Safari, IE 8 Fall To Pwn2Own Hackers

Despite the last-minute update from Apple, Safari was the first to be cracked by security researchers on the first day of the Pwn2Own hacking contest.

A team of security researchers from the French penetration test company VUPEN successfully exploited a zero-day flaw in Apple’s Safari browser to win the Pwn2Own challenge yesterday.

Browsers under security spotlight

Security researchers took turns trying to compromise the most up-to-date versions of Microsoft Internet Explorer (IE), Apple’s Safari, Mozilla Firefox and Google Chrome on the first day of the hacking contest at CanSecWest in Vancouver, British Columbia.

VUPEN cracked Safari in “5 seconds,” claimed several messages on Twitter from attendees.

In contrast, the two contestants who signed up to hack Google Chrome were no-shows. Chrome survived day one, and Google gets to hang onto its $20,000 (£12,452) prize.

VUPEN co-founder Chaouki Bekrar used a specially rigged website that compromised a 64-bit version of a fully patched Mac OS X running on a MacBook. The three-man team spent about two weeks to find the vulnerability in WebKit, the open-source browser rendering engine Safari is based on, and to write the exploit, Bekrar told ZDNet‘s Ryan Naraine, who was at the contest.

The winning exploit bypassed two key anti-exploit mitigations built into Mac OS X, Address Space Layout Randomisation (ASLR) and Data Execution Prevention (DEP). The team had to launch the calculator application and write to a file on the computer to prove the exploit had successfully gained full user access on the hijacked machine.

“The victim visits a web page, he gets owned. No other interaction is needed,” Bekrar told Naraine.

For the IE portion of the contest, the prize went to Irish security researcher Stephen Fewer, according to Naraine. He successfully hacked into a 64-bit Windows 7 machine running IE 8 using three different vulnerabilities and custom exploits. Fewer used two different zero-day bugs in IE that he’d found previously to get reliable code execution, and then exploited a third vulnerability that allowed him to jump out of the IE Protected Mode sandbox to get to the operating system.

Like VUPEN, Fewer’s attack also successfully bypassed DEP and ASLR in Windows 7.

While VUPEN was the first contestant to crack Safari, three other researchers, including previous three-time winner Charlie Miller, succeeded. But under the contest’s winner-takes-all rules, the competition was over as soon as VUPEN succeeded. VUPEN had also signed up to test IE, but was slated to go second after Fewer, the first IE contestant.

Mozilla and mobile OSes up next

One contestant is scheduled today, the second day of the contest, to attempt hacking Mozilla Firefox, before the mobile platform portion of the contest begins, according to a spokesperson from TippingPoint ZDI, the contest’s sponsor. Contestants will begin with the Apple iPhone, followed by RIM BlackBerry, Samsung Nexus S running Android and Dell Venue Pro running Windows 7.

Apple released a last-minute update that patched a number of vulnerabilities in Safari and its iOS, but it appears that the target iPhones will not be running iOS 4.3, said Security Generation on Twitter. It is not clear at this time whether VUPEN compromised the new Apple Safari 5.0.4, which Apple had released hours before the contest.

Google and Mozilla had patched their browsers the week before the contest, but Microsoft had not.

Fewer won a $15,000 (£9,339) cash prize and a new Sony Vaio laptop running Windows 7 for being the first of the three researchers to hack the Windows browser. VUPEN claimed the other $15,000 cash prize and a 13-inch Apple MacBook Air running Mac OS X Snow Leopard for cracking Safari.

Technical details of the exploits legally belong to TippingPoint under contest rules. TippingPoint will provide information to Microsoft and Apple and give them six months to fix the flaws before publicising them.

CanSecWest is not just about hacking. There were also several panels, such as the one by a pair of security researchers from Germany, who demonstrated several techniques that enabled them to remotely reboot, shut down and completely disable many popular mobile phones with SMS messages.