The Pwn2Own contest rules were announced recently for CanSecWest '08 coming up next week.
Unfortunately, or fortunately (depending on how you look at it), I won't be able to join in the fun as I will be presenting at Black Hat Europe next week, although you can rest assured I'm going to take a stab at the contest from remote! I've got a couple of interesting things I've been looking at in each of the target environments (well, not Ubuntu yet, but I'll start looking tonight), although I doubt I'll get something exploitable in time. It'll be interesting to see if anyone comes up with something this year... it sort of makes me wish I would've sat on the iPhoto format string flaw I discovered a while back, but then that wouldn't have been very responsible of me.
In any case, you can see that Apple was hot on the patch releases today, as referenced by my co-blogger Larry Dignan here and here. It had me wondering, was there something special about the day after St. Patrick's Day? Did everyone get done drinking Guinness last night and decide it would be a good time to push out those 80-85 patches they were sitting on? It seems a bit too coincidental that this major security conference is coming up with a Pwn2Own competition involving that fancy new MacBook Air and the next thing you know 80-85 patches are coming out of Cupertino. Ok, ok, so maybe I'm a conspiracy enthusiast and the patch had nothing to do with that at all, but it does make for interesting discussion.
Someone stands to get a lot of props, a new computer, and potentially up to $25,000 from ZDI for the new vulnerability. For those unfamiliar with the competition, Dino Dai Zovi won the competition last year, and was rewarded with a new Mac and also $10,000.
All I'll say for a prediction for this year is:
Lock the women, children, and MacBook Air up because Dino is coming to town!