[7] The Pwn2Own contest serves to demonstrate the vulnerability of devices and software in widespread use while also providing a checkpoint on the progress made in security since the previous year.
[10] At the time, there was a widespread belief that, despite these public displays of vulnerabilities in Apple products, OS X was significantly more secure than any other competitors.
[8] On March 20, roughly three weeks before CanSecWest that year, Ruiu announced the Pwn2Own contest to security researchers on the DailyDave mailing list.
[5] ZDI has a program which purchases zero-day attacks, reports them to the affected vendor and turns them into signatures for their own network intrusion detection system, increasing its effectiveness.
[21] Pwn2Own continues to be sponsored by Trend Micro's Zero Day Initiative, with ZDI reporting vulnerabilities to vendors before going public with the hacks.
[8] Concerning rules, only two MacBook Pro laptops, one 13" and one 15", were left on the conference floor at CanSecWest and joined to a separate wireless network.
In order to win the 15" MacBook Pro, contestants would be required to further escalate their privileges to root after gaining access with their initial exploit.
After the $10,000 prize was announced by ZDI, Shane Macaulay called up former co-worker Dino Dai Zovi in New York and urged him to compete in the second day.
[2] In one night, Dai Zovi found and exploited a previously unknown vulnerability in a QuickTime library loaded by Safari.
[24] The following morning, Dai Zovi sent his exploit code to Macaulay,[56] who placed it on a website and e-mailed the contest organizers a link to it.
Targets included three laptops running the default installation of Windows Vista Ultimate SP1, Mac OS X 10.5.2, or Ubuntu Linux 7.10.
Contestants could target popular third-party software[12] such as browsers, Adobe Flash, Java, Apple Mail, iChat, Skype, AOL, and Microsoft Silverlight.
It added another category of mobile devices which contestants were challenged to hack via many remote attack vectors including email, SMS messages, and website browsing.
In writing this exploit, Nils had to bypass anti-exploitation mitigations that Microsoft had implemented in Internet Explorer 8 and Windows 7, including Data Execution Protection (DEP) and Address Space Layout Randomization (ASLR).
[32] Near the end of the first day, Julien Tinnes and Sami Koivu (remote) successfully exploited Firefox and Safari on OS X with a vulnerability in Java.
[33] Peter Vreugdenhil exploited Internet Explorer 8 on Windows 7 by using two vulnerabilities that involved bypassing ASLR and evading DEP.
[74] The web browser targets for the 2011 contest included Microsoft Internet Explorer, Apple Safari, Mozilla Firefox, and Google Chrome.
Microsoft Internet Explorer teams included Stephen Fewer, VUPEN, Sam Thomas, and Ahmed M Sleet.
[35] Security researchers Charlie Miller and Dion Blazakis were able to gain access to the iPhone's address book through a vulnerability in Mobile Safari by visiting their exploit-ridden webpage.
The team of Vincenzo Iozzo, Willem Pinckaers, and Ralf Philipp Weinmann took advantage of a vulnerability in the Blackberry's WebKit-based web browser by visiting their previously prepared webpage.
[35] Firefox, Android, and Windows Phone 7 were scheduled to be tested during day 2, but the security researchers that had been chosen for these platforms did not attempt any exploits.
Versions of Safari that were not fully patched and running on Mac OS X Snow Leopard were compromised during the CVE portion of Pwn2Own.
[84] Apple Safari on Mac OS X Mavericks and Adobe Flash on Windows 8.1 were successfully exploited by Liang Chen of Keen Team and Zeguang Zhao of team509.
Vupen earned $100,000 for the crack, while the anonymous entrant had their prize of $60,000 reduced, as their attack relied on a vulnerability revealed the day before at Google's Pwnium contest.
[85] Also, Nico Joly of the VUPEN team took on the Windows Phone (the Lumia 1520), but was unable to gain full control of the system.
The top hacker proved to be Jung Hoon Lee, who took out "IE 11, both the stable and beta versions of Google Chrome, and Apple Safari" and earned $225,000 in prize money.
The contest saw six successful demonstrations and awarded $270,000 over the two-day event while purchasing 13 unique bugs in Adobe Reader, Apple Safari and macOS, Microsoft Windows, and Oracle VirtualBox.
The Flashback Team (Pedro Ribeiro and Radek Domanski) earned the Master of Pwn title with two successful Wide Area Network (WAN) router exploits.
This year's event expanded by adding the Enterprise Communications category, which includes Microsoft Teams and Zoom Messenger.
Researchers from the Synacktiv Team were able to remotely start the windshield wipers, open the trunk, and flash the headlights of the vehicle.