The hackers at last week’s Pwn2Own contest had a field day with some of the world’s most popular browsers, but they didn’t make a clean sweep.
Pwn2Own pits security experts against web browsers on laptops and smartphones. At stake are cash prizes of $15,000 per exploit, along with the actual hardware on which the browsers were hacked. In all cases, the exploits only required the user to visit one malicious website. After that, the attacker was free to run programs, write new files remotely or access sensitive data such as the address book on smartphones.
Here’s a round-up of the winners and losers:
Apple had a poor showing at Pwn2Own, with both the mobile and desktop versions of Safari hacked, Ars Technica reports. French security firm VUPEN took down desktop Safari with a combination of well-known techniques for bypassing operating system protection and new code to make these techniques work on 64-bit systems. The iPhone fell to Charlie Miller and Dion Blazakis, who compromised the smartphone through a special web page. Apple has since protected itself against the particular exploit used by Miller and Blazakis, but the underlying security flaw still exists.
Microsoft’s Internet Explorer 8 also fell to the hackers. Stephen Fewer of Harmony Security used three vulnerabilities to execute code on 64-bit Windows 7 Service Pack 1. Fewer said the attack took five to six weeks to put together.
The other mobile platform to fall was Research in Motion’s Blackberry. Vincenzo Iozzo, Willem Pinckaers, and Ralf Philipp Weinmann used a flaw in Blackberry’s Webkit browser, but it wasn’t easy; little documentation exists on the Blackberry system’s internals, and they had to chain three flaws together to run their exploit code, according to Ars.
But it wasn’t all bad news. Google’s Chrome survived the competition — its third successful Pwn2Own in a row — and Mozilla’s Firefox escaped attacks for the first time since it became part of the competition in 2009, according to Computerworld. However, Chrome uses the same Webkit engine that was exploited for the Blackberry hack, and so Google has already released a patch to fix the problem. (That means Google’s $20,000 bug bounty went unclaimed.) Microsoft’s Windows Phone 7 and Google’s Android phones also emerged unscathed.
If all this talk of system-compromising hacks and malicious websites makes you nervous, worry not; contest rules stipulate that the hackers won’t release their findings until they’re patched by browser makers. Still, I wouldn’t go traipsing around the Internet with reckless abandon — at least not without some good anti-virus and anti-malware software.