14 DAY TRIAL // When it comes down to browser security, public perception and corporate marketing do little to actually bulletproof against hacking attempts. And, apparently, not even complex mitigations built into the underlying platform are sufficient. White hackers owned Internet Explorer 8 and Firefox 3 running on top of Windows 7 and Safari on Mac OS X at the CanSecWest 2010 hack contest. At the end of the Pwn2Own contest at the CanSecWest security show, Google Chrome was the only browser left standing, but only because hackers ignored it completely. (via ZDNET)
Those that have followed the hack contests associated with the CanSecWest for the past three years already know that Safari on OS X is by now the favorite victim of the show. For the third year in a row, Charlie Miller, principal security analyst at Independent Security Evaluators, took down Safari, owning the Mac OS X computer. Miller used a drive-by attack, in which a conference organizer visited a malformed website set up to exploit a Critical vulnerability in the browser that is trumpeted by Apple as being an epitome of security by default. The Critical Safari security hole exploit allowed Miller to gain complete control of the MacBook and brought him a $10,000 prize from the sponsor, TippingPoint Zero Day Initiative (ZDI).
At CanSecWest 2009, Miller owned a Mac OS X machine through a Safari vulnerability in just ten seconds. However, another security researcher, who goes only by the moniker Nils, also had a Safari hack all lined up, but didn’t get a chance to have a go at the MacBook offered by conference organizers. Nils had to content himself with owning Firefox 3 running on top of a 64-bit (x64) Windows 7 computer.
Head of research at UK-based MWR InfoSecurity, Nils had not only to defeat Firefox, but also the mitigations built by Microsoft into 64-bit Windows 7, including Address space layout randomization (ASLR) and Data Execution Prevention (DEP). After bypassing both ASLR and DEP, the security researcher exploited a hole in Firefox 3 via a drive-by attack using a malicious website, and completely owned the machine running Mozilla’s open source browser, winning $10,000 in the process.
Peter Vreugdenhil, a security researcher from the Netherlands, was the one to take down Internet Explorer 8 running on top of x64 Windows 7, for a prize of $10,000. The Dutch white hacker also needed to bypass ASLR and DEP ahead of being able to exploit vulnerabilities in IE8. Microsoft representatives participating at the event noted that they would start addressing the security problems that allowed the hack as soon as they received information on the vulnerabilities from the conference’s organizers.
All security researchers present at CanSecWest who took part in the Pwn2Own hacking contest exploited zero-day (0-day) vulnerabilities in their attacks. Details of the vulnerabilities have not been made public, and will be shared with Microsoft, Mozilla and Apple at the end of the CanSecWest conference.
Internet Explorer 8 (IE8) RTW is available for download here (for 32-bit and 64-bit flavors of Windows XP, Windows Vista, Windows Server 2003 and Windows Server 2008).
Firefox 3.6.2 for Windows is available for download here.
Google Chrome 4.1 Stable is available for download here.
Opera 10.51 is available for download here.
Internet Explorer 9 (IE9) Platform Preview is available for download here.