Pwn2Own: Down go all the browsers

Summary: On the first day of the Pwn2Own cracking contest, Microsoft's Internet Explorer 10, Google's Chrome and Mozilla's Firefox web browsers all went down in flames.


In the eternal war between crackers and security professionals, the hackers have won the latest battle.

In ZDI's Pwn2Own hacker competition one browser after another fell.

At the CanSecWest conference in Vancouver, Canada, the HP Zero Day Initiative's (ZDI) annual Pwn2Own competition has ended its first day of competition, and Microsoft's Internet Explorer (IE) 10, Google's Chrome and Mozilla's Firefox Web browsers have all been cracked. In addition, Java (can anyone be surprised at this?) was also cracked multiple times.

Vupen Security, the French security and hacking company, cracked IE 10. Vupen reported, via Twitter, that they "pwned MS Surface Pro with two IE10 zero-days to achieve a full Windows 8 compromise with sandbox bypass."

Mind you, no one else had anything to boast about on this day. Google, which had just fixed numerous security bugs in the Chrome Web browser prior to Pwn2Own, saw Chrome go down as well. MWR Labs, a branch of UK-based MWR InfoSecurity, took down Chrome 25 on Windows 7 by exploiting multiple "zero-day," or unpatched, browser vulnerabilities.

The Chrome crack's authors explained that they'd broken the Web browser by having Chrome visit a malicious Web page. This, in turn, enabled them "to exploit a vulnerability which allowed us to gain code execution in the context of the sand-boxed renderer process. We also used a kernel vulnerability in the underlying operating system [Windows 7] in order to gain elevated privileges and to execute arbitrary commands outside of the sandbox with system privileges."

Vupen struck again and also took out Firefox. Vupen said that they did in Firefox by "using a use-after-free and a brand new technique to bypass ASLR/DEP [Address Space Layout Randomisation/Data Execution Prevention] on Win7 without the need of any ROP [Return-oriented programming]."

Vupen has not publicly revealed how they did this without using ROP, perhaps the most common way of exploiting operating systems with ASLR/DEP protection. The company did announce on Twitter, as per the Pwn2Own rules, that "ALL our 0days & techniques used at #Pwn2own have been reported to affected software vendors to allow them [to] issue patches and protect users."

Java, which has been getting hacked over and over again recently, fell not once or twice but three times to crackers. Vupen broke Java by "using a same unique heap overflow as a memory leak to bypass ASLR and as a code execution."

Java was also broken by Accuvant Labs security scientist Joshua Drake and Context Information Security consultant and vulnerability researcher James Forshaw. Drake appears to have used a similar method to Vupen's in his successful hack, while Forshaw used a "reflection" attack.

Not everything was "pwned" though. No one broke Adobe's Flash Player and Adobe Reader on Windows 7 or Safari on Mac OS X Mountain Lion. Adobe products may yet go down. Vupen is going after Flash today and George Hotz, best known for unlocking Apple's iPhone, is taking on Reader.

It's not all bad news for those who are trying to secure their programs.

In a ThreatPost interview, Chaouki Bekrar, Vupen's CEO and head of research, said, "Writing exploits in general is getting much harder. Java is really easy because there's no sandbox. Flash is a different thing and it's getting updated all the time and Adobe did a very good job securing it. It's more expensive to create a Flash exploit than a Java one. Every time Adobe updates Flash, they're killing bugs and techniques and sandbox bypasses, and honestly, Adobe is doing a great job making it more secure."

As for the browsers in general, Bekrar concluded:

"Chrome is probably the most hard to attack because of the sandbox. The weakness in Chrome is Webkit and the strength is the sandbox. Probably one of the reasons Chrome is so secure is that the Google guys don't just fix vulnerabilities but they're proactive in fixing techniques and sandbox bypasses."

How good is Chrome security really, though? We'll find out: in a separate hacking contest, Pwnium 3, Google is challenging hackers to break into its Linux-based Chrome OS for a total prize package of $3.14159 million.

  • Pwn2Own: Down go all the browsers

    Kudos (James Forshaw) (Joshua Drake) (VUPEN Security) (Nils & Jon)
  • I wonder... how much time MWR Labs spent to develop the exploit against Chrome; Vupen spent several months to take down IE 10:
    "We thought a lot about whether to participate this year because the cost to create a reliable exploit is getting very high. We spent several weeks finding the vulnerability in IE 10 and several more weeks writing a reliable exploit," said Bekrar. "Even the prizes at Pwn2Own don't cover that cost. But we have other techniques."
    • SO much easier to exploit the weakest link

      The user. We've seen this for years though. Far easier to put your malware in pirated software than to exploit OS or Java / Flash vulnerabilities.
      • Ooops, here's the first excuse

        From fanbui shill #1
        • Jack-wagon...

          they all got hammered. Even the childish SJVN has had his sacred Chrome/Google hit.
          • Well.. Not all?

            At least one is reported to survive
          • Chrome on Windows

            "...took down Chrome 25 on Windows 7" Rotten foundation. Google is still offering Pi million dollars for an exploit on Chrome OS. Stay tuned.
          • typical

            Chrome OS probably won't be hacked for two good reasons. a) not much effort goes into hacking it because so few people use it and b) it's designed to just run Chrome, which makes it much easier to secure. Nothing to do with a "rotten foundation"
            Dean Swiatek
          • Pwnium 3 Results

            "The operating system that powers Google’s Chromebooks managed to survive Pwnium 3 without being hacked....

            Google had set a ceiling of $3.14159 million for potential exploits discovered at Pwnium. It had broken down the attacks into two categories with a different prize amount based on the complexity of the hack:

            Guest mode browser or system compromise using a web browser (logged-in user compromise also acceptable) – $110,000
            Compromise with persistence on device using a web browser (guest to guest with interim boot) – $150,000"

        • Wrong!

          Sorry, but Todd'sBottom is not the #1 fanboi shill around here. C'mon, you all know who holds the undisputed title.. :P
          Steve I.
      • Which is why Android now accounts for most mobile malware

        Yup, as the Linux based OS got popular, the bad guys followed it. Even Apple doesn't come close to the number of creatures riding on Android.

        Now, of course, since all browsers went down in flames, claiming one is better than the others seems a bit pointless. Sort of like all the losers pointing at each other.
        • Except that one browser survived.

          I now expect to hear a lot of baa-ing from the flock.
        • Where does it say anything about Android?

          And how about posting links to actual Android hacks, not theoretical "could be" vulnerabilities?
      • you are the weakest link... goodbye

        ((( "SO much easier to exploit the weakest link... The user." )))

        So true. The weakest links appear to be the vulnerable users of Microsoft Surface Pro running IE 10, while the strongest links are users of the unpwned Safari on Mac OS X Mountain Lion.
  • Waiting for windoze fanbuis... come on here and spin their latest bs

    C'mon, windoze fanbuis C'mon...
    • Really?

      CaviarGreen, please tell me how you pass your time when you are not instigating on these forums?
      • Really

        Why I pass the time instigating on these forums. That's how I spend my time.

      • He waits for his mother to fix his dinner when

        he comes home from McDonalds to go to the bedroom in the basement.
        • No MickeyD's where I live

          Only townhouse fried chicken.

    • Do they have boats?

      Because you spelled buoy wrong.