Seems like Pwn2Own is getting a reputation for uncovering some pretty nasty browser based vulnerabilities, once again this year Firefox, Safari and IE8 were all broken wide open. The latest development is Mozilla has beaten both Microsoft and Apple to the punch and released Firefox 3.6.3 patching the vulnerability.

Again it was a critical vulnerability and the creator netted himself $10,000 from the contest for the exploit. Pretty fast patching from Firefox though with an 8 day turnaround, and the vulnerability is only on Firefox 3.6.x not 3.5.x in its current state.

Mozilla late yesterday patched a critical Firefox vulnerability used by a German researcher to win $10,000 for hacking the open-source browser at last week’s Pwn2Own contest.

In a repeat of 2009, Mozilla was the first browser maker to patch a bug exploited at Pwn2Own. In fact, the company improved on its performance by fixing the newest flaw only eight days after Nils, a researcher who works for U.K.-based MWR InfoSecurity, hacked Firefox. Last year, Mozilla took 10 days to come up with its Pwn2Own fix. Nils also successfully exploited Firefox at 2009′s contest.

This time, Nils used a memory corruption flaw to hack the browser, Mozilla said in the security advisory that accompanied the update to Firefox 3.6.3. It rated the bug as “critical,” the highest threat ranking in its four-step scoring system.

Nils exploited Firefox 3.6.2 — Mozilla had patched the browser just two days before the contest kicked off — on 64-bit Windows 7 , also bypassing the operating system’s DEP (data execution prevention) and ASLR (address space layout randomization) defenses. For his work, Nils was awarded $10,000 by 3Com TippingPoint, Pwn2Own’s sponsor.

Gotta give him some props though, exploiting the latest version of Firefox and bypassing both DEP and ASLR. Nice work Nils! It just goes to shows, if the motivation is there (which it is for many blackhats) then an entry vector can be found.

Especially with the rapid pace of software development in the web era, there’s no way everything can be kept secure with all the additional features and functions that are constantly being added.

Other researchers hacked Apple’s Safari and Microsoft’s Internet Explorer 8 (IE8) to also win $10,000 each.

According to Mozilla, Nils’ exploit only works against Firefox 3.6, the newest edition, but the company said it planned to also patch Firefox 3.5 “just in case there is an alternate way of triggering the bug.” Mozilla did not specify a timeline for the Firefox 3.5 update. Firefox 3.5 was just patched last Monday to bring it to version 3.5.9.

Mozilla restricted access to additional information on the vulnerability by locking down Bugzilla, its change- and bug-tracking database, allowing only authorized users to view information on the flaw. That move is typical of Mozilla when it has patched some, but not all, of its browsers.

Neither Apple or Microsoft has announced plans to patch their Pwn2Own vulnerabilities. Microsoft has acknowledged receiving details of the IE8 vulnerabilities that Dutch researcher Peter Vreugdenhil used to hack the browser, but earlier this week said a patch was not ready.

Microsoft as usual have stated it is still ‘under investigation’ having just patched 10 vulnerabilities in IE8 last week, they now have another to add to the list. I’m not holding my breath for an out-of-band patch however.

Mozilla also made the move to lock the public out of the vulnerability details on Bugzilla to prevent it from getting into the wild.

No news from Apple yet on the Safari bug, wonder when they’ll come out with a fix for it? Or acknowledge it even? Or perhaps they’ve already fixed it and pushed out the patch..who knows?

Source: Network World

You right remember in March last year we posted about Charlie Miller at the PWN2OWN contest owning the MacBook Air in under 2 minutes.

Guess what? He’s done it again! This time though he’s even faster clocking in at under 10 seconds. No one else stood a chance. He walked off with the prize again, $5000 and the MacBook that he hacked.

Of course he wrote the exploit before hand, but still impressive!

Charlie Miller, a security researcher who hacked a Macintosh in two minutes last year at CanSecWest’s PWN2OWN contest, improved his time today by breaking into another Macintosh in under 10 seconds.

Miller, an analyst at Independent Security Evaluators in Baltimore, walked off with a $5,000 cash prize and the MacBook he hacked.

“I can’t talk about the details of the vulnerability, but it was a Mac, fully patched, with Safari, fully patched,” said Miller on Wednesday, not long after he had won the prize. “It probably took five or 10 seconds.” He confirmed that he had researched and written the exploit before he arrived at the challenge.

It guess it might be a Safari exploit, but I guess if you keep your ears open you’ll hear about it soon enough.

I wonder if he’ll be able to pull the same trick again next year, with his record so far I’d say it wouldn’t be a large stretch of imagination.

The PWN2OWN rules stated that the researcher could provide a URL that hosted his exploit, replicating the common hacker tactic of enticing users to malicious sites where they are infected with malware. “I gave them the link, they clicked on it, and that was it,” said Miller. “I did a few things to show that I had full control of the Mac.”

Two weeks ago, Miller predicted that Safari running on the Macintosh would be the first to fall.

PWN2OWN’s sponsor, 3Com Corp.’s TippingPoint unit, paid Miller $5,000 for the rights to the vulnerability he exploited and the exploit code he used. As it has at past challenges, it reported the vulnerability to on-site Apple representatives. “Apple has it, and they’re working on it,” added Miller.

Interestingly another researcher later broke into a Sony laptop that was running Windows 7 by exploiting a vulnerability in Internet Explorer 8. So Safari and IE8 both fell!

What with all the claims from Microsoft that IE8 is so secure…I guess that pissed on their bonfire didn’t it?

This year’s PWN2OWN also has a section for mobile operating systems, the prize is larger too at $10,000. If you want to join you can have a crack at Windows Mobile, Google’s Android, Symbian, and the operating systems used by the iPhone and BlackBerry.

Source: Computer World (Thanks Navin)