Safari, IE browsers hacked in Pwn2Own contest

Apple and Microsoft browsers were the first to be compromised in the Pwn2Own hacking contest at the CanSecWest security conference, according to ZDNet UK sister site ZDNet.com.

French security company Vupen scooped $15,000 (£9,000), and an Apple MacBook Air 13" running Mac OS X Snow Leopard, for its Safari crack on Wednesday.

The company managed to hijack a fully patched 64-bit Mac OSX machine within 5 seconds of surfing to a site Vupen had rigged to upload a specially written exploit.

Vupen co-founder Chaouki Bekrar launched a calculator app and wrote a file to the hard disk on the machine to prove it was under his full control.

The company found a flaw in WebKit, the rendering engine used by Safari, and specially crafted an exploit which bypassed both ASLR (Address Space Layout Randomisation) and DEP (Data Execution Prevention) security technologies in the browser.

"The victim visits a web page, he gets owned," Bekrar told ZDNet.com. "No other interaction is needed."

Vupen had to write a debugging tool, create the shellcode, and the technique for exploiting the vulnerability, and said there was a lack of documentation around 64-bit Mac OSX compromises.

Apple patched both Safari and IOS on the same day as the contest, making the Pwn2Own contest more difficult.

Microsoft's Internet Explorer browser was successfully hacked by Metasploit developer Stephen Fewer. The Irish security researcher hacked into a 64-bit Windows 7 (SP1) machine running Internet Explorer 8 (IE8) using two different zero-day bugs in IE, plus a third flaw to jump out of the IE8 Protected mode sandbox.

"I had to chain multiple vulnerabilities to get [the exploit] to work reliably," Fewer told ZDNet.com.

Fewer won a $15,000 cash prize and a new Windows laptop, and declined to reveal the flaws until Microsoft releases a patch.