Wednesday, March 09, 2011

Pwn2Own Day One: No Surprises Here Safari, IE Both Hacked

For followers of the now highly publicized Pwn2Own hacking contest it should come as little surprise that both Apple's Safari and Microsoft's Internet Explorer have fallen of the first day.

Taking just short of 5 seconds and despite a last-minute update from Apple, Safari was the first to be cracked by security researchers from the French penetration test company VUPEN. Reportedly the team used a known flaw in Apple's Calculator program to execute a bypass of ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention), two key anti-exploit mitigations built into Mac OS X.

Apple had released a last minute update that patched 62 vulnerabilities in various aspects of Safari 5.0.3. This however was of little consequence to the contest at the MacBook Air used in the contest was still running the older un-patched version. TippingPoint can not disclose the nature of the vulnerability but has said the vulnerability used by Vupen to hack Safari has not been fixed in 5.0.4, otherwise they would not have awarded the $15,000 prize.

VUPEN won a $15,000 cash prize and an Apple MacBook Air 13″ running Mac OS X Snow Leopard.

A second researcher, Stephen Fewer, successfully hacked into a 64-bit Windows 7 machine running Internet Explorer 8 using three different vulnerabilities and custom exploits. Fewer used two different zero-day bugs in IE that he’d found previously to get reliable code execution, and then exploited a third vulnerability that allowed him to jump out of the IE Protected Mode sandbox to get to the operating system.

Like VUPEN, Fewer’s attack also successfully bypassed DEP and ASLR in Windows 7. Fewer won a $15,000 cash prize and a new Sony Vaio laptop running Windows 7 for being the first contestant to hack the Windows browser.

Firefox and Google Chrome stood untested, with the attempts at hacking Firefox being rescheduled to Thursday and the contestants scheduled to test Google Chrome being no shows. Thursday will also feature attempts at hacking the four smartphones slated for this year including and iPhone 4 running Apple's iOS 4.2, a Nexus S running Google's Android (version unknown), a Dell Venue Pro running Windows 7 and a Blackberry Torch 9800 running the Blackberry 6 OS. TippingPoint will award $15,000 for the first hack of each of the smartphones.

The contest will continue through the CanSecWest conference ending March 11th.

No comments:

Post a Comment

All comments will be moderate for content, please be patient as your comment will appear as soon as it has been reviewed.

Thank you