In association with heise online

11 March 2011, 12:39

Pwn2Own 2011: no-one goes after Chrome


The first day of the Pwn2Own competition was devoted to the Safari, Internet Explorer and Chrome browsers. By the luck of the draw, the attempt on Safari on Mac OS X took place first. The team from French security provider VUPEN promptly reported success in launching a calculator on the Mac system.

At the last minute, Apple attempted to make life harder for the hackers with the improved version 5.0.4 of Safari, but only some of the security holes that VUPEN had prepared for had been closed, not all of them. The team exploited a vulnerability in WebKit; the French experts say they had been working on the exploit for two weeks. The event organiser will not be disclosing the details until the vendor has provided patches.

Internet Explorer 8 also very quickly fell prey to Irish Metasploit developer Stephen Fewer, though he had to connect three different security holes to get around the browser's protected mode and other security mechanisms.

The attacks were anything but easy. The 64-bit operating system had all of the current patches, and security mechanisms such as DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization) were enabled, all of which had to be overcome to launch the calculator application. To make things worse, the processes of Internet Explorer under Windows 7 all ran at low integrity levels, meaning that the processes cannot write into normal directories with medium integrity (see the feature "Rights and Integrity") – which is what is needed for a complete Pwn in the competition.

No one had a go at Chrome; although two parties registered, one did not show up at the competition, and the other told the organisers that they did not have a working exploit. Google had offered an additional $20,000 for anyone who could hack its browser. And so, for the third time in a row, Google's browser remained unhacked.

The new rules caused some confusion about vulnerable versions. Apparently, there was a patch freeze a week before the competition for the systems to be attacked. To win the attacked system, competitors only needed to be able to launch the exploit. To win the prize money, however, the exploit also had to work on new versions released during the patch freeze. At the conference, there is currently some speculation about whether Google closed some vulnerabilities with the update to Chrome 10, two days before the competition, which would explain why some hackers did not come.

On the second day, Firefox and some of the iPhone 4, BlackBerry Torch, Google Nexus S and Dell Venue phones will come under fire as hackers get into the starting blocks and try to win prize money and fame by taking control of the hardware.

(Marc Heuse / crve)
