Amusing how paranoid the browser developers have become about CanSecWest:
Pwn2Own browser day: March 9th, 2011
Safari 5.0.4 released March 9th
Chrome 10.0.648.127 released March 8th
Firefox 3.6.15 released March 4th
Internet Explorer 8 didn't get a patch this cycle (too cool for school)
Mobile day: March 10th, 2011
iOS 4.3 released March 9th
Nexus S 2.3.3 released Feb 24th
Not sure about WP7 & BB
Besides, if most competitors arrive at the competition with carefully-researched exploits available to use, I'm not sure this sort of last-minute patching would make much difference, even if it was intentional.
To be fair, Chrome gets updated around every two weeks. That it happened to get pushed out the day before CanSecWest may just be a coincidence. Firefox tends to release a new version every month or so as well. Though Mozilla did push 3.6.15 four days after 3.6.14, so it may very well play into your point.
Every year the press makes it sound like a race, or that being exploited first is somehow worse than being exploited later in the day. The fact is that time slots are assigned randomly: http://twitter.com/VUPEN/status/40078022325444608
Interestingly, according to http://www.computerworld.com/s/article/9214002/Safari_IE_hac... , the researchers who signed up to hit Chrome have either not shown up or decided to concentrate on Blackberry instead. Seems their sandbox holds up quite well.
Taking down the Mac gets you the best laptop and the most press. Simple.
It would be different if the other OS/browsers didn't go down too, but because the Mac is always first to go just means it's the most desirable target.
I can see how you associate it being the least secure with it being the most awesome. I don't see what could go wrong with your ability to take some legitimate and important criticism about something you like and turn it into something awesome about said thing.
Macs always go down quickly in these contests. The people who make it happen often say that it's considerably easier.
edit:
Charlie Miller: "It's really simple. Safari on the Mac is easier to exploit. The things that Windows do to make it harder (for an exploit to work), Macs don't do. Hacking into Macs is so much easier." - http://www.zdnet.com/blog/security/questions-for-pwn2own-hac...
I think the $15,000 cash prize and PR with being first, regardless of OS/browser, plays larger than the delta between getting a high PC laptop and a MBP. And it's not like they don't already have Macs -- that's how they developed their OS X exploit.
UPDATE: It's actually a MacBook Air 13", not MBP. The other laptops are ASUS G73SW and Alienware M11x.
That's simply not true. Macs are often said to be easier to take down.
However, a vulnerability on the Mac isn't worth as much (on the black-market) as a vulnerability on Windows. So people keep trying to break Windows. Even if you tried to sell a Mac vulnerability, the people who make botnets wouldn't be interested, as they can buy Windows vulnerabilities instead.
Pwn2Own is the only show in town where a Mac vulnerability is worth roughly the same as a Windows one.
I question the metric used in these contests. Reports always make it sound like someone just walks up completely unprepared and hacks a machine.
"We had to do everything from scratch. We had to create a debugging tool, create the shellcode and create the ROP (return oriented programming) technique,"
Obviously there is a fair bit of preparation involved.
They're all prepared in advance. I don't really understand what you mean about the reporting though, as you point out the discussion makes it clear none of this is off the cuff.
"VUPEN won a $15,000 cash prize and an Apple MacBook Air 13″ running Mac OS X Snow Leopard" ... and Calculator.app, whether he wanted it running or not.
I'm not surprised, this is, what, the third year in a row now? I hope Apple pays attention to the things Google is doing with Chrome. If I'm not mistaken, Lion will be shipping with WebKit2 and sand-boxing.
I've tried Chrome, but I just always go back, strangely, to Safari; it just feels right at home.
Five years in a row, as CanSecWest has run Pwn2Own for five years. OS X/Safari has also always been the first one to drop afaik, though this has at least as much to do with Apple kit being the most desirable as anything else.
[+] [-] trotsky|15 years ago|reply
[+] [-] neilc|15 years ago|reply
[+] [-] jjcm|15 years ago|reply
[+] [-] GHFigs|15 years ago|reply
[+] [-] darren_|15 years ago|reply
[+] [-] YooLi|15 years ago|reply
[+] [-] latch|15 years ago|reply
[+] [-] kenjackson|15 years ago|reply
[+] [-] trotsky|15 years ago|reply
[+] [-] wisty|15 years ago|reply
[+] [-] statictype|15 years ago|reply
I suppose being the easiest target couldn't possibly be a reason, could it?
You're one of those people that cause others to label Mac users as zealots suffering from cognitive dissonance, aren't you?
[+] [-] kenjackson|15 years ago|reply
[+] [-] adsr|15 years ago|reply
[+] [-] trotsky|15 years ago|reply
[+] [-] mikey_p|15 years ago|reply
[+] [-] bigiain|15 years ago|reply
[+] [-] dailyrorschach|15 years ago|reply
[+] [-] trotsky|15 years ago|reply
[+] [-] magicofpi|15 years ago|reply
[1] http://venturebeat.com/2011/02/26/apple-wises-up-by-sharing-...
[+] [-] Stormbringer|15 years ago|reply
This is really embarrassing for OS X fans.