Pwn2Own trifecta: Hacker exploits IE8, Firefox, Safari

VANCOUVER, BC -- It took a while longer but Microsoft's Internet Explorer 8 did not survive the hacker onslaught at this year's CanSecWest Pwn2Own contest.

A security researcher named "Nils" (he declined to provide his full name) performed a clean drive-by download attack against the world's most widely used browser to take full control of a Sony Vaio machine running Windows 7.

He won a cash prize and got to keep the hardware. Details of the vulnerability, which was described by contest sponsor TippingPoint ZDI as a "brilliant IE8 bug!", are being kept under wraps.

Several members of Microsoft's security response team were on hand to witness the successful exploit.

"Nils" also scored a clean hit against Apple's Safari (he was the second hacker to exploit Safari) and, later in the afternoon, he exploited a Firefox zero-day flaw to claim the trifecta.

More to come...

Talkback

246 comments
  • Axsimulate dared me to post here, I'm obliging him

    OS X still fell first and it fell within seconds meaning that OS X is officially the least secure OS out there. It was proven last year and it was just proven again. :)
    NonZealot
    • Nope

      This was about browsers, not OSes. Charlie
      Miller won the first "slot" through a lottery.
      Had "Nils" gotten the first slot, another
      browser would have fallen first.

      Sorry, but it seems that all of the browsers
      are in a bad state. Firefox, IE and Safari.

      The OSes don't matter.
      honeymonster
      • OS does matter

        I won't bother typing my response out again so follow the link to see my response:
        http://talkback.zdnet.com/5208-12691-0.html?forumID=1&threadID=62210&messageID=1146141

        NonZealot
        • I can see why you wouldn't

          MAC systems are indeed useful however I'm not aware of Firefox being
          greatly restricted in major desktop Linux distributions: AppArmor
          (SLED) nor SELinux (RHEL).

          Your discussion of UAC and Protected mode ignores published
          techniques used to get around Vista's Address Space Layout
          Randomization (ASLR) and Data Execution Prevention (DEP). Similarly
          your position requires no privilege escalation vulnerabilities in
          Windows.

          The reality of the contest: looks like all browsers fell at the same stage
          of the competition.

          "The takeaway is that Safari is the least secure browser ever made."

          Ridiculous statement.

          "Browsing is not safe."

          Extend to: modern desktops are extremely complicated pieces of
          software which currently prove impossible to secure.

          "The question, then, is: what is my OS going to do to keep me safe
          from my browser?"

          Isn't the better question how can I keep my computer secure?
          Technology is relevant if already proven not to work.
          Richard Flude
          • NonZealot is immune to factual statements. [nt]

            [nt]
            olePigeon
        • @NonZealot

          Regardless of all the protection you claim Windows has, it still got hacked.
          Axsimulate
      • The OS matters

        There are a number of known privilege escalation attacks against Windows. Once the browser is hacked the machine is effectively owned by the attacker. This is especially true for the various Windows "Home" editions of Windows since the user is typically effectively running as Administrator.

        Only someone foolish enough to browse the web while logged on as root has the same level of vulnerability when running Linux. Even "consumer" distros like Ubuntu only allow the user to run privileged commands through the sudo mechanism which means the user has to enter their password to execute the command. A user would have to be particularly clueless to provide their password to an action they didn't initiate.

        The bottom line is that a Windows browser vulnerability means the entire machine can be owned. A Linux browser vulnerability means that only the current user is exposed. Still not good but better than having the whole machine owned.

        Cheers,
        Dave
        DaveAtFraud
        • Somewhat true

          "Only someone foolish enough to browse the web while logged on as root has the same level of vulnerability when running Linux."

          And how often does that happen?

          There's very little out there that's ported to Linux code, so the chances of someone hosing their own machine by accidentally deleting their own files or some of the system's binaries is far greater than any infection from the web.

          "Even 'consumer' distros like Ubuntu only allow the user to run privileged commands through the sudo mechanism which means the user has to enter their password to execute the command."

          That's naturally built into the design of Linux. I don't know of any consumer distros where the default is the admin log in. If there were then people would avoid it like the plague.

          "A user would have to be particularly clueless to provide their password to an action they didn't initiate."

