Mar 25, 2010
Safari, Firefox, and IE8 hacked; Chrome left untested
Day 1 of Pwn2Own has just wrapped up and the results so far mimic those of last year. Hackers have claimed victory over all browsers and operating systems except Google’s Chrome browser, which no one attempted to hack.
Safari 4 on 10.6 Snow Leopard was the first to fall to a very familiar face, Charlie Miller. This is Miller’s third year in a row hacking Safari at Pwn2Own. For this year, Miller set up a remote exploit at a web site through which a conference organizer’s Macbook was taken control after surfing to it.
Up next was Internet Explorer 8, which was successfully breached by Peter Vreugdenhil, a Dutch security researcher. Vreugdenhil used a four layer attack to bypass DEP and ASLR on Windows 7 after an organizer surfed to the website that contained the exploit code. He claimed that it took him less than a week to code the exploit.
Nils from MWR InfoSecurity then successfully targeted and hacked Firefox 3 on 64-bit Windows 7 using calc.exe, though he claimed that “could have started any process” to demonstrate the exploit. Though a memory corruption vulnerability was used for the attack, he also had to bypass DEP and ASLR as Peter did with IE8. He claims it only took a few days to code the exploit. Nils is a German CS student at the University of Oldenburg who had also successfully hacked IE8, Safari, and Firefox at last years Pwn2Own.
Google Chrome was the only one left standing because no one even attempted a go at it. Charlie Miller’s comments from last year’s Pwn2Own might shed some more light as to why Chrome was left unscathed: ”There are bugs in Chrome but they’re very hard to exploit. I have a Chrome vulnerability right now but I don’t know how to exploit it. It’s really hard. They’ve got that sandbox model that’s hard to get out of. With Chrome, it’s a combination of things — you can’t execute on the heap, the OS protections in Windows and the Sandbox.”
All successful competitors receive $10,000 USD and their hacked laptop as reward. The following laptops are available as prizes: Apple Macbook Pro 15″, HP Envy Beats 15″, Sony Vaio 13″, and Alienware M11x. They also receive 20,000 ZDI points which qualifies them for a $5,000 USD payment, 25% reward points on 2011 ZDI entries, 15% monetary bonus on 2011 ZDI entries, and a paid trip and registration to DEFCON in Las Vegas.
All systems and browsers were updated to the latest versions and left in their default state for the contest. Details of the successful exploits will remain withheld from public until the respective software vendor issues a patch.