Pwn2Own 2009: Safari, IE 8 and Firefox exploited

Winner Charlie Miller (left), Judge Aaron Portnoy from TippingPoint (middle) and winner Nils (right)
Source: TippingPoint DVLabs Safari was the first browser to fall to an exploit at the Pwn2Own 2009 security competition held at the CanSecWest conference in Vancouver, Canada, but Internet Explorer 8 and Firefox fell soon after. The competition, sponsored by TippingPoint Technologies, awards a prize for each vulnerability found on various mobile phone platforms and internet browsers. It started yesterday, the 18th of March and runs for three days. Participants are invited to attack Internet Explorer 8, Firefox and Google Chrome on Windows 7 and Safari and Firefox on Mac OS X. All browsers and operating systems are fully patched.

Security researcher Charlie Miller, in a repeat performance of last year, used a prepared exploit to crack the Safari web browser on a MacBook running the latest version of Mac OS X, in a matter of seconds. The exploit won him $5,000 and the MacBook. According to CNet Miller said that he used a security hole which he discovered last year that allows a remote attacker to gain control of a machine when a user visits a malicious URL. Last year Miller also cracked Safari in a few minutes and won a MacBook Air and $10,000 in prize money. According to the rules, each attack is done in turn and Miller drew the first time slot for the browser competition.

Following Miller, a 25 year old computer science student at the University of Oldenburg in Germany, going by the name of 'Nils', used an exploit on Microsoft's Internet Explorer 8, circumventing the latest Data Execution Prevention (DEP) and Address Space Layout Randomisation (ASLR) to win the Sony Vaio P series notebook which he attacked and $5,000 for the exploit itself. Following his successful attack on Internet Explorer 8, 'Nils' then demonstrated exploits for Safari and Mozilla's Firefox winning him $5,000 for each, for a grand total of $15,000.

All of the participants are prevented from revealing the details of the exploits which were used as they are required to signed a general Non Disclosure Agreement so that the affected vendors can be advised of the bugs. On day one, none of the mobile exploit attempts were successful. The second day of the competition focusses on the survivors from day one, Google's Chrome and the mobile devices, with the rules changing to make attacks easier. Those wanting to follow updates from the final day of Pwn2Own 2009 can do so via TippintPoint's twitter page.

See also:

• Pwn2Own 2009 Day 1, TippingPoint blog post.
• Pwn2Own 2009: cash for mobile and browser holes, a report from The H.

(crve)