Posted on March 11, 2011 by buu
I’ve been attending CanSecWest for the last two days. I’m lucky for two reasons: Not only is this internationally renowned security conference held right here in Vancouver, but this isn’t normally a conference I am sent to and we happened to score me a free pass this year.
You may not have heard of CanSecWest but a bit more people will have heard of Pwn2own, the contest where over $100,000CAD and the target hardware is given out as prizes for compromising browsers and smart phones.
So far, IE, Firefox, Safari, iOS and Blackberry OS have been compromised. Windows Phone 7, Chrome and Android have so far survived.
What I found interesting was Blackberry OS, touted to be very secure was compromised due to a webkit vulnerability. Now before the attempt was made, I watched a battle begin at the pwn2own area, where a representative from RIM Security was trying to make certain that the Blackberry Torch that was targeted would be patched with a recent OS patch, which it had not been yet. The patch was released with Canadian carriers recently but not other countries. RIM works with carriers on their OS updates as they each get OS’s flavored to their liking.
Well the Blackberry got pwned. RIM didn’t get to apply that latest patch. But, it wouldn’t have mattered. The webkit patch hadn’t yet been implemented in the latest Blackberry OS anyways!
Google on the other hand, is fairly quick with patches to Chrome. You barely even know they’ve done it. It hasn’t fallen over so far at the contest. That webkit bug Blackberry fell to was patched by Google long ago.
But I don’t really like what I see. RIM has to maintain so many flavors of OS, across so many of their platforms and then multiply that by all the carriers they work with. This is obviously slowling down the patching process. As if it wasn’t already slow enough considering they have to encourage users to take the time to update their firmware in the first place.
iOS has its faults but at least they’re pretty quick with their updates. And while many are critical of iTunes, it is pretty nice that it tells you right away if there is a software update available and encourages you to upgrade – even making the process super easy with a simply backup and then restoring your settings after the update. And yes, Apple’s security folks were on site today as well and said they’ll be implementing patches in order to plug the holes found by the famous Charlie Miller, who pwned the iPhone 4.
Perhaps now that Blackberry has to be even more aware of vulnerabilities of their phones now that they’ve added a webkit browser, they should re-evaluate the efficiency of their patching.
UPDATE: Well, looks like Google may be eating their words. The bug that pwned Blackberry OS might be in Chrome. I’ll try to find a valid link with info.
UPDATE2: Ok, here is a link http://www.zdnet.com/blog/security/google-first-to-patch-pwn2own-webkit-vulnerability/8427