In association with heise online

19 March 2009, 13:47

Pwn2Own 2009: Safari, IE 8 and Firefox exploited

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Winner Charlie Miller (left), Judge Aaron Portnoy from TippingPoint (middle) and winner Nils (right)
Zoom Winner Charlie Miller (left), Judge Aaron Portnoy from TippingPoint (middle) and winner Nils (right)
Source: TippingPoint DVLabs
Safari was the first browser to fall to an exploit at the Pwn2Own 2009 security competition held at the CanSecWest conference in Vancouver, Canada, but Internet Explorer 8 and Firefox fell soon after. The competition, sponsored by TippingPoint Technologies, awards a prize for each vulnerability found on various mobile phone platforms and internet browsers. It started yesterday, the 18th of March and runs for three days. Participants are invited to attack Internet Explorer 8, Firefox and Google Chrome on Windows 7 and Safari and Firefox on Mac OS X. All browsers and operating systems are fully patched.

Security researcher Charlie Miller, in a repeat performance of last year, used a prepared exploit to crack the Safari web browser on a MacBook running the latest version of Mac OS X, in a matter of seconds. The exploit won him $5,000 and the MacBook. According to CNet Miller said that he used a security hole which he discovered last year that allows a remote attacker to gain control of a machine when a user visits a malicious URL. Last year Miller also cracked Safari in a few minutes and won a MacBook Air and $10,000 in prize money. According to the rules, each attack is done in turn and Miller drew the first time slot for the browser competition.

Following Miller, a 25 year old computer science student at the University of Oldenburg in Germany, going by the name of 'Nils', used an exploit on Microsoft's Internet Explorer 8, circumventing the latest Data Execution Prevention (DEP) and Address Space Layout Randomisation (ASLR) to win the Sony Vaio P series notebook which he attacked and $5,000 for the exploit itself. Following his successful attack on Internet Explorer 8, 'Nils' then demonstrated exploits for Safari and Mozilla's Firefox winning him $5,000 for each, for a grand total of $15,000.

All of the participants are prevented from revealing the details of the exploits which were used as they are required to signed a general Non Disclosure Agreement so that the affected vendors can be advised of the bugs. On day one, none of the mobile exploit attempts were successful. The second day of the competition focusses on the survivors from day one, Google's Chrome and the mobile devices, with the rules changing to make attacks easier. Those wanting to follow updates from the final day of Pwn2Own 2009 can do so via TippintPoint's twitter page.

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit