Pwn2Own hack topples Firefox on Windows

And, for the second year in a row, a German hacker known simply as "Nils" exploited a previously unknown vulnerability in Mozilla Firefox to take complete control of a 64-bit Windows 7 machine.

The successful exploit, which defeated ALSR+DEP on Windows 7, followed hacking attacks against Safari on Mac OS X, Internet Explorer 8 on Windows 7 and Apple's iPhone device.  There were no hacking attempts against Google Chrome.

Nils, a 26-year-old hacker who heads up the security research team at U.K.-based MWR InfoSecurity, also planned to attack Apple's Safari browser but after Charlie Miller's victory against that target, he did not get an opportunity.

As per the contest rules, he was not allowed to disclose details about the Firefox vulnerability -- contest sponsor TippingPoint ZDI owns the exclusive rights to that information -- but in a Q&A session with journalists here, Nils said the biggest challenge was navigating the anti-exploit mitigations in Windows 7.

He used several tricks to bypass Address Space Layout Randomization (ALSR) and Data Execution Prevention (DEP) to get his drive-by download to load an executable on the target machine.

ASLR+DEP are held up as significant roadblocks to thwart malware attacks on the newest versions of Windows but, as this contest shows, skilled hackers with enough motivation and resources can bypass those mitigations easily.

Nils said Mozilla can do a better job of opting into ASLR on Windows, a clear hint that implementation errors make it easy to bypass the Windows defenses.

More to come...