Softpedia
 


March 10th, 2011, 15:56 GMT · By

Pwn2Own 2011: It Takes 3 Holes to Hack IE8, just 1 for Safari

Safari 5 is the first browser victim of this year’s Pwn2Own hacking contest at CanSecWest, with Internet Explorer 8 being the second one to fall.

Security researchers from French security outfit VUPEN took a swing at Safari 5 on a fully patched Mac OS X Snow Leopard (64-bit) copy running on a MacBook.

Exploiting just a single zero-day vulnerability in Safari, the VUPEN researchers took Apple’s browser down in just five seconds, walking away with no less than $15,000 and the Apple MacBook Air 13″, according to Zero Day.

VUPEN co-founder Chaouki Bekrar explained that just by using simple fuzzing techniques a variety of issues can be discovered rather easily in WebKit, the engine at the core of Safari.

Taking advantage of the flaws in attacks is somewhat difficult because exploiting vulnerabilities on x64 Mac OS X is uncharted territory, but, as VUPEN proved, not impossible.

The 0-day flaw they discovered allows for drive-by attacks, which means that a user needs to simply visit a malformed webpage to get owned, without any additional interaction required.

It appears that the attack on Internet Explorer 8 was more complicated. First off, security researcher Stephen Fewer needed no fewer than three vulnerabilities to bypass all the security mitigations set in place by Microsoft.

Fewer told Zero Day that without linking the vulnerabilities, the attack would not have been successful.

He hacked IE8 on 64-bit Windows 7 (SP1) by using two security holes to bypass Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR), key security mitigations on which IE8 relies.

The third vulnerability was used to circumvent yet another layer of security for IE8, namely Protected Mode, part of the User Account Control (UAC) mitigation.

Fewer confessed that the hardest part of the attack was writing the bypass for IE8 Protected Mode, which involved inventing a completely new way to circumvent the protection.

In addition, the attack required the victim not only to visit a malicious web page, but also to click on a link in order to launch the exploits.

READER COMMENTS:


Comment #1 by: Exsecrabilus on 11 Mar 2011, 14:34 UTC

Dear Softpedia,

I cannot help but notice that this article is biased against Mac for Windows. Isn't news supposed to be objective? You say "It Takes 3 Holes to Hack IE8, JUST 1 for Safari" like you want to prove that IE is more secure. When did Softpedia degenerate into an editorial site? Needless to say, I am sorely disappointed.

Sincerely,
Loyal reader

Comment #1.1 by: Freelancer111 on 08 Oct 2011, 17:22 GMT

You Fanboys mystify me.


Comment #2 by: doraaaaaaaaaaa on 23 Jun 2011, 13:47 UTC

thank uuuuuuuuuuuuuuuuuuuuuuuuuuuuu
