Pwn2Own hack topples Firefox on Windows
Summary: A German hacker known simply as "Nils" exploited a previously unknown vulnerability in Mozilla Firefox to take complete control of a 64-bit Windows 7 machine.
VANCOUVER, BC -- The first day of the CanSecWest Pwn2Own hacker challenge wrapped up here today with a familiar face going after a familiar target.
And, for the second year in a row, a German hacker known simply as "Nils" exploited a previously unknown vulnerability in Mozilla Firefox to take complete control of a 64-bit Windows 7 machine.
The successful exploit, which defeated ASLR+DEP on Windows 7, followed hacking attacks against Safari on Mac OS X, Internet Explorer 8 on Windows 7 and Apple's iPhone device. There were no hacking attempts against Google Chrome.
Nils, a 26-year-old hacker who heads up the security research team at U.K.-based MWR InfoSecurity, also planned to attack Apple's Safari browser but after Charlie Miller's victory against that target, he did not get an opportunity.
As per the contest rules, he was not allowed to disclose details about the Firefox vulnerability -- contest sponsor TippingPoint ZDI owns the exclusive rights to that information -- but in a Q&A session with journalists here, Nils said the biggest challenge was navigating the anti-exploit mitigations in Windows 7.
He used several tricks to bypass Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) to get his drive-by download to load an executable on the target machine.
ASLR+DEP are held up as significant roadblocks to thwart malware attacks on the newest versions of Windows but, as this contest shows, skilled hackers with enough motivation and resources can bypass those mitigations easily.
Nils said Mozilla can do a better job of opting into ASLR on Windows, a clear hint that implementation errors make it easy to bypass the Windows defenses.
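The opt-in Nils alludes to is a per-module property: on Windows 7 a module is only randomized if its linker set IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE and left relocation data in place, and a single non-randomized module in the process gives an attacker a fixed address to work from. The following header parser is an added defender's audit example, not code from the article or from Mozilla; the flag values and header offsets are from the PE/COFF specification, while the module names and the header-only test images are constructed for the demonstration.

```python
import struct

# IMAGE_OPTIONAL_HEADER.DllCharacteristics flags (PE/COFF specification)
DYNAMIC_BASE = 0x0040     # linker /DYNAMICBASE: image may be rebased, i.e. opts in to ASLR
NX_COMPAT = 0x0100        # linker /NXCOMPAT: image is compatible with DEP
RELOCS_STRIPPED = 0x0001  # IMAGE_FILE_HEADER.Characteristics: no relocation data, loader cannot rebase


def pe_mitigations(image: bytes) -> dict:
    """Read the ASLR/DEP opt-in bits from a PE image's headers (PE32 and PE32+)."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER, 20 bytes
    (characteristics,) = struct.unpack_from("<H", image, coff + 18)
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both the PE32 and PE32+ optional header layouts
    (dllchars,) = struct.unpack_from("<H", image, opt + 70)
    opted_in, stripped = bool(dllchars & DYNAMIC_BASE), bool(characteristics & RELOCS_STRIPPED)
    return {"arch": "PE32+" if magic == 0x20B else "PE32",
            "aslr_opt_in": opted_in, "relocs_stripped": stripped,
            # DYNAMIC_BASE without relocation data still yields a fixed load address
            "aslr_effective": opted_in and not stripped,
            "dep": bool(dllchars & NX_COMPAT)}


def weak_modules(modules: dict) -> list:
    """Names of loaded modules that leave the process without full ASLR or DEP coverage."""
    weak = []
    for name, image in modules.items():
        m = pe_mitigations(image)
        if not (m["aslr_effective"] and m["dep"]):
            weak.append(name)
    return sorted(weak)


def build_test_image(dllchars: int, pe32plus: bool = False, relocs_stripped: bool = False) -> bytes:
    """Constructed header-only PE image (not a real binary) for exercising the checks above."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)   # e_lfanew: PE signature follows the DOS header
    opt_size = 240 if pe32plus else 224
    characteristics = 0x0002 | (RELOCS_STRIPPED if relocs_stripped else 0)  # IMAGE_FILE_EXECUTABLE_IMAGE
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dllchars)
    return dos + b"PE\0\0" + coff + bytes(opt)
```

Run `weak_modules` over the headers of every module in a browser process (for example by reading the first few kilobytes of each file listed by Process Explorer) and any name it returns is a module that undoes the process-wide benefit of ASLR or DEP.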
More to come...
Talkback
Quick Question...
So the hackers decided not to go after Chrome at all then? Interesting.
That to me is a vote of confidence towards Google's Chrome.
Be serious, Chrome has already had many public security holes.
Re:
Let's see how it goes tomorrow.
"Wrapping up for the day. Chrome remains untested and therefore the only browser left standing."
http://twitter.com/search?q=%23pwn2own
RE: Chrome was not tested today.
Re:
Chrome patched its flaws just a few days before
I think the contest needs some new rules so that all hackers can use the browser version released 1 month before the event; otherwise next year all browser vendors can do the same thing as Google and patch their browser just a few days before the event.
@sawengchuan Nobody was stopping Microsoft or Mozilla from securing their..
Good for Google for finding and fixing theirs.
Thanks sawengchuan
to develop another hack. Thank you for the information.
Huh? Chrome has had CSS3 support for a long time.
As long as...
Won't happen with Ubuntu Linux, AppArmor LSM and profiled Firefox
Too hard?
AppArmor stops exploits of any kind cold in their tracks.
That's why TippingPoint chose not to include Linux in their competition.
Fuzzing doesn't work against AA.
I stake my reputation on it.
Dietrich T. Schmitz
GNU/Linux Advocate
Duh, they could have opted for Linux without AppArmor.
Ubuntu isn't Linux. It is a mere flavor of Linux.
http://www.livecdlist.com/
Well, a buffer overrun might reach userland
They simply won't get past AA.
Do we need to review 'Linux is the kernel'...blah?
(cough)
OK WinTard commence with the copy/paste!
Userland
0wned
Did ya read your link?
And they could have opted for Windows without ASLR/DEP/UAC..
Ubuntu is the most well known Linux distro for desktops.
So it would make sense to compare desktop OSs to it.
Other distros aren't generally as geared towards the mainstream crowd, and thus tend to require more technical skills to use.
For example, the Linux distro Gentoo, and pretty much all of the *BSDs (which are the most secure, albeit not Linux).
Or you could switch to Chrome
best desktop OS (Windows 7 64 bit) on the best laptop (MacBook Pro). That makes me better than you. :)
Same underlying security model issues. Read their 'caveats'
http://dev.chromium.org/developers/design-documents/sandbox#TOC-Other-caveats
"The operating system might have bugs. Of interest are bugs in the Windows API that allow the bypass of the regular security checks. If such a bug exists, malware will be able to bypass the sandbox restrictions and broker policy and possibly compromise the computer. Under Windows, there is no practical way to prevent code in the sandbox from calling a system service.
In addition, third party software, particularly anti-malware solutions, can create new attack vectors. The most troublesome are applications that inject dlls in order to enable some (usually unwanted) capability. These dlls will also get injected in the sandbox process. In the best case they will malfunction, and in the worst case can create backdoors to other processes or to the file system itself, enabling specially crafted malware to escape the sandbox."
And this is *why* Linux AppArmor LSM runs in its own external (to the system kernel!) protected memory space.
Thank youz.
Dietrich T. Schmitz
GNU/Linux Advocate