Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk //


08:18 PM

Lesson From Pwn2Own: Focus On Exploitability

Talented programmers can create attack code quickly, suggesting that firms need to focus on patching easily exploitable -- not just exploited -- flaws

The Pwn2Own contest earlier this month at the CanSecWest Conference showed off the speed with which knowledgeable security professionals can code exploits for known vulnerabilities.

While only two teams competed, it took them less than a day to create a workable exploit for each vulnerability selected by HP TippingPoint, which ran the competition. In some cases, the coders required only an hour or two. On the second day of the contest, for example, a team of researchers from security and offensive technology firm VUPEN boasted on Twitter: "Here we go, another on-site exploit have been written by our team for IE (Internet Explorer) -- this one was challenging, it took us 4 hrs."

The speed that vulnerabilities could be exploited holds a lesson. While vulnerabilities that are actively being exploited should receive the highest priority for patching, the contest shows that the exploitability of a vulnerability -- not just the existence of an exploit -- should be considered as well, says Aaron Portnoy, manager of security research for HP TippingPoint.

"The whole point of the public exploit part of Pwn2Own is to show that, yes, it really doesn't take that long to write an exploit for these," Portnoy says. "Before the contest, there really wasn't any good data on how long it takes for someone to code an exploit. People now actually have that information."

While patching is an important security task, companies are overwhelmed by the deluge of vulnerabilities that they have to track on a regular basis, Portnoy says. Finding some metric to help prioritize which updates to test and deploy is important. While some researchers have suggested a focus on finding weaknesses in attack tools or attacker methodology that can inform defense, the working security manager needs a more immediate indicator of patch criticality.

Companies should obviously patch software that is being targeted by a publicly available exploit, Portnoy says. Yet, after emergency fixes, focusing on software vulnerabilities that vendors expect to be exploited quickly is the next step. The performance of teams such as VUPEN's at Pwn2Own shows that it doesn't take long to go from zero to exploit.

"We created six different exploits in less than 24 hours, which demonstrates that with enough resources and expertise, a team of motivated researchers can write reliable exploits in a very short time," says Chaouki Bekrar, CEO and head of research for VUPEN.

Moreover, companies need to assume that attackers may have already created attacks that use easy-to-exploit vulnerabilities and just have not released the details publicly, Bekrar says.

"As functional exploits are often privately available but not public, companies should not take into account the availability ... of a public exploit in their patch management process," he says.

One major caveat: The systems that Pwn2Own contestants pitted themselves against were not the most secure. The contest used older versions of the targeted operating systems to make coding the exploits easier. Windows XP and the older version of the Mac OS X used in the competition did not have the same software hardening features, such as sandboxing and address space layout randomization (ASLR), built into the more modern version of those operating systems.

"If they were going to go after a real target, they will have to overcome a lot of mitigation," HP TippingPoint's Portnoy says.

Yet VUPEN's demonstration of successful attacks against Chrome and Internet Explorer suggests that companies would be best-served by assuming attackers have the ability to overcome operating system defenses.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
Register for Dark Reading Newsletters
White Papers
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-10-18
In Horner Automation Cscape 9.90 and prior, improper validation of data may cause the system to write outside the intended buffer area, which may allow arbitrary code execution.
PUBLISHED: 2019-10-18
In Horner Automation Cscape 9.90 and prior, an improper input validation vulnerability has been identified that may be exploited by processing files lacking user input validation. This may allow an attacker to access information and remotely execute arbitrary code.
PUBLISHED: 2019-10-18
OpenWRT firmware version 18.06.4 is vulnerable to CSRF via wireless/radio0.network1, wireless/radio1.network1, firewall, firewall/zones, firewall/forwards, firewall/rules, network/wan, network/wan6, or network/lan under /cgi-bin/luci/admin/network/.
PUBLISHED: 2019-10-18
The Customer's Tomedo Server in Version 1.7.3 communicates to the Vendor Tomedo Server via HTTP (in cleartext) that can be sniffed by unauthorized actors. Basic authentication is used for the authentication, making it possible to base64 decode the sniffed credentials and discover the username and pa...
PUBLISHED: 2019-10-18
** DISPUTED ** An issue was discovered in SageMath Sage Cell Server through 2019-10-05. Python Code Injection can occur in the context of an internet facing web application. Malicious actors can execute arbitrary commands on the underlying operating system, as demonstrated by an __import__('os').pop...