iPhone, Safari, IE8, Firefox all fall on day one of Pwn2Own
'Technically impressive' exploit of IE8 bypasses DEP, ASLR on Windows 7 at hacking contest
The two-man team of Vincenzo Iozzo and Ralf-Philipp Weinmann exploited the iPhone in under five minutes, said a spokeswoman for 3Com TippingPoint, the security company that sponsored the contest. The pair also walked away with $15,000 in cash, a record prize for the challenge, which is in its fourth year.
Iozzo, an Italian college student, works for Zynamics GmbH, the company headed by noted researcher Thomas Dullien, better known as Halvar Flake, while Weinmann is a post-doctoral researcher at the Laboratory of Algorithms, Cryptology and Security at the University of Luxembourg.
Weinmann is probably best known for being part of a three-man team that in 2007 demonstrated how to crack the Wi-Fi security protocol WEP much faster than previously thought possible.
Charlie Miller, an analyst at Baltimore-based Independent Security Evaluators, brought down Safari on a MacBook Pro running Snow Leopard for a three-peat at Pwn2Own.
Miller won prizes in both 2008 and 2009 by hacking a Mac; last year, Miller cracked Safari in just 10 seconds. For his work today, Miller walked off with the notebook and $10,000 in cash.
No one else has won at Pwn2Own three times.
When his turn came, Pwn2Own newcomer Peter Vreugdenhil successfully exploited a vulnerability in IE8 running on Windows 7 with attack code called "technically impressive" by TippingPoint because it bypassed the operating system's Data Execution Prevention, or DEP, security mechanism, which is designed to stop most attacks.
Like Miller, Vreugdenhil, a freelance vulnerability researcher from the Netherlands, earned a $10,000 prize.
Another former winner, a German computer science student known only by his first name, Nils, was awarded $10,000 for hacking Firefox on Windows 7.
Of the browsers set up as targets for the contest, only Google's Chrome remained standing on the first day.
TippingPoint does not release details of the vulnerabilities exploited for Pwn2Own, but instead purchases the rights to the flaws and exploit code as part of the contest. It then turns over information to the appropriate vendors, who all had representatives on hand.
Only after the vendor has plugged the hole does TippingPoint disclose details of each flaw.
If history is any indication, vendors will push out patches for the exploited vulnerabilities fairly quickly. In 2008, for example, Apple took just three weeks to patch the Safari bug that Miller used to win $10,000 at his inaugural Pwn2Own.
Mozilla beat that record last year when it updated Firefox a week after Nils exploited the browser.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is email@example.com.
- Microsoft defends Windows 7 security after Pwn2Own hacks
- Pwn2Own winner tells Apple, Microsoft to find their own bugs
- Hacker busts IE8 on Windows 7 in 2 minutes
- iPhone, Safari, IE8, Firefox all fall on day one of Pwn2Own
- iPhone falls in Pwn2Own hacking contest
- Former winners defend titles at Pwn2Own hacking contest
- Hackers at Pwn2Own to compete for $100K in prizes
Read more about Malware and Vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts