14 DAY TRIAL // Internet Explorer 8 was the second browser to fall at the Pwn2Own hacking contest, but the security researcher responsible for the hack had to chain together three exploits.
Pwn2Own 2011 kicked off yesterday at the CanSecWest conference in Vancouver, Canada, with Safari being compromised in five seconds by researchers from VUPEN Security.
Internet Explorer 8 followed shortly, but unlike the Safari exploit which was executed via a transparent drive-by-download attack, the IE hack required the user to interact with the page and click on a link.
The compromise was the achievement of Irish security researcher and Metasploit developer Stephen Fewer, who had to exploit three vulnerabilities in order to get the job done.
In addition to proving arbitrary code execution by launching calc.exe, Fewer's attack also bypassed the IE Protected Mode and write to a file.
The researcher told ZDNet he needed six weeks to find the three vulnerabilities and write a reliable exploit, the Protected Mode bypass being the hardest part.
"Writing the exploit was the tricky part. It was very time consuming, especially bypassing protected mode," he said.
That's because Fewer devised a completely new technique to do it that hasn't been publicized yet. As per the contest's rules, all technical details belong to the event's sponsor, TippingPoint, which will share them with affected vendors.
The attack was executed against a fully patched Internet Explorer 8 running on a laptop with 64-bit Windows 7 SP1 installed, which Fewer won along with the $15,000 cash prize.
The IE8 hack is proof of how hard it is to bypass all security measures in modern operating systems and browsers. Spending six weeks to chain together exploits for three separate vulnerabilities is certainly not practical for the average attacker who want to make a big impact with as few resources as possible.