Researcher hacks just-launched IE8

Cracks Microsoft's new browser hours before release; also hacks Safari, Firefox

Page 2 of 2

Microsoft refused to confirm the vulnerability, however, and used its usual phrasing when bugs go public. "Microsoft is investigating reports of a possible vulnerability in Internet Explorer 8," a spokeswoman said in an e-mail. "If the vulnerability is confirmed, we'll take action to help protect our customers."

The spokeswoman also declined to answer a question about whether Nils' vulnerability exists only in the Windows 7 build used at PWN2OWN, or in some or all of the versions released today. Her only comment along those lines: "The build of Internet Explorer 8 used in the contest yesterday was not the RTW build released today."

IE8 wasn't the only browser Nils hacked yesterday. After he took down IE8, he moved on to Apple Inc.'s Safari and Mozilla Corp.'s Firefox, both of which he successfully exploited with attack code he had created earlier. His total for the afternoon: $15,000 in cash from TippingPoint, and the Sony laptop.

"It was insane compared to last year," said Forslof, noting that at 2008's PWN2OWN, there were just two vulnerabilities disclosed. "Nils hit the IE8 vulnerability, and everybody thought that was it. Then he comes back and says, 'Do you mind if I try my Safari vulnerability? Oh, and by the way, I also have a Firefox bug'."

"After just two hours, we had four browser vulnerabilities and we'd paid out $20,000," Forslof said.

Before Nils took his shot at IE8, Charlie Miller successfully defended his title as PWN2OWN's 2008 first-prize winner by hacking Safari within seconds. Miller, who said he had been "really nervous" this year because of the crush of spectators, walked away with $5,000 and a MacBook notebook.

By the rules of the contest and TippingPoint's policies, details of the vulnerabilities are kept confidential until the vendor releases a patch. "We'll go through our normal investigations," said Forslof, "and we'll work in close coordination with the vendors."

TippingPoint is one of two security companies with a bug bounty program. The company's Zero Day Initiative, or ZDI, cash-for-crashes program does not disclose what it pays for a vulnerability, but in the past, it has offered bonuses as large as $20,000.

The PWN2OWN contest wraps up tomorrow, with browsers from Microsoft, Mozilla, Apple and Google Inc. still fair game. A second part of the challenge pits hackers against five smartphone operating systems: Windows Mobile, Google's Android, Symbian, and the operating systems used in the iPhone and the BlackBerry.

Copyright © 2009 IDG Communications, Inc.
