynor over at Errata Security

I'm sure there is more.

The winner was Charlie Miller of Independent Security Evaluators

Checking out the site it looks like they have been doing work on OS X vulnerabilities and research into selling 0day. Interesting.

Link: The legitimate vulnerability market: the secretive world of 0-day exploit sales
Charles Miller, Independent Security Evaluators

To me it was brilliant marketing on behalf of ISE. I don't really deal with 0day with the exception of begging for them, but I imagine that a remote preauth on any of the 3 OS's involved in the pwn2own contest is worth way more than $20k on both the "dark side" and "good side" of "responsible" disclosure. On the other hand, ISE gets to be on the front page of every security mag and blog for the next few days for the price of giving up one client side exploit and they get $10,000 on top of it. Cheers guys. Job well done. Bonus points for pwning the system.

and more fun from: http://www.securityevaluators.com/independent_eva.html

Services we do not provide:

Don't pay us to run nessus

At ISE, we offer specialized expert security services. Therefore, we do not perform commodity services such as automated networks scans and firewall configuration.

Common Criteria

ISE also does not do Common Criteria evaluation.
Life is too short.

Nice!!

CG

No comments: