10 March 2011 | 8,909 views

Day One At Pwn2Own Takes Out Microsoft Internet Explorer and Apple Safari

Check Your Web Security with Acunetix

Well it’s March again and well we love March because it’s Pwn2Own time! Every year around this time we get some goodies to discuss way back since:

It took Microsoft till June last year to fix the Pwn2Own bug – Microsoft Patches At Least 34 Bugs Including Pwn2Own Vulnerability.

This time both Internet Explorer and Safari fell on the first day!

Contestants in a high-stakes hacking contest had no trouble toppling the Apple Safari and Microsoft Internet Explorer browsers, proving for a fifth year in a row that no software or application is safe from people with the expertise and motivation to exploit them.

The attacks came on Day One of the Pwn2Own contest, which pays more than $15,000 apiece for exploits that successfully give the attacker full remote access of the targeted machine. Wednesday’s event saw hackers take complete control of a fully patched Sony Vaio and MacBook Air by compromising IE and Safari respectively. Google’s Chrome browser was also up for grabs, but no one stepped forward to try hacking it.

“Every browser, every operating system, has its own vulnerabilities,” said Chaouki Bekrar, CEO of Vupen Security and the contestant who successfully hacked Safari. “This is what we wanted to demonstrate – that we can create a very reliable exploit for Apple Mac OS and Safari without even crashing the browser.”

Contest rules forbid him from disclosing most technical details behind the vulnerability, but he was permitted to say that it involved what’s known as a use-after-free flaw in the Apple browser. He said the exploit used a technique known as return-oriented programming to bypass a security protection known as data execution prevention that is built into many Apple programs.

There have been a barrage of patches recently too with Microsoft patching some very serious bugs in the March 2011 Black Tuesday, Apple patches critical Mac bugs with Java updates, Apple patching 62 bugs in Safari and Jon Oberheide killing his own Android bug by reporting it to Google.

Also sadly one of the Pwn2Own champions Geohot wasn’t present most likely to to the shit storm Sony is throwing at him.

It’ll be interesting to what else comes out of Pwn2Own this year.

After building the tools from scratch, it took him about two weeks to find the bug and set out to exploit it. The result was an attack that reliably commandeers a Mac when Safari visits a website that hosts the malicious code.

“Just after visiting the webpage with the affected version of Safari, we can, for example, launch the calculator or open a shell or do anything else we want,” he said a minute or two after demonstrating the exploit at the contest, which was attended by members of Apple’s security team. “We have the same privileges as the user who visited the webpage.”

He said users would have no way of knowing their machines have been compromised. There is no prompt asking for a password. The only way to thwart the attack is to run Safari from an account that has been configured to have limited privileges.

Under competition rules, contestants drew a lottery to determine who was the first to attempt hacking a particular browser. Once a browser was compromised, it was eliminated from the running. Both IE and Safari were hacked on the first try.

“I have an exploit all ready to go, and now it’s just sitting in my bag,” said Charlie Miller, a three-time Pwn2Own winner, shortly after Bekrar took this year’s prize. “You’d think Apple would be concerned about it.”

Miller said he’s had the working attack for more than nine months now. Even after Apple patched a whopping 62 Safari security bugs just hours before the contest started, Miller’s exploit still worked, he said.

Charlie Miller has a working exploit sitting in his back too after Bekrar already took the prize. It seems like it’s really quite worth developing a reliable, working 0-day exploit for $15,000!

The new sandbox in IE got pwned pretty easily too, which shows..slapping on some tonka toy security controls isn’t ever going to stop a dedicated attacker. There was one contestant who stepped up to the plate to take down Google’s Chrome, but perhaps the exploit didn’t work as there’s no reports on that.

Day two of Pwn2Own will see attacks on Smart-phone platforms – Windows 7 Mobile, an iPhone 4, a BlackBerry Torch 9800, and a Nexus S running Google’s Android. There are multiple contestants signed up for each platform!

Source: The Register



Recent in Apple:
- Apple Retires Support Leaving 20% Of Macs Vulnerable
- Andrew Auernheimer AKA Weev Gets 41 Months Jail Time For GET Requests
- Apple, Facebook & Hundreds More Hacked By 0-Day Java Exploit

Related Posts:
- Charlie Miller Does It Again At PWN2OWN
- Microsoft Unleashes Record Breaking Patch Tuesday – April 2011
- Mozilla Beats Apple & Microsoft to Pwn2Own Patch For Firefox

Most Read in Apple:
- KisMAC – Free WiFi Stumbler/Scanner for Mac OS X - 81,165 views
- Apple Struggling With Security & Malware - 24,064 views
- Java Based Cross Platform Malware Trojan (Mac/Linux/Windows) - 15,237 views

Low-cost VPS Hosting

4 Responses to “Day One At Pwn2Own Takes Out Microsoft Internet Explorer and Apple Safari”

  1. Bogwitch 10 March 2011 at 10:33 am Permalink

    Always good fun to see which browser falls first. I’m suprised there’s no mention of Firefox – do you know of any reason for that?
    I also note that Safari fell too. As I have been saying for several years, Apple offerings are NOT completely secure as some Apple zealots wouls have us believe and as their popularity increases, so will the vulnerabilities.
    Kudos to Google for Chrome. Although no exploit at pwn2own does not mean no vulnerabilities!

    • Darknet 11 March 2011 at 6:10 am Permalink

      Yah I found that interesting, perhaps no one even submitted a challenge for Firefox. Well Apple has never really been secure, the users of Macs just tend to be an unusually arrogant bunch and due to the small amount of users – there was no real point targeting them.

  2. Bogwitch 11 March 2011 at 9:31 am Permalink

    According to The Register, Firefox was not attempted. http://www.theregister.co.uk/2011/03/11/iphone_blackberry_hacked/

    As for Apple, there was no real point in targetting them but given the high saturation of Iphones, this will now change. I see a distinct move towards malware for mobile devices, much the way the shift from ‘hack because I can’ moved to ‘hack for cash’ with the early profit-driven malware changing the host computer to dial premium rate numbers, the early malware for mobile devices will also be configured to dial or text premium numbers.

  3. window 16 March 2011 at 11:33 am Permalink

    What about Firefox? Didn’t try it or didn’t succeed?