Hacker exploits IE8 on Windows 7 to win Pwn2Own

Hacker exploits IE8 on Windows 7 to win Pwn2Own

Summary: Jumping through a series of anti-exploit roadblocks, Dutch hacker Peter Vreugdenhil hacked into a fully patched 64-bit Windows 7 machine using a pair of Internet Explorer vulnerabilities.

SHARE:

VANCOUVER, BC -- Jumping through a series of anti-exploit roadblocks, Dutch hacker Peter Vreugdenhil pulled off an impressive CanSecWest Pwn2Own victory here, hacking into a fully patched 64-bit Windows 7 machine using a pair of Internet Explorer vulnerabilities.

Vreugdenhil, an independent researcher who specializes in finding and exploiting client-side vulnerabilities, used several tricks to bypass ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention), two significant security protections built into the Windows platform.

[ ALSO SEE: Pwn2Own MacBook attack: Charlie Miller hacks Safari again ]

"I started with a bypass for ALSR which gave me the base address for one of the modules loaded into IE. I used that knowledge to do the DEP bypass," he added.follow Ryan Naraine on twitter

Vreugdenhil, who won a $10,000 cash prize and a new Windows machine, said he uses fuzzing techniques to find software vulnerabilities. "I specifically looking through my fuzzing logs for a bug like this because I could use it to do the ASLR bypass, he said.

After finding the IE 8 vulnerability, Vreugdenhil said it took about two weeks to write an exploit to get around the ASLR+DEP mitigations.

[ ALSO SEE: Pwn2Own 2010: iPhone hacked, SMS database hijacked ]

Members of Microsoft's IE team were on hand to witness Vreugdenhil's exploit.  A company spokesman said they were not yet aware of the details of the vulnerability but will activate its security response process once the information is collected from the contest organizers.

TippingPoint Zero Day Initiative (ZDI), the company sponsoring the hacker challenge, is expected to send the flaw details to all the affected vendors on Friday March 26, 2010.

* More to come...

Topics: Operating Systems, Browser, Microsoft, Security, Software, Windows

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

273 comments
Log in or register to join the discussion
  • Sure is quiet in here...

    n/t
    jgpmolloy
    • Microsoft Compliant with Communist China

      An anonymous reader from China shares his views about Google?s situation in China:

      Source: http://bit.ly/aYW988

      "Why is it totally right to ?censor? the Chinese people wanting to be informed about the issues effecting them? Why should a people be forbidden from knowing, to be made ignorant?"

      Mirror: http://xrl.us/bg2qyz
      Wang Li
      • Not like the great Google

        who really didn't pull out because they were hacked, but because they care ABOUT YOU!!
        Ron Bergundy
      • what a bunch of crap

        Google stood up to China after it was hacked and they realized they'd never make that much market share. So big f...ing deal.
        tech_walker
    • could hear a pin drop there for a while

      n/t
      thx-1138_
    • Your right, it is quite!

      it's not like the Apple story of the iphone being hacked as people expected that.

      And I bet the M$ Winblows losers were afraid to come here, which gave you the perfect opportunity to post first before anyone else could!!
      Ron Bergundy
      • Well...

        I don't know about the Cult of Balmer... but for me, I was waiting for stupid declaration from the Cult of Stallman and the Cult of Jobs... regardless of the fact that:

        Firefox WAS hacked
        Safari is an embarassement once more
        and the iPhone have been hacked...


        PS: I use windows because it's where most of the programs I use are... and no there is NO viable open source alternative to what I use... and yea... games on linux?

        PPS: I have a ubuntu box also...

        PPPS: for obvious reason I did not mention the fact that IE was hacked... because it's the subject of this article... if your too blind to notice that... well that's your loss..
        Ceridan
      • LMAO! Really?

        "And I bet the M$ Winblows losers were afraid to come here"

        Apparently you grazed over the whole "Mac was hacked again" by-line, huh? *nix systems can be hacked as well, genius.
        Timbo Zimbabwe
        • @Timbo Zimbabwe - Uh, really?

          Besides the fact there is no such line as "Mac was hacked again" in the article, the "by-line" reads, "Posted by Ryan Naraine @ 5:36 pm." Embellishers always have trouble with facts, don't you?
          Isocrates
  • Shooting fish in a barrel.

    nt
    Dietrich T. Schmitz GNU/Linux Advocate
    • Firefox, Safari, and the iphone were also hacked.

      <nt>
      jamesrayg
      • SHHH he lives in fantasy world it's dangerous to wake him ! - nt

        nt
        TheBottomLineIsAllThatMatters
      • Firefox for Windows

        To be clear, it was Firefox for Windows which was hacked, not Firefox on Linux. I've read some posts suggesting that Linux's AppArmor would have prevented this from happening. If that is true, then the real problem is that the OS is incapable of mitigating applications' exploits. Perhaps this is why the next version of Office will run in a jail (chroot).
        davidr69
        • AppArmor is not enabled by default.

          Therefore it would not have mitigated the exploit.

          [i]If that is true, then the real problem is that the OS is incapable of mitigating applications' exploits.[/i]

          Windows offers Protected Mode which mitigates IE exploits. From what I've read so far there is no indication Protected Mode was bypassed.
          ye
          • If IE runs in protected mode, by default on...

            64 bit versions of windows, then it was bypassed. I do not run anything
            the way it comes out of the box. I look at what I can do to harden it, as
            much as possible. You also have to remember that many on here are
            posting opinions, not facts.
            Rick_K
          • There is no indication Protected Mode was bypassed.

            Do you have any additional information which shows otherwise?

            And yes, Protected Mode is enabled by default on all versions of Vista and Windows 7 be they 32 or 64 bit.
            ye
          • Hmmm...

            As the story said, a fully patched x64 flavour of Windows 7. Protected mode would be on by default. Logic suggests that it would not have been turned off to make it easier to for the hackers.

            Protected mode was unable to protect the system. Does that come as any real surprise to anyone? There are no silver bullets, there are no magic solutions in security. To paraphrase, if you build it, they will break it.
            DNSB
          • @DNSB: Yes, it's on by default.

            However Protected Mode isn't designed to prevent exploits. It's intended to limit the impact of an exploit. Therefore just because an exploit was successful doesn't mean Protected Mode was bypassed.

            Doesn't sound like you understand Protected Mode so I would recommend you research it before commenting further on it.
            ye
          • Just going by what I am reading.

            If it does not protect against a cracker getting your information, what
            good is it really? If a cracker can get your Credit Card information, bank
            account information, etc. what good is this ?protected mode?? This is
            where the newer attacks are aimed, isn?t it?
            Rick_K
          • @Rick_K: It does not, by default, prevent an exploit...

            [i]If a cracker can get your Credit Card information, bank account information, etc.[/i]

            ...from reading files. If you have this kind of information laying around in clear text on your hard disk then you're still at risk of it being captured by an exploit. This does not mean Protected Mode failed.

            [i]what good is this ?protected mode??[/i]

            It protects the system and user files from being modified or deleted. For example a key logger could not silently be installed. Nor could the users files be encrypted by ransomware. The fact it doesn't protect against every possibility does not render it useless.
            ye