          The only time I've entered my password was when I go to a trusted package repository that your distro has supplied to you, to download anything I need. Or when I've had to make command line adjustments, with the help of people in the Linux forums I've been to. But that's only when absolutely necessary.

          Never do it alone unless you know what you're doing.
          hasta la Vista, bah-bie
    • @NonZealot

      Nope, just the first one on the list.

      Maybe I should have been more specific. Why don't you slam MS and its
      OS and browser since it didn't take that long to hack those either. After
      all Vista and Win7 are touted as being THE most secure of any OS.
      Axsimulate
      • A beta browser, a beta OS

        Safari, released, on OS X, released, fell first. Windows 7 is in beta, IE8 is in beta. Isn't that the point of beta? Don't you accept the fact you're more prone to security vulnerabilities in beta software as the entire point of beta is to uncover these issues before release?
        LiquidLearner
        • Are you trying to tell us that...

          all Microsoft's OSs are still in beta?
          kozmcrae
        • @LiquidLearner

          Why does it matter? A security hole is a security hole whether it's in beta
          or FC. How do you know that the exploit that was used would have been
          patched before FC?
          Axsimulate
        • good point

          I overlooked the beta info. Isn't that why they have these hacker contests? To find a few good sploits for "a Vaio" LOL
          pcguy777
          • Yeah, but IE7 and Vista SP1 aren't in beta

            Have they been exploited since their latest round of security patches?

            (rhetorical question)
            hasta la Vista, bah-bie
        • Don't you

          Don't you accept the fact you're more prone to security vulnerabilities

          WHEN YOU DOWNLOAD PIRATED/HACKED SOFTWARE??
          richvball44
      • Just wrong.

        Actually, the article specifically stated that it took a while for the IE8 exploitation, whereas the other 2 browsers dropped fast when they were targeted. So your comment stating "it didn't take that long" to hack Win7 and IE8 is completely unfounded.

        Vista/Win7 ARE some of the more secure OSs out there on default install, Vista has had a good track record in its time. But no OS is perfect, it all eventually falls on the user more than anything else.
        @...
        • @shane

          "It took a while longer but Microsoft's Internet Explorer 8 did not survive
          the hacker onslaught at this year's CanSecWest Pwn2Own contest."

          Charlie Miller had a whole year plus to search for holes, how long did Nils
          have to search for IE8 holes? The beta has been available for how long?

          How long is a while? 1 minute? 5 minutes? an hour? 2 hours? No matter
          how you slice it, it didn't take long and IE8/Win7 was hacked.
          Axsimulate
        • And the article was wrong

          First, Firefox fell after IE8.
          More importantly, the slots given to attack the various machines were
          given in a lottery, as already pointed out (can't you bother to read before
          posting replies?) The first slots went to people attacking other browsers.
          Had Nils been given the first slot, IE8 would have gone down first.

          Seriously bad reporting (again) from Ryan Naraine and ZDNET (oh the
          shock) and poor research on your part.
          Once again, another pointless article from ZDNet, and another excuse for
          NZ to spout his misinformed garbage.
          SpiritusInMachina
          • Bit bitter?

            Me? I read the article before replying. So... yes? I will just assume English is a second language for you. I merely stated that the article mentioned that IE8 took longer, I did not mention whether it went first, second or third.

            But you're right, Ryan Naraine is a horrible security blogger. This article was obviously biased towards trying to get people to think IE8 was insecure, when in fact it should be noted that all browsers were taken out with similar ease.
            @...
          • Bittersweet

            Again, you are misinformed. First, the other two did NOT drop fast. If
            you bothered to do your research, you would have seen that the
            statement that Safari fell in seconds is taken out of context. No
            browsers fell during the first 24 hours, on the second day when rules
            were relaxed, Safari fell. Similarly, research would have shown you
            that the other two did not "take awhile," but rather went down fairly
            quickly as well. They took longer because their 30 minute slots came
            later. Also, the article does NOT say Firefox fell quickly.

            "Vista/Win7 ARE some of the more secure OSs out there on default
            install, Vista has had a good track record in its time. But no OS is
            perfect, it all eventually falls on the user more than anything else."

            What does this have to do with anything? This is about attacking
            browsers. No one went after any OS here.
            And you question MY reading comprehension?
            SpiritusInMachina