Safari, IE hacked first at Pwn2Own
Apple, Microsoft browsers drop to first shots at the hacking contest
Computerworld - Apple's Safari and Microsoft's Internet Explorer (IE) both fell to the first hackers who tried their luck on the browsers at Wednesday's opening day of Pwn2Own.
The hacking challenge kicked off at 3:30 p.m. PT, slightly later than scheduled, at the CanSecWest security conference, which runs March 9-11 in Vancouver, British Columbia.
A team from the French security company Vupen walked off with $15,000 and a new MacBook Air after exploiting an unpatched vulnerability in Safari.
"Apple has just released Safari 5.0.4 and iOS 4.3 a few minutes before the Pwn2Own contest," Vupen said Wednesday afternoon on its Twitter account several hours before the contest began. "This breaks some exploits but not all!!"
HP TippingPoint, the security company that sponsors Pwn2Own, said earlier today that the last-minute Safari updates could affect who was awarded prize money.
TippingPoint's Peter Vreugdenhil said the browsers were "frozen" two weeks before today's tip-off with the then-current versions of Safari, Google's Chrome 9, Microsoft's IE8 and Mozilla's Firefox 3.6, to give researchers a stationary target.
"Exploit development does sometimes rely on certain versions and that is the reason we have frozen the devices," Vreugdenhil said in an e-mail today.
But the Safari patches still had a part to play in Vupen winning. If the vulnerability used by Vupen to hack Safari had been fixed in 5.0.4, TippingPoint would not have awarded the $15,000 prize.
Instead, the money would have gone to the first researcher who exploited the "frozen" version of Safari -- 5.0.3 was on the MacBook Air -- using a bug still present in today's update.
"As long as the latest version still has the vulnerability, and the researcher has successfully 'pwned' [successfully compromised the computer] with the frozen version, he or she will have won," said Vreugdenhil.
This was the first time in four years that Safari had fallen to someone other than Charlie Miller, an analyst with the security consulting group Independent Security Evaluators (ISE), and co-author of The Mac Hackers Handbook. Miller won at Pwn2Own in 2008, 2009 and 2010 by exploiting Safari.
Microsoft's IE8 also dropped to its first attacker, Stephen Fewer, who drew the No. 1 spot for that browser. Fewer is the founder of Harmony Security, and frequently reports bugs to TippingPoint's Zero Day Initiative (ZDI) bounty program.
To exploit IE8, Fewer bypassed Protected Mode, said Aaron Portnoy, manager of TippingPoint's security research team and the organizer of Pwn2Own for each of its five years. Protected Mode is Microsoft's name for the sandbox-like anti-exploit technology designed to isolate the browser from the operating system and the rest of the computer.
- iPhone, BlackBerry tumble to Pwn2Own hackers
- Researcher chains three exploits to take down IE8 at Pwn2Own
- Safari, IE hacked first at Pwn2Own
- Researcher blows $15K by reporting bug to Google
- Microsoft won't patch IE before Pwn2Own
- Apple to patch Safari before Pwn2Own, say researchers
- Mozilla follows Google, patches Firefox as prep for Pwn2Own
- Three-time Pwn2Own winner knocks hacking contest rules
- Familiar faces, new names step up at Pwn2Own hacking contest
- Update: Firefox update will patch CSRF bug, Mozilla says
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Who's Spying on You? You're aware of the threats of malware to your business but what about the ever-changing ground rules? Cybercriminals today are launching attacks against...
Red Hat Enterprise Linux - The Original Cloud Operating System
Linux adoption is growing against a number of measures, such as the
number of supercomputers that run Linux and the size of the contributing...
- OpenStack Hype vs. Reality: CIO Quick Pulse Open-source architecture can enable IT departments to build infrastructure-as-a-service (IaaS) clouds running on standard hardware.
- Building a Bridge to the Next Generation Data Center Selecting a widely adopted operating system is a foundational component of a standardization strategy.
- Webinar: Building a Big Data solution that's production-ready Big data solutions are no longer just a nice-to-have.
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well... All Cybercrime and Hacking White Papers | Webcasts