Part of that move toward applications, Forslof said, has been forced on hackers as operating systems have become more secure. This year's contest put that into relief when Macauley initially had a tough time breaking into the Fujitsu notebook running Vista SP1.
"SP1 was a huge challenge to him," said Forslof. "When he walked in, he was strutting, he was going to own [that machine], he was going to break it in two minutes, he was going to wow the crowd."
That didn't happen, at least not immediately. Macauley, said Forslof, had prepared an exploit, but had not tested it against Vista's Service Pack 1, which was released to the general public only two weeks ago.
" Microsoft has built a lot of things into its OS to make exploiting vulnerabilities more challenging," Forslof said, ticking off several defensive technologies, including ASLR (address space layout randomization). "Shane had to use some tricks to get that exploit to work on SP1."
"This is where a contest gets interesting," she said. "Vulnerabilities and exploits are hand in hand, of course, but they're two different animals. If Shane had taken this to another platform, it would have been a no brainer."
According to Forslof, the Flash vulnerability Macauley exploited on the Vista SP1 notebook is multi-platform and is present, for example, on both Mac OS X and Linux.
Macauley's difficulty in bringing down the Fujitsu was "immensely fascinating," added Forslof, for it showed researchers, working together and under pressure, as they tried one thing after another until they found an exploit solution.
"The sheer amount of difficulty [he had] exploiting that Flash vulnerability shows that Microsoft has started to make it more difficult for the bad guys," Forslof said when asked to draw some conclusions from PWN To OWN.
"Some of [Microsoft's] defense-in-depth strategies put a kink in the exploit. Everything is breakable, everything is exploitable, but what we'd like to do is narrow the group of people who can do it by making it harder for them," Forslof said.