In the eternal war between crackers and security professionals, the hackers have won the latest battle.
At the CanSecWest conference in Vancouver, Canada, the HP Zero Day Initiative's (ZDI) annual Pwn2Own competition has ended its first day of competition and Microsoft's Internet Explorer (IE) 10, Google's Chrome and Mozilla's Firefox Web browsers have all been cracked. In addition, Java—can anyone be surprised at this?--was also cracked multiple times.
Vupen Security, the French security and hacking company, cracked IE 10. Vupen reported, via Twitter, that they "pwned MS Surface Pro with two IE10 zero-days to achieve a full Windows 8 compromise with sandbox bypass."
Mind you, no one else had anything to boast about on this day. Google, which had just fixed numerous security bugs in the Chrome Web browser prior to Pwn2Own, saw Chrome go down as well. MWR Labs, a branch of UK-based MWR InfoSecurity, took down Chrome 25 on Windows 7 by exploiting multiple "zero-day," or unpatched, browser vulnerabilities.
The Chrome crack's authors explained that they'd broken the Web browser by having Chrome visit a malicious Web page. This, in turn, enabled them "to exploit a vulnerability which allowed us to gain code execution in the context of the sand-boxed renderer process. We also used a kernel vulnerability in the underlying operating system [Windows 7] in order to gain elevated privileges and to execute arbitrary commands outside of the sandbox with system privileges."
Vupen struck again and also took out Firefox. Vupen said that they did in Firefox by "using a use-after-free and a brand new technique to bypass ASLR/DEP [Address Space Layout Randomisation/Data Execution Prevention] on Win7 without the need of any ROP [Return-oriented programming]."
Vupen has not publicly revealed how they did this without using ROP, perhaps the most common way of exploiting operating systems with ASLR/DEP protection. The company did announce on Twitter, as per the Pwn2Own rules, that "ALL our 0days & techniques used at #Pwn2ownhave been reported to affected software vendors to allow them [to] issue patches and protect users."
Vupen broke Java by "using a same unique heap overflow as a memory leak to bypass ASLR and as a code execution."recently, fell not once or twice but three times to crackers.
Java was also broken by Accuvant Labs security scientist Joshua Drake and Context Information Security consultant and vulnerability researcher James Forshaw. Drake appears to have used a similar method to Vupen's in his successful hack, while Forshaw used a "reflection" attack.
Not everything was "pwned" though. No one broke Adobe's Flash Player and Adobe Reader on Windows 7 or Safari on Mac OS X Mountain Lion. Adobe products may yet go down. Vupen is going after Flash today and George Hotz, best known for unlocking Apple's iPhone, is taking on Reader.
It's not all bad news for those who are trying to secure their programs.
In a ThreatPost interview, Chaouki Bekrar, Vupen's CEO and head of research, said, "Writing exploits in general is getting much harder. Java is really easy because there's no sandbox. Flash is a different thing and it's getting updated all the time and Adobe did a very good job securing it. It's more expensive to create a Flash exploit than a Java one. Every time Adobe updates Flash, they're killing bugs and techniques and sandbox bypasses, and honestly, Adobe is doing a great job making it more secure."
As for the browsers in general, Brekar concluded:
"Chrome is probably the most hard to attack because of the sandbox. The weakness in Chrome is Webkit and the strength is the sandbox. Probably one of the reasons Chrome is so secure is that the Google guys don't just fix vulnerabilities but they're proactive in fixing techniques and sandbox bypasses."
How good is Chrome security really though? We'll find out: In a separate hacking contest, Pwnium 3,for a a total prize package of $3.14159 million.