Hacker exploits IE8 on Windows 7 to win Pwn2Own
Summary: Jumping through a series of anti-exploit roadblocks, Dutch hacker Peter Vreugdenhil hacked into a fully patched 64-bit Windows 7 machine using a pair of Internet Explorer vulnerabilities.
VANCOUVER, BC -- Jumping through a series of anti-exploit roadblocks, Dutch hacker Peter Vreugdenhil pulled off an impressive CanSecWest Pwn2Own victory here, hacking into a fully patched 64-bit Windows 7 machine using a pair of Internet Explorer vulnerabilities.
Vreugdenhil, an independent researcher who specializes in finding and exploiting client-side vulnerabilities, used several tricks to bypass ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention), two significant security protections built into the Windows platform.
"I started with a bypass for ASLR which gave me the base address for one of the modules loaded into IE. I used that knowledge to do the DEP bypass," he added.
Vreugdenhil, who won a $10,000 cash prize and a new Windows machine, said he uses fuzzing techniques to find software vulnerabilities. "I was specifically looking through my fuzzing logs for a bug like this because I could use it to do the ASLR bypass," he said.
After finding the IE 8 vulnerability, Vreugdenhil said it took about two weeks to write an exploit to get around the ASLR+DEP mitigations.
Members of Microsoft's IE team were on hand to witness Vreugdenhil's exploit. A company spokesman said Microsoft was not yet aware of the details of the vulnerability but would activate its security response process once the information was collected from the contest organizers.
TippingPoint Zero Day Initiative (ZDI), the company sponsoring the hacker challenge, is expected to send the flaw details to all the affected vendors on Friday March 26, 2010.
* More to come...
Talkback
Sure is quiet in here...
Microsoft Compliant with Communist China
Source: http://bit.ly/aYW988
"Why is it totally right to 'censor' the Chinese people wanting to be informed about the issues affecting them? Why should a people be forbidden from knowing, to be made ignorant?"
Mirror: http://xrl.us/bg2qyz
Not like the great Google
what a bunch of crap
could hear a pin drop there for a while
You're right, it is quiet!
And I bet the M$ Winblows losers were afraid to come here, which gave you the perfect opportunity to post first before anyone else could!!
Well...
Firefox WAS hacked
Safari is an embarrassment once more
and the iPhone has been hacked...
PS: I use Windows because it's where most of the programs I use are... and no there is NO viable open source alternative to what I use... and yeah... games on Linux?
PPS: I have an Ubuntu box also...
PPPS: for obvious reasons I did not mention the fact that IE was hacked... because it's the subject of this article... if you're too blind to notice that... well that's your loss..
LMAO! Really?
Apparently you grazed over the whole "Mac was hacked again" by-line, huh? *nix systems can be hacked as well, genius.
@Timbo Zimbabwe - Uh, really?
Shooting fish in a barrel.
Firefox, Safari, and the iphone were also hacked.
SHHH, he lives in a fantasy world; it's dangerous to wake him! - nt
Firefox for Windows
AppArmor is not enabled by default.
[i]If that is true, then the real problem is that the OS is incapable of mitigating applications' exploits.[/i]
Windows offers Protected Mode which mitigates IE exploits. From what I've read so far there is no indication Protected Mode was bypassed.
If IE runs in protected mode, by default on...
the way it comes out of the box. I look at what I can do to harden it, as much as possible. You also have to remember that many on here are posting opinions, not facts.
There is no indication Protected Mode was bypassed.
And yes, Protected Mode is enabled by default on all versions of Vista and Windows 7 be they 32 or 64 bit.
Hmmm...
Protected mode was unable to protect the system. Does that come as any real surprise to anyone? There are no silver bullets, there are no magic solutions in security. To paraphrase, if you build it, they will break it.
@DNSB: Yes, it's on by default.
Doesn't sound like you understand Protected Mode so I would recommend you research it before commenting further on it.
Just going by what I am reading.
good is it really? If a cracker can get your credit card information, bank account information, etc. what good is this "protected mode"? This is where the newer attacks are aimed, isn't it?
@Rick_K: It does not, by default, prevent an exploit...
...from reading files. If you have this kind of information laying around in clear text on your hard disk then you're still at risk of it being captured by an exploit. This does not mean Protected Mode failed.
[i]what good is this "protected mode"?[/i]
It protects the system and user files from being modified or deleted. For example, a keylogger could not silently be installed. Nor could the user's files be encrypted by ransomware. The fact it doesn't protect against every possibility does not render it useless.
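As an added defender-side check, not part of the article or of any comment in this thread: the PowerShell snippet below reads the per-zone Protected Mode flag that Internet Explorer keeps in the registry and the system-wide DEP policy reported by bcdedit, so an administrator can confirm that the two mitigations discussed above are actually enabled on a machine. The registry value name 2500 (0 = Protected Mode on, 3 = off), the zone numbering and the bcdedit "nx" line are assumptions from general knowledge of IE and Windows, not values taken from the page.

```powershell
# Added example: report Internet Explorer Protected Mode per security zone
# and the system DEP policy. Value names and zone ids are assumptions from
# IE documentation, not from the article or the comments.
$zoneNames = @{ 0 = 'Local Machine'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }
$zoneRoot  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

function Get-IEProtectedModeStatus {
    foreach ($id in 0..4) {
        $key = Join-Path $zoneRoot $id
        # Value 2500 is "Turn on Protected Mode": 0 = enabled, 3 = disabled.
        # Out of the box IE enables it only for the Internet and Restricted zones.
        $raw = (Get-ItemProperty -Path $key -Name '2500' -ErrorAction SilentlyContinue).'2500'
        $status = switch ($raw) {
            0       { 'Enabled' }
            3       { 'Disabled' }
            default { 'Not set' }
        }
        [pscustomobject]@{ Zone = $zoneNames[$id]; ProtectedMode = $status }
    }
}

function Get-SystemDepPolicy {
    # bcdedit prints an "nx" line for the current boot entry:
    # OptIn, OptOut, AlwaysOn or AlwaysOff. It needs an elevated shell.
    $line = bcdedit /enum '{current}' 2>$null | Where-Object { $_ -match '^\s*nx\s+' }
    if ($line) { ($line -split '\s+')[-1] } else { 'Unknown (run from an elevated shell)' }
}

Get-IEProtectedModeStatus | Format-Table -AutoSize
"DEP policy: $(Get-SystemDepPolicy)"
```

A zone reporting "Disabled" for Internet or Restricted Sites, or a DEP policy of AlwaysOff, means the mitigation the thread assumes to be present has been turned off on that machine.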