Mar 25, 2010
Safari, Firefox, and IE8 hacked; Chrome left untested
Day 1 of Pwn2Own has just wrapped up and the results so far mimic those of last year. Hackers have claimed victory over all browsers and operating systems except Google’s Chrome browser, which no one attempted to hack.
Safari 4 on 10.6 Snow Leopard was the first to fall to a very familiar face, Charlie Miller. This is Miller’s third year in a row hacking Safari at Pwn2Own. For this year, Miller set up a remote exploit at a web site through which a conference organizer’s Macbook was taken control after surfing to it.
Up next was Internet Explorer 8, which was successfully breached by Peter Vreugdenhil, a Dutch security researcher. Vreugdenhil used a four layer attack to bypass DEP and ASLR on Windows 7 after an organizer surfed to the website that contained the exploit code. He claimed that it took him less than a week to code the exploit.
Nils from MWR InfoSecurity then successfully targeted and hacked Firefox 3 on 64-bit Windows 7 using calc.exe, though he claimed that “could have started any process” to demonstrate the exploit. Though a memory corruption vulnerability was used for the attack, he also had to bypass DEP and ASLR as Peter did with IE8. He claims it only took a few days to code the exploit. Nils is a German CS student at the University of Oldenburg who had also successfully hacked IE8, Safari, and Firefox at last years Pwn2Own.
Google Chrome was the only one left standing because no one even attempted a go at it. Charlie Miller’s comments from last year’s Pwn2Own might shed some more light as to why Chrome was left unscathed: ”There are bugs in Chrome but they’re very hard to exploit. I have a Chrome vulnerability right now but I don’t know how to exploit it. It’s really hard. They’ve got that sandbox model that’s hard to get out of. With Chrome, it’s a combination of things — you can’t execute on the heap, the OS protections in Windows and the Sandbox.”
All successful competitors receive $10,000 USD and their hacked laptop as reward. The following laptops are available as prizes: Apple Macbook Pro 15″, HP Envy Beats 15″, Sony Vaio 13″, and Alienware M11x. They also receive 20,000 ZDI points which qualifies them for a $5,000 USD payment, 25% reward points on 2011 ZDI entries, 15% monetary bonus on 2011 ZDI entries, and a paid trip and registration to DEFCON in Las Vegas.
All systems and browsers were updated to the latest versions and left in their default state for the contest. Details of the successful exploits will remain withheld from public until the respective software vendor issues a patch.
Mar 24, 2010
Opera 10.51
A full-featured Internet browser, Opera includes pop-up blocking, tabbed browsing, integrated searches, and advanced functions like Opera's groundbreaking E-mail program, RSS Newsfeeds and IRC chat. And because we know that our users have different needs, you can customize the look and content of your Opera browser with a few clicks of the mouse.
- Speed Dial: Your favorite sites are just one click away at all times.
- Search Shortcuts: Faster search รข€“ type your queries directly into the address bar.
- Trash Can: Instantly reopen recently closed tabs.
- Speed Dial: Get your favorite Web page with just one click.
- Mouse Gestures: With Opera you can navigate the Web with your mouse.
- Opera Link: Synchronize data of your choice online, or among different computers and devices.
- Quick Find: Opera remembers not only the titles and addresses, but also the actual content of the Web pages you visit.
- Feed Preview: Preview a Feed by clicking on the feed icon, and you will see it in clean and efficient multiple-column layout.
- Quick and customizable Web search: Get quick access to Google, eBay, Amazon and more with the search field in the upper right corner.
Download: here
Subscribe to:
Posts (Atom